Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract multiple values for multiple fields within a single event?

rayaivy
Explorer
‎06-03-2019 05:25 AM

I have nessus data for Installed Windows Updates (PluginID 52001).
Here is a list of quick-fix engineering updates installed on the
remote system :

+ KB4091664
  - Description : Update
  - InstalledOn : 1/22/2019

+ KB4132216
  - Description : Update
  - InstalledOn : 6/28/2018

+ KB4465659
  - Description : Security Update
  - InstalledOn : 1/19/2019

+ KB4480977
  - Description : Update
  - InstalledOn : 1/22/2019

Note that for detailed information on installed QFE's such as InstalledBy, Caption,
and so on, please run the scan with 'Report Verbosity' set to 'verbose'.

or in raw

...\nHere is a list of quick-fix engineering updates installed on the\nremote system :\n\n+ KB4091664\n  - Description : Update\n  - InstalledOn : 1/22/2019\n\n+ KB4132216\n  - Description : Update\n  - InstalledOn : 6/28/2018\n\n+ KB4465659\n  - Description : Security Update\n  - InstalledOn : 1/19/2019\n\n+ KB4480977\n  - Description : Update\n  - InstalledOn : 1/22/2019\n\nNote that for detailed information on installed QFE's such as InstalledBy, Caption,\nand so on, please run the scan with 'Report Verbosity' set to 'verbose'.\n...

I tried using the field extractor to no avail.

Need HotFixID, HotFixDesc, HotFixInstalledOn

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alemarzu
Motivator
‎06-03-2019 08:33 AM

Hi there @rayaivy

Try like this.
... | rex max_match=0 "(?<HotFixID>KB\d+)[^\-]+-\sDescription\s:\s(?<HotFixDesc>[^\-]+)-\sInstalledOn\s:\s(?<HotFixInstalledOn>[\d\/]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

alemarzu
Motivator
‎06-03-2019 08:33 AM

Hi there @rayaivy

Try like this.
... | rex max_match=0 "(?<HotFixID>KB\d+)[^\-]+-\sDescription\s:\s(?<HotFixDesc>[^\-]+)-\sInstalledOn\s:\s(?<HotFixInstalledOn>[\d\/]+)"

Reply
Solved! Jump to solution

rayaivy
Explorer
‎06-03-2019 11:00 AM 
index=nessus pluginID=52001
|  rex max_match=0 "(?<HFID>KB\d+)[^\-]+-\sDescription\s:\s(?<HFDesc>[^\-]+)-\sInstalledOn\s:\s(?<InDate>[\d\/]+)"
| eval allVals=mvzip(HFID,mvzip(HFDesc, InDate,"~"),"~")
| expand allVals
| rex field=allVals "(?<HotFixID>[^~]+)~(?<HotFixDesc>[^~]+)~(?<InstallDate>.*)"
| table dnsName, HotFixID, HotFixDesc, InstallDate
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

We are thrilled to announce the winners of the Splunk Build-a-thon, our first-ever hackathon dedicated to ...

Why You Should Register for Splunk University at .conf25

Level up before .conf25 even begins Splunk University is back in Boston, September 6–8, and it’s your chance ...

Building Splunk proficiency is a marathon, not a sprint

Building Splunk skills is a lot like training for a marathon. It’s about consistent progress, celebrating ...
li.common.scroll-to.top