Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is it possible to break a value down to partia...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I have a field (plugin_output)that has a paragraph of hardware info as one value. The only part of the value I'm concerned with is the "Computer SerialNumber". Is it possible to break this value down into multiple values? I've tried field extraction with no luck, it may be possible to do a string search, but I would also need variables to account for the actual serial number value I want.
<plugin_output> Computer Manufacturer : VMware, Inc. Computer Model : VMware7,1 Computer SerialNumber : VMware-65 6d 69 60 3b 89 2a a0-3b 4e bb 3f 2a 95 2f 49 Computer Type : Other Computer Physical CPU's : 2 Computer Logical CPU's : 4 CPU0 Architecture : x64 Physical Cores: 2 Logical Cores : 2 CPU1 Architecture : x64 Physical Cores: 2 Logical Cores : 2 Computer Memory : 8190 MB RAM slot #0 Form Factor: DIMM Type : DRAM Capacity : 8192 MB </plugin_output>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you help, I figured it out, building on your rex query.
sourcetype=tenable:sc:vuln SerialNumber
| rex max_match=0 field=_raw "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type" | table ComputerSerialNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you help, I figured it out, building on your rex query.
sourcetype=tenable:sc:vuln SerialNumber
| rex max_match=0 field=_raw "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type" | table ComputerSerialNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(I unlinked your example as it referred to your server)
Can you post the raw event (desensitised of course) in a code block </> so we can see what you are actually dealing with?
If not, try this
| rex "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your rex query actually came fairly close to isolating the string, it return every string that started with "Computer" which is alot closer and a much smaller return then the whole value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I randomized parts of that value to define a non-existent server. I posted that example to show that the field had a single value with multiple strings. I'm trying to parse the strings to single out the Serial Number.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough (on the randomising) - the problem you appear to have is that there is no clear delimiter between key/value pairs in the string (obviously keys and values appear to be separated by colons). You could expand the rex or have multiple rex commands to anchor the pattern before and after the values you want (as I have shown for the serial number), but unless there is an invisible delimiter, it would be difficult to make it generic.
Community Content Calendar, November Edition
October Community Champions: A Shoutout to Our Contributors!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
