Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search field output?

David_M
Explorer
‎11-17-2022 12:15 PM

I am VERY new to splunk so please bear with me.  I have a search,

index=vulnerability "list of packages installed on the remote" myserver.com | rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000 | table ProgramNameOutput

Which produces the following fictional output:

libhangul-0.1.0-8.el7
intltool-0.50.2-7.el7
libvert-7.6.1-120.el7
at-spi2-core-2.28.0-1.el7
spice-gtk3-0.35-5.el7_9.1
perl-Digest-MD5-2.52-3.el7
mesa-libvert-18.3.4-12.el7_9
hyperv-daemons-license-0-0.34.20180415git.el7
libsysfs-2.1.0-16.el7
openldap-clients-2.4.44-25.el7_9
libvirt-gconfig-1.0.0-1.el7
libpeas-gtk-1.22.0-1.el7
NetworkManager-adsl-1.18.8-2.el7_9
perl-Locale-Maketext-1.23-3.el7
 
So what I'd like to do is to pair that ProgramNameOutput down to only output that has "libvert" in it.
 
The output field looks similar to this, it's basically one big text block:
 
"output
Here is the list of packages installed on the remote CentOS Linux system :
 
libhangul-0.1.0-8.el7|(none) Mon 01 Nov 2021 12:06:47 PM EDT
intltool-0.50.2-7.el7|(none) Mon 01 Nov 2021 12:10:13 PM EDT
gdb-7.6.1-120.el7|(none) Mon 01 Nov 2021 12:06:15 PM EDT
at-spi2-core-2.28.0-1.el7|(none) Mon 01 Nov 2021 12:08:53 PM EDT
spice-gtk3-0.35-5.el7_9.1|(none) Mon 01 Nov 2021 12:40:05 PM EDT
perl-Digest-MD5-2.52-3.el7|(none) Mon 01 Nov 2021 12:05:15 PM EDT
mesa-filesystem-18.3.4-12.el7_9|(none) Mon 01 Nov 2021 12:38:01 PM EDT"
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 12:24 PM

See if the mvfilter function helps.

index=vulnerability "list of packages installed on the remote" myserver.com 
| rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000 
| eval ProgramNameOutput = mvfilter(match(ProgramNameOutput, "libvirt"))
| table ProgramNameOutput
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 12:24 PM

See if the mvfilter function helps.

index=vulnerability "list of packages installed on the remote" myserver.com 
| rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000 
| eval ProgramNameOutput = mvfilter(match(ProgramNameOutput, "libvirt"))
| table ProgramNameOutput
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

David_M
Explorer
‎11-18-2022 06:20 AM

Well that did the trick Rich!  Thank you...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...