Splunk Search

How to "Bucket" Certain Field Values into a new Field?

atebysandwich
Path Finder

I have a lookup of vulnerability scan data that includes fields such as hostname, IP, OS, CVEs, etc. I would like to put all OSs that are specified as a desktop OS as a field value named Desktop; anything that is specified as a server OS as a field value named Server, but add an extra layer of specification if it's Unix or Windows; and anything with a network OS specified as Network, and then put those field values in a new field called OS_Specified.

Here is an example of the OSs I would like to categorize.

Desktop

  • Windows 10 Enterprise 64 bit Edition Version 1803
  • Windows 10 Enterprise 64 bit Edition Version 21H1
  • Windows 10

Server

  • Red Hat Enterprise Linux 8.7
  • Windows Server 2012 R2 Datacenter 64 bit Edition
  • Windows Server 2016 Datacenter Version 1607

Network

  • Cisco Nexus Switch
  • CentOS Linux 8.4.2105

I'm assuming eval and/or rex is going to need to be involved, and that is where I would need assistance.

I feel like my ask is similar to this but a little more involved.


richgalloway
SplunkTrust

A series of case statements should do the job.

| inputlookup mylookup.csv
``` match() is a regex match, so "Windows 10" also covers the Enterprise/version variants ```
| eval Desktop = case(match(OS, "Windows 10"), 1, 1==1, null())
| eval Server = case(match(OS, "Windows Server"), 1,
                     match(OS, "Red Hat"), 1,
                     ``` Insert matches for other OSs here ```
                     1==1, null())
``` each match() must be closed before its result value ```
| eval Network = case(match(OS, "Cisco"), 1,
                      match(OS, "CentOS Linux"), 1,
                      1==1, null())
---
If this reply helps you, Karma would be appreciated.
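As an added example (not from the answer above), this variant produces the single OS_Specified field the question asks for, with the Unix/Windows layer for servers as a second field; mylookup.csv and the OS field name are assumed from the thread, and because match() is a regex match rather than an equality test, the branches are ordered most specific first so "Windows Server" is never caught by a generic "Windows" pattern.

```spl
| inputlookup mylookup.csv
| eval OS_Specified = case(
      match(OS, "(?i)^Windows Server|^Red Hat Enterprise"), "Server",
      match(OS, "(?i)^Cisco|^CentOS Linux"),                "Network",
      match(OS, "(?i)^Windows 10"),                          "Desktop",
      true(),                                                "Unclassified")
| eval Server_Type = if(OS_Specified="Server",
      if(match(OS, "(?i)^Windows"), "Windows", "Unix"), null())
| stats count by OS_Specified, Server_Type, OS
| sort OS_Specified, Server_Type, OS
```

The closing stats is an audit of the classification: any OS string that lands in Unclassified is one the patterns do not yet cover and should be added to the matching branch rather than silently dropped from the vulnerability report.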