Break out individual rows by host, repeated for each line

youngsuh
Path Finder

Here is what I've done. How do I break out the results into individual software entries correctly in Splunk? Any tips would be helpful. Here is the regex being used for software_name and software_version.

| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest

Here is the text being rex'd into field values.

<plugin_output>
The following software are installed on the remote host :

McAfee Agent  [version 5.6.6.232]
Mozilla Firefox 84.0.2 (x64 en-US)  [version 84.0.2]
Mozilla Maintenance Service  [version 84.0.2]
The following updates are installed :

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 9/10/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 3/23/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
</plugin_output>

I want to break out the results into individual lines with the host repeated. But I don't know where to start. I tried the mvexpand function, but it doesn't break out the correct pairs of data.


to4kawa
SplunkTrust
| makeresults 
| eval _raw="<plugin_output>
The following software are installed on the remote host :

McAfee Agent  [version 5.6.6.232]
Mozilla Firefox 84.0.2 (x64 en-US)  [version 84.0.2]
Mozilla Maintenance Service  [version 84.0.2]
The following updates are installed :

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 9/10/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 3/23/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
</plugin_output>" 
| multikv noheader=t 
| where !match(_raw,"^\<.*") 
| streamstats count(eval(match(_raw,"The following"))) as session 
| rex "(?<software>.* )\[version (?<version>[^\]]+)" 
| where !match(_raw,"The following") 
| rex "(?<master>.*) :" 
| filldown master 
| fillnull master value="-" 
| stats values(master) as master by software version

to4kawa
SplunkTrust
index="tenable" sourcetype="tenable:sc:vuln" plugin_id=42760 
| multikv noheader=t 
| where !match(_raw,"^\<.*") 
| streamstats count(eval(match(_raw,"The following"))) as session 
| rex "(?<software>.* )\[version (?<version>[^\]]+)" 
| where !match(_raw,"The following") 
| rex "(?<master>.*) :" 
| filldown master 
| fillnull master value="-" 
| stats values(master) as master by software version

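For anyone wanting to check what the answer's SPL should produce, here is an added Python version of the same line-by-line parse (it is not from the thread, not from Splunk, and not from Tenable): it drops the XML wrapper and the "The following" header lines, carries each " :" parent line down the way filldown does, and emits one (dest, master, software, version) row per installed item, so the host is repeated on every row. The sample text is the plugin output quoted in the question, and dest "host01" is a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample: the plugin_output block quoted in the question.
SAMPLE_PLUGIN_TEXT = """<plugin_output>
The following software are installed on the remote host :

McAfee Agent  [version 5.6.6.232]
Mozilla Firefox 84.0.2 (x64 en-US)  [version 84.0.2]
Mozilla Maintenance Service  [version 84.0.2]
The following updates are installed :

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 9/10/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 :
  KB2151757  [version 1]  [installed on 3/23/2020]
  KB2467173  [version 1]  [installed on 3/23/2020]
  KB2565063  [version 1]  [installed on 3/23/2020]
  KB982573  [version 1]  [installed on 3/23/2020]
</plugin_output>"""

# Same two patterns the answer's rex commands use, applied per line.
VERSION_RE = re.compile(r"(?P<software>.*?)\s+\[version (?P<version>[^\]]+)\]")
MASTER_RE = re.compile(r"(?P<master>.*) :$")

def explode_plugin_text(dest: str, text: str) -> List[Tuple[str, str, str, str]]:
    """Return one (dest, master, software, version) row per installed item."""
    rows = []
    master = "-"  # like fillnull master value="-": no parent yet
    for line in text.splitlines():
        if not line.strip() or line.startswith("<"):
            continue  # blank lines and the <plugin_output> wrapper
        if "The following" in line:
            master = "-"  # section header: reset the carried-down parent
            continue
        m = VERSION_RE.match(line.strip())
        if m:
            rows.append((dest, master, m.group("software"), m.group("version")))
            continue
        m = MASTER_RE.match(line.rstrip())
        if m:
            master = m.group("master").strip()  # carried down like filldown
    return rows

if __name__ == "__main__":
    for row in explode_plugin_text("host01", SAMPLE_PLUGIN_TEXT):  # dest is a placeholder
        print(*row, sep=" | ")
```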

youngsuh
Path Finder

@to4kawa 

In reviewing your SPL, it looks like I didn't provide enough information. I get the pluginText as a field from an SPL search like so.

index="tenable" sourcetype="tenable:sc:vuln" plugin_id=42760 
| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest

I gave your SPL a try by piping the results into it, with no luck. My SPL is still elementary. Additional help would be appreciated.
