Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Suggestions for Tenable .csv field extraction

Minasdad
Path Finder
‎07-14-2022 03:06 PM

Within the tenable:sc:vuln sourcetype there is a particular field "PluginText" that has a value for hardware serial numbers. Overall I'm looking for any source type that provides that data, but extracting "SerialNumber" as a field from "PluginText" is frustrating. Any advice would be appreciated.

Labels (1)
Labels
0 Karma
Reply

Minasdad
Path Finder
‎07-18-2022 10:56 AM

Sample Data:

 pluginText: <plugin_output>

Computer Manufacturer : XXX 

Computer SerialNumber : VMware- XXX

Computer Type : Other Computer

</plugin_output>

 

I wish to extract only the Computer Serial Number Field.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-18-2022 11:07 AM

Can you explain the frustration you had when trying to extract?  Assuming that pluginText is already extracted into a field, you can do something like

| spath input=pluginText ``` this gives you a field plugin_output ```
| rex field=plugin_output "Computer SerialNumber: (?<serialNumber>.+)"

Alternatively, extract all key-value pairs from plugin_output using

| spath input=pluginText ``` this gives you a field plugin_output ```
| rename _raw AS saved_raw, plugin_output AS _raw
| kv kvdelim=" : "
| rename saved_raw as _raw

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-17-2022 04:18 PM

Pro tip:

  1. Do not use deeply vertical/industry specific/application specific terms in title.
  2. When using such specific sources, illustrate sample data (sanitize as necessary).  This is a Splunk board, most people will not know what tenable:sc:vuln look like. (Source type also has no general meaning outside that particular application.)
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...