Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problems extracting field with multiple values

jambajuice
Communicator
‎01-12-2011 09:28 PM

I am trying to parse a bunch of Nessus vulnerability plugin files and extract the CVE and OSVDB reference IDs from each file. Each file is treated as a single event.

The format of the data is different for each plugin (probably because they were written by different people). Here are some samples:

script_cve_id("CVE-2010-4344");

script_cve_id("CVE-2010-3766", "CVE-2010-3767", "CVE-2010-3768", "CVE-2010-3770", "CVE-2010-3771", "CVE-2010-3772", "CVE-2010-3773", "CVE-2010-3774", "CVE-2010-3775", "CVE-2010-3776", "CVE-2010-3777", "CVE-2010-3778");

script_cve_id(
    "CVE-2010-3512",
    "CVE-2010-3514",
    "CVE-2010-3544",
    "CVE-2010-3545"
  );

I've tried the following transforms to capture the events, but only a single CVE ID is showing up for each one:

[nessus_plugins_cve]
REGEX = (?mi)script_cve_id\(\s*"CVE-(?P<cve_id>\d+-\d+)(?=",*)
FORMAT = cve_id::$1
MV_ADD = true

Why isn't my regex capturing more than one CVE reference?

Thx.

Craig

Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-12-2011 09:52 PM

Your regex won't work with MV_ADD, primarily because you have anchored it to the 'script_cve_id'.

Try:

REGEX = (?mi)\"CVE-(?<cve_id>\d+-\d+)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-12-2011 11:19 PM

Nope, there isn't really another way to do it. You might try negative look ahead/behind regex, but those are tricky and expensive. In my Nessus app, there are quite a few quandaries like this due to the sub-optimal structure of the .nessus files. More often than not, I extract out the whole CVE list as a field, then extract each entry from this field as another multivalued field.

0 Karma
Reply

jambajuice
Communicator
‎01-12-2011 10:05 PM

The problem is that some other parts of the plugin configuration make references to CVE numbers that may or may not be associated with that particular plugin.

Is there any way to extract multiple events if it's anchored to "script_cve_id"? Worst case scenario I can capture the entire contents of that field and extract them at search time, but I'd rather not if I don't have to...

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...