Splunk Search

How do I put 4 fields in a table view when some fields contain long sentences, so the table view ends up disorganised?

karu0711
Communicator

I use the mvzip command:

index=main sourcetype="ms.356"
| eval nested_payload=mvzip(mvzip(flaw, solution),answer)
| eval nested_payload=split(nested_payload,"--")
| eval flaw=mvindex(nested_payload,0)
| eval solution=mvindex(nested_payload,1)
| eval answer=mvindex(nested_payload,2)
| table flaw solution answer

When I use the above command I get all 3 field values in the flaw field, separated by commas, instead of in their own fields.
What am I doing wrong?


ITWhisperer
SplunkTrust

The default separator inserted by the mvzip command is a comma, so try splitting by comma

| eval nested_payload=split(nested_payload,",")

karu0711
Communicator

But when I use "," it splits my value wherever "," appears.

My values contain commas, and I don't want to split on commas. I want to split by the different fields only.

ITWhisperer
SplunkTrust

Use a delimiter that doesn't appear in your fields, for example:

| eval nested_payload=mvzip(mvzip(flaw, solution,"#"),answer,"#")
| eval nested_payload=split(nested_payload,"#")

karu0711
Communicator

index=main sourcetype="ms.356"
| eval nested_payload=mvzip(flaw, solution, "--")
| mvexpand nested_payload
| eval flaw=mvindex(split(nested_payload,"--"),0)
| eval solution=mvindex(split(nested_payload,"--"),1)
| eval nested_payload=mvzip(answer, COE, "--")
| mvexpand nested_payload
| eval answer=mvindex(split(nested_payload,"--"),0)
| eval COE=mvindex(split(nested_payload,"--"),1)
| table flaw solution answer COE

karu0711
Communicator

When I use the above SPL I get the fields separately, but my flaw and answer field values are repeating: the first value is repeated for all rows.


ITWhisperer
SplunkTrust

Please can you share an anonymised sample of the log you are trying to extract from?


karu0711
Communicator

Found 2 issues of Low severity.
CWE-209: Information Exposure Through an Error Message: tiles/error/errorUncaughtMessage.jsp:9
Details: <span> The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other 
details such as the names and versions of the application container and associated components.  This information can be useful in executing other attacks 
and can also enable the attacker to target known vulnerabilities in application components. </span> <span>Ensure that error codes or other messages 
returned to end users are not overly verbose.  Sanitize all messages of any sensitive information that is not absolutely necessary.</span> 
<span>References: <a href="https://cwe.mitre.org/data/definitions/209.html">CWE</a></span>
https://downloads.veracode.com/securityscan/cwe/v4/java/209.html
CWE-245: J2EE Bad Practices: Direct Management of Connections: edu/ufl/osg/webmail/prefs/DBPrefsPlugIn.java:172
Details: <span>This call to getConnection() fails to use the J2EE container's resource management facilities as required by the J2EE standard.</span> 
<span>Request the connection from the container rather than attempting to access it directly.</span> <span>References: <a href="https://cwe.mitre.
org/data/definitions/245.html">CWE</a></span>
https://downloads.veracode.com/securityscan/cwe/v4/java/245.html

ITWhisperer
SplunkTrust

It is not clear from this which field is flaw, solution and answer. Please can you show the results of 

| table flaw solution answer

for these events?


karu0711
Communicator

Flaw field

The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other 
details such as the names and versions of the application container and associated components.  This information can be useful in executing other attacks 
and can also enable the attacker to target known vulnerabilities in application components.

Solution field

Ensure that error codes or other messages 
returned to end users are not overly verbose.  Sanitize all messages of any sensitive information that is not absolutely necessary

Answer field

https://cwe.mitre.org/data/definitions/209.html

ITWhisperer
SplunkTrust

So, none of this text includes a hash (#) so use that as your delimiter on the mvzip and split commands (as I suggested earlier)

karu0711
Communicator

It is still putting the fields together. But when I use the SPL below it separates the fields as I want, except that the first two fields repeat the first event's field value. Why is this happening?

index=main sourcetype="ms.356"
| eval nested_payload=mvzip(flaw, solution, "--")
| mvexpand nested_payload
| eval flaw=mvindex(split(nested_payload,"--"),0)
| eval solution=mvindex(split(nested_payload,"--"),1)
| eval nested_payload=mvzip(answer, COE, "--")
| mvexpand nested_payload
| eval answer=mvindex(split(nested_payload,"--"),0)
| eval COE=mvindex(split(nested_payload,"--"),1)
| table flaw solution answer COE

ITWhisperer
SplunkTrust

Because that's how mvexpand works - it duplicates all the fields not being expanded.

karu0711
Communicator

What I am trying to accomplish here is getting all of an event's values in the same row. When I use the table command there is no row separation between events. Is there any way I can accomplish this without using mvzip or mvexpand? The fields also need to be searchable from a dashboard.


ITWhisperer
SplunkTrust

Something like this?

| eval joined=mvappend(flaw,solution,answer)
| eval joined=mvjoin(joined,"
")

karu0711
Communicator

In which query do I use this?


ITWhisperer
SplunkTrust

index=main sourcetype="ms.356"
| eval joined=mvappend(flaw,solution,answer,COE)
| eval joined=mvjoin(joined,"
")
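An added example, not from this thread, that reproduces the problem on constructed data (the two CWE-209/CWE-245 findings quoted above stand in for the real events; the COE values are an assumption) and shows the fix discussed here: zip all four fields into one payload with a delimiter that never occurs in the text, expand once, then split. A single mvexpand is what stops the flaw and solution values repeating, because every mvexpand copies each field it is not expanding into every new row, so a second mvzip/mvexpand pass multiplies the rows instead of aligning them.

```spl
| makeresults
| eval flaw=split("The application calls JspWriter.print(), which may expose container names and versions|This call to getConnection() bypasses the J2EE container's resource management", "|")
| eval solution=split("Keep error messages terse, sanitise any sensitive detail|Request the connection from the container", "|")
| eval answer=split("https://cwe.mitre.org/data/definitions/209.html|https://cwe.mitre.org/data/definitions/245.html", "|")
| eval COE=split("CWE-209|CWE-245", "|")
| eval nested_payload=mvzip(mvzip(mvzip(flaw, solution, "#"), answer, "#"), COE, "#")
| mvexpand nested_payload
| eval parts=split(nested_payload, "#")
| eval flaw=mvindex(parts, 0), solution=mvindex(parts, 1), answer=mvindex(parts, 2), COE=mvindex(parts, 3)
| table flaw solution answer COE
```

Against the real events, replace the makeresults and split() lines with the base search and keep the rest. The comma inside "print(), which" is the reason the default mvzip separator cannot be used on this data.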