Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problems extracting field with multiple values

jambajuice
Communicator
‎01-12-2011 09:28 PM

I am trying to parse a bunch of Nessus vulnerability plugin files and extract the CVE and OSVDB reference IDs from each file. Each file is treated as a single event.

The format of the data is different for each plugin (probably because they were written by different people). Here are some samples:

script_cve_id("CVE-2010-4344");

script_cve_id("CVE-2010-3766", "CVE-2010-3767", "CVE-2010-3768", "CVE-2010-3770", "CVE-2010-3771", "CVE-2010-3772", "CVE-2010-3773", "CVE-2010-3774", "CVE-2010-3775", "CVE-2010-3776", "CVE-2010-3777", "CVE-2010-3778");

script_cve_id(
    "CVE-2010-3512",
    "CVE-2010-3514",
    "CVE-2010-3544",
    "CVE-2010-3545"
  );

I've tried the following transforms to capture the events, but only a single CVE ID is showing up for each one:

[nessus_plugins_cve]
REGEX = (?mi)script_cve_id\(\s*"CVE-(?P<cve_id>\d+-\d+)(?=",*)
FORMAT = cve_id::$1
MV_ADD = true

Why isn't my regex capturing more than one CVE reference?

Thx.

Craig

Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-12-2011 09:52 PM

Your regex won't work with MV_ADD, primarily because you have anchored it to the 'script_cve_id'.

Try:

REGEX = (?mi)\"CVE-(?<cve_id>\d+-\d+)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-12-2011 11:19 PM

Nope, there isn't really another way to do it. You might try negative look ahead/behind regex, but those are tricky and expensive. In my Nessus app, there are quite a few quandaries like this due to the sub-optimal structure of the .nessus files. More often than not, I extract out the whole CVE list as a field, then extract each entry from this field as another multivalued field.

0 Karma
Reply

jambajuice
Communicator
‎01-12-2011 10:05 PM

The problem is that some other parts of the plugin configuration make references to CVE numbers that may or may not be associated with that particular plugin.

Is there any way to extract multiple events if it's anchored to "script_cve_id"? Worst case scenario I can capture the entire contents of that field and extract them at search time, but I'd rather not if I don't have to...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...