Hi all,
How do I extract the fields UDP_PORT and TCP_PORT from this result?
FIXED_SEVERITY_3=10, FIXED_SEVERITY_2=14, CONFIRMED_SEVERITY_2=13, CONFIRMED_SEVERITY_3=9, CONFIRMED_SEVERITY_1=3, ACTIVE_SEVERITY_3=2, CONFIRMED_SEVERITY_4=1, ACTIVE_SEVERITY_1=1, SCAN_DURATION=1647, UDP_PORT=123, UDP_PORT=514, TCP_PORT=22, TCP_PORT=514, TCP_PORT=5520, TCP_PORT=8000, TOTAL_VULNS=46
Like this
... | rex max_match=0 "UDP_PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | rex field=z "^(?<udp>\d+),(?<tcp>\d+)$" | table udp tcp
One of these should do.
... | rex max_match=0 "UDP_PORT=(?<UDP_PORT>\d+)|TCP_PORT=(?<TCP_PORT>\d+)" | ...
... | extract mv_add=true kvdelim='=' pairdelim=',' | ...
Both will produce multi-value fields for each type of port, which you can then process using the mv* commands.
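A runnable version of what the two answers above describe, added here as an example (it is not code from either answer). It feeds the sample event from the question through makeresults so it can be pasted into any Splunk search bar, first builds the per-protocol multivalue fields, then goes one step further and turns them into one row per port with its protocol, which is the shape you want before a lookup or a stats by port. The field names proto, port, pair, udp_count and tcp_count are my own choice.

```spl
| makeresults
| eval _raw="FIXED_SEVERITY_3=10, FIXED_SEVERITY_2=14, CONFIRMED_SEVERITY_2=13, CONFIRMED_SEVERITY_3=9, CONFIRMED_SEVERITY_1=3, ACTIVE_SEVERITY_3=2, CONFIRMED_SEVERITY_4=1, ACTIVE_SEVERITY_1=1, SCAN_DURATION=1647, UDP_PORT=123, UDP_PORT=514, TCP_PORT=22, TCP_PORT=514, TCP_PORT=5520, TCP_PORT=8000, TOTAL_VULNS=46"
| rex max_match=0 "UDP_PORT=(?<UDP_PORT>\d+)"
| rex max_match=0 "TCP_PORT=(?<TCP_PORT>\d+)"
| eval udp_count=mvcount(UDP_PORT), tcp_count=mvcount(TCP_PORT)
| rex max_match=0 "(?<proto>UDP|TCP)_PORT=(?<port>\d+)"
| eval pair=mvzip(proto, port, ":")
| mvexpand pair
| rex field=pair "^(?<proto>\w+):(?<port>\d+)$"
| table proto port UDP_PORT TCP_PORT udp_count tcp_count
```

The first two rex calls give UDP_PORT = {123, 514} and TCP_PORT = {22, 514, 5520, 8000} as multivalue fields, so udp_count is 2 and tcp_count is 4. The third rex captures protocol and port from the same match, so the two multivalue fields line up index by index and mvzip pairs them correctly; the pairs are then expanded to one row each and split back out with a rex on the pair field, because mvexpand leaves the original multivalue fields untouched. The result is six rows: UDP 123, UDP 514, TCP 22, TCP 514, TCP 5520, TCP 8000. Zipping UDP_PORT against TCP_PORT directly, as in the first answer, only makes sense if the two lists are the same length, which they are not here.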