I've imported a .csv that has many fields, but the only one I care about has multiple values in it.
pluginText: <plugin_output>
Computer Manufacturer : VMware, Inc.
Computer Model : VMware Virtual Platform
Computer SerialNumber : This is what I REALLY need
Computer Type : Other Computer
etc.
</plugin_output>
I've tried extracting, and filtering, I believe Regex may work, but that is where I'm at.
sourcetype="tenable:sc:vuln" pluginID=24270 | rex field=pluginText max_match=100 "\\n\s+-\s(?<SerialNumber>[^\\n]*)"
Latest try, still returns the event without isolating the string and value required.
If you use "Smart Mode" and look in the left-hand side, do you see an additional field like SerialNumber? Alternatively, you can use | table SerialNumber pluginText as a test method to see if SerialNumber is extracted.
Yes, at this point I believe it will take a regex group capture. Using regex is extremely new to me, but from what I'm researching it may be the best option to tackle it.
"Yes" SerialNumber field is extracted (and has the right values)? Or yes otherwise? It seems that I'm missing some finer points in the requirement.
If you need specific pointers, you can post
No, SerialNumber is not a field and cannot be extracted as a field. The field is "output_text", which has many lines of data that are seen as one value by Splunk (.csv). If the Computer SerialNumber line cannot be extracted as a field, then I'm attempting to use regex to do a group capture involving the string itself.
What I meant to ask is whether the regex extracts SerialNumber.
| rex field=output_text "Computer SerialNumber: (?<SerialNumber>.+)"
(In my code from the other thread, the field would be named "serialNumber" instead of "SerialNumber".)
No upon executing your query it simply returns every event from the sourcetype, looking to the left at all fields does not show an extraction for "SerialNumber".
Maybe back to the beginning. Let's test with _raw.
| rex "Computer SerialNumber\s*:\s*(?<SerialNumber>.+)"
Note: I see a space between the string "SerialNumber" and the colon in your data illustration, but my previous code didn't address that. That was my omission. This one handles common variants vendors might print their data. If space handling is the problem, you can add back field restriction.
Even when I use variations or use regex, it seems to return every event in the sourcetype. Isolating the string "Computer SerialNumber" in the "InputText" field seems to be no bueno.
| spath input=pluginText ``` this gives you a field plugin_output ``` | rex field=plugin_output "Computer SerialNumber: (?<serialNumber>.+)"
Tried both solutions, at this point I'm working with rex to see if I can isolate the data needed.
Have you checked my answer in https://community.splunk.com/t5/Splunk-Search/Suggestions-for-Tenable-csv-field-extraction/m-p/60602... This field is not multivalued, just multi-line. Yes, rex should be able to help.
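To make the regex behaviour in this thread concrete, here is an added example (my own code, not from the original posts or from Splunk/Tenable) that runs the `Computer SerialNumber\s*:\s*(?<SerialNumber>.+)` pattern suggested above, and a tightened variant, over constructed plugin output shaped like the data in the question. The sample events, the `extract_*` function names and the Dell/VMware serial values are all assumptions for illustration. It also shows the one thing the pattern alone does not make obvious: because `\s*` after the colon can match a newline, an empty SerialNumber line makes the loose pattern capture the *next* line of the plugin output, which a practitioner would want to guard against before trusting the field in a search.

```python
import re
from typing import List, Optional

# Constructed sample values, shaped like the pluginText field in the question:
# the whole Tenable plugin output is one multi-line string wrapped in
# <plugin_output>. The second event uses CRLF line endings, as CSV exports
# sometimes do; the third has no SerialNumber line at all.
SAMPLE_EVENTS = [
    "<plugin_output>\nComputer Manufacturer : VMware, Inc.\n"
    "Computer Model : VMware Virtual Platform\n"
    "Computer SerialNumber : VMware-42 1a 2b 3c\n"
    "Computer Type : Other Computer\n</plugin_output>",
    "<plugin_output>\r\nComputer Manufacturer : Dell Inc.\r\n"
    "Computer SerialNumber: ABC1234\r\nComputer Type : Desktop\r\n</plugin_output>",
    "<plugin_output>\nComputer Manufacturer : Unknown\n"
    "Computer Type : Other Computer\n</plugin_output>",
]

# Edge case: the SerialNumber line is present but empty.
BLANK_SERIAL_EVENT = (
    "<plugin_output>\nComputer SerialNumber :\n"
    "Computer Type : Other Computer\n</plugin_output>"
)

# Splunk rex from the thread:  | rex "Computer SerialNumber\s*:\s*(?<SerialNumber>.+)"
# Python's re names groups (?P<name>...) rather than PCRE's (?<name>...);
# the pattern is otherwise the same. '.' does not cross a newline in either
# engine, so '.+' stops at the end of the SerialNumber line, not at </plugin_output>.
LOOSE_RE = re.compile(r"Computer SerialNumber\s*:\s*(?P<SerialNumber>.+)")

# Tightened variant: only spaces/tabs around the colon (so a newline after an
# empty value cannot be skipped), and the value itself must contain at least one
# character that is not a line ending.
STRICT_RE = re.compile(r"Computer SerialNumber[ \t]*:[ \t]*(?P<SerialNumber>[^\r\n]+)")

# Equivalent of the "| spath input=pluginText" step: pull the text inside the
# <plugin_output> element. The regexes work on the raw event too, so this is
# only here to show that the XML wrapper is not what blocks the extraction.
PLUGIN_OUTPUT_RE = re.compile(r"<plugin_output>(.*?)</plugin_output>", re.DOTALL)


def plugin_output_body(plugin_text: str) -> str:
    m = PLUGIN_OUTPUT_RE.search(plugin_text)
    return m.group(1) if m else plugin_text


def extract_serial(plugin_text: str) -> Optional[str]:
    """Loose pattern, as posted in the thread. Returns None when no match."""
    m = LOOSE_RE.search(plugin_output_body(plugin_text))
    if m is None:
        return None
    # '.+' swallows a trailing '\r' on CRLF data; strip it like Splunk's trim().
    return m.group("SerialNumber").strip()


def extract_serial_strict(plugin_text: str) -> Optional[str]:
    """Tightened pattern: an empty SerialNumber line yields None, not the next line."""
    m = STRICT_RE.search(plugin_output_body(plugin_text))
    return m.group("SerialNumber").strip() if m else None


def extract_all(events: List[str]) -> List[Optional[str]]:
    return [extract_serial_strict(e) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS + [BLANK_SERIAL_EVENT]:
        print(repr(extract_serial(event)), "|", repr(extract_serial_strict(event)))
```

Run as a script it prints the loose and strict results side by side; the last row is the one to look at, where the loose pattern returns the "Computer Type" line as if it were a serial number. In SPL the same tightening is `| rex field=pluginText "Computer SerialNumber[ \t]*:[ \t]*(?<SerialNumber>[^\r\n]+)"`, and `| where isnotnull(SerialNumber)` then drops the events that have no usable value instead of returning every event in the sourcetype.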