Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to break a value down to partial values as a match or field?

Minasdad
Path Finder
‎07-20-2022 08:43 AM

So I have a field (plugin_output)that has a paragraph of hardware info as one value. The only part of the value I'm concerned with is the "Computer SerialNumber". Is it possible to break this value down into multiple values? I've tried field extraction with no luck, it may be possible to do a string search, but I would also need variables to account for the actual serial number value I want.

<plugin_output> Computer Manufacturer : VMware, Inc. Computer Model : VMware7,1 Computer SerialNumber : VMware-65 6d 69 60 3b 89 2a a0-3b 4e bb 3f 2a 95 2f 49 Computer Type : Other Computer Physical CPU's : 2 Computer Logical CPU's : 4 CPU0 Architecture : x64 Physical Cores: 2 Logical Cores : 2 CPU1 Architecture : x64 Physical Cores: 2 Logical Cores : 2 Computer Memory : 8190 MB RAM slot #0 Form Factor: DIMM Type : DRAM Capacity : 8192 MB </plugin_output>

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Minasdad
Path Finder
‎07-20-2022 09:46 AM

Thanks for you help, I figured it out, building on your rex query. 

sourcetype=tenable:sc:vuln SerialNumber
| rex max_match=0 field=_raw "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type" | table ComputerSerialNumber

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Minasdad
Path Finder
‎07-20-2022 09:46 AM

Thanks for you help, I figured it out, building on your rex query. 

sourcetype=tenable:sc:vuln SerialNumber
| rex max_match=0 field=_raw "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type" | table ComputerSerialNumber

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2022 09:10 AM

(I unlinked your example as it referred to your server)

Can you post the raw event (desensitised of course) in a code block </> so we can see what you are actually dealing with?

If not, try this

| rex "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type"
0 Karma
Reply
Solved! Jump to solution

Minasdad
Path Finder
‎07-20-2022 09:41 AM

Your rex query actually came fairly close to isolating the string, it return every string that started with "Computer" which is alot closer and a much smaller return then the whole value.

0 Karma
Reply
Solved! Jump to solution

Minasdad
Path Finder
‎07-20-2022 09:20 AM

I randomized parts of that value to define a non-existent server.  I posted that example to show that the field had a single value with multiple strings. I'm trying to parse the strings to single out the Serial Number.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2022 09:28 AM

Fair enough (on the randomising) - the problem you appear to have is that there is no clear delimiter between key/value pairs in the string (obviously keys and values appear to be separated by colons). You could expand the rex or have multiple rex commands to anchor the pattern before and after the values you want (as I have shown for the serial number), but unless there is an invisible delimiter, it would be difficult to make it generic.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...