Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- brake out individual row by host repeated for each...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brake out individual row by host repeated for each line
youngsuh
Contributor
01-22-2021
10:00 AM
Here is what I've done. How to break out the results into individual software correctly in Splunk. Any tips could be helpful. Here is the regex being used for software_name and software_version.
| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest
Here is the text being rex to field value.
Spoiler
<plugin_output>
The following software are installed on the remote host :
McAfee Agent [version 5.6.6.232]
Mozilla Firefox 84.0.2 (x64 en-US) [version 84.0.2]
Mozilla Maintenance Service [version 84.0.2]
The following updates are installed :
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 3/23/2020]
KB2467173 [version 1] [installed on 3/23/2020]
KB2565063 [version 1] [installed on 9/10/2020]
KB982573 [version 1] [installed on 3/23/2020]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 3/23/2020]
KB2467173 [version 1] [installed on 3/23/2020]
KB2565063 [version 1] [installed on 3/23/2020]
KB982573 [version 1] [installed on 3/23/2020]
</plugin_output>I want to break out the results to induvial line with the host repeated. But, I don't know where to start. I'd try mvexpan function but, it doesn't break out the correct pair of data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-23-2021
09:00 PM
| makeresults
| eval _raw="<plugin_output>
The following software are installed on the remote host :
McAfee Agent [version 5.6.6.232]
Mozilla Firefox 84.0.2 (x64 en-US) [version 84.0.2]
Mozilla Maintenance Service [version 84.0.2]
The following updates are installed :
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 3/23/2020]
KB2467173 [version 1] [installed on 3/23/2020]
KB2565063 [version 1] [installed on 9/10/2020]
KB982573 [version 1] [installed on 3/23/2020]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 3/23/2020]
KB2467173 [version 1] [installed on 3/23/2020]
KB2565063 [version 1] [installed on 3/23/2020]
KB982573 [version 1] [installed on 3/23/2020]
</plugin_output>"
| multikv noheader=t
| where !match(_raw,"^\<.*")
| streamstats count(eval(match(_raw,"The following"))) as session
| rex "(?<software>.* )\[version (?<version>[^\]]+)"
| where !match(_raw,"The following")
| rex "(?<master>.*) :"
| filldown master
| fillnull master value="-"
| stats values(master) as master by software version- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-28-2021
12:38 PM
index="tenable" sourcetype="tenable:sc:vuln" plugin_id=42760
| multikv noheader=t
| where !match(_raw,"^\<.*")
| streamstats count(eval(match(_raw,"The following"))) as session
| rex "(?<software>.* )\[version (?<version>[^\]]+)"
| where !match(_raw,"The following")
| rex "(?<master>.*) :"
| filldown master
| fillnull master value="-"
| stats values(master) as master by software version
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
youngsuh
Contributor
01-27-2021
10:13 AM
In reviewing your SPL. Look like I didn't provided enough information. I'd get the plugintext has field from a SPL search like so.
index="tenable" sourcetype="tenable:sc:vuln" plugin_id=42760
| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by destI'd gave your SPL try to pipe the results with no luck. My SPL still is still elementary. Additional help would appreciated.
Get Updates on the Splunk Community!
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights!
Duration: ...
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
