Re: How to extract a Multi-Valued Field?

Minasdad · ‎07-18-2022

I've imported a .csv that has many fields, but the only one I care about has multiple values in it.

pluginText: <plugin_output>

Computer Manufacturer : VMware, Inc.

Computer Model : VMware Virtual Platform

Computer SerialNumber : This is what I REALLY need

Computer Type : Other Computer

"ect"..

</plugin_output>

I've tried extracting, and filtering, I believe Regex may work, but that is where I'm at.

Minasdad · ‎07-19-2022

sourcetype="tenable:sc:vuln"sourcetype="tenable:sc:vuln" pluginID=24270 | rex field=pluginText max_match=100 "\\n\s+-\s(?<SerialNumber>[^\\n]*)"

Latest try, still returns the event without isolating the string and value required.

yuanliu · ‎07-19-2022

Latest try, still returns the event without isolating the string and value required.

If you use "Smart Mode" and look in the left-hand side, do you see an additional field like SerialNumber? Alternatively, you can use | table SerialNumber pluginText as a test method to see if SerialNumber is extracted.

Minasdad · ‎07-19-2022

Yes, at this point I believe it will take a regex group capture. Using regex is extremely new to me, but from what I'm researching it may be the best option to tackle it.

yuanliu · ‎07-19-2022

"Yes" SerialNumber field is extracted (and has the right values)? Or yes otherwise? It seems that I'm missing some finer points in the requirement.

If you need specific pointers, you can post

Sample data (sanitize as necessary)
Expected output from sample data (including formating/listing considerations)
Sample code you have applied (reduce to the part relevant to the question)
Output from sample code, with an explanation why the output does not meet your expectation (it may not be obvious to others)

Minasdad · ‎07-19-2022

No SerialNumber is not a field and cannot be extracted as a field. The field is "output_text" which has many lines of data that are seen as one value by spluck (.csv). If the Computer SerialNumber line cannot be extracted as a field, then I'm attempting to use regex to do a group capture involving the string itself.

yuanliu · ‎07-19-2022

What I meant to ask is whether the regex extracts SerialNumber.

| rex field=output_text "Computer SerialNumber: (?<SerialNumber>.+)"

(In my code from the other thread, the field would be named "serialNumber" instead of "SerialNumber".)

Minasdad · ‎07-19-2022

No upon executing your query it simply returns every event from the sourcetype, looking to the left at all fields does not show an extraction for "SerialNumber".

yuanliu · ‎07-19-2022

Maybe back to the beginning. Let's test with _raw.

| rex "Computer SerialNumber\s*:\s*(?<SerialNumber>.+)"

Note: I see a space between the string "SerialNumber" and the colon in your data illustration, but my previous code didn't address that. That was my omission. This one handles common variants vendors might print their data. If space handling is the problem, you can add back field restriction.

Minasdad · ‎07-19-2022

even when I use variations or use regex it seems to return every event in the sourcetype. Isolating the string " Computer SerialNumber" in the "InputText" field seems to be no Bueno

| spath input=pluginText ``` this gives you a field plugin_output ```
| rex field=plugin_output "Computer SerialNumber: (?<serialNumber>.+)"

Minasdad · ‎07-18-2022

Tried both solutions, at this point I'm working with rex to see if I can isolate the data needed.

yuanliu · ‎07-18-2022

Have you checked my answer in https://community.splunk.com/t5/Splunk-Search/Suggestions-for-Tenable-csv-field-extraction/m-p/60602... This field is not multivalued, just multi-line. Yes, rex should be able to help.

How to extract a Multi-Valued Field?

fields

regex

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio