Splunk Search

makemv delim carriage return problem...

TorbinIT
Path Finder

I've got a bit of a weird situation and I don't have the Splunk technical know-how to fix it myself, so I thought I'd put it here and see if someone else has a solution. I'm using a search

| inputlookup CISOVRMTier0Unixweekly.csv
| search pluginName IN ("*Java*" "*java*") NOT pluginID IN (83186 83186 87011 87171 87312 90709 92606 94511 96610 96803 138506 139583 140504)
| rex field=pluginText "remote host :[\r\n][\r\n](?<pluginText1>[\w\W]*)"
| rex field=pluginText "Remote package installed : (?<RHEL>.+)" max_match=0
| makemv delim="

" pluginText1
| mvexpand pluginText1
| rex field=pluginText1 "Path : (?<Path>.+)" max_match=0
| rex field=pluginText1 "Installed version : (?<Installed>.+)" max_match=0
| fillnull value=NULL Path
| eval Installed=case(Path="NULL",RHEL, 1=1, Installed)
| mvexpand Path
| eval patchPubDate=strptime(patchPubDate, "%m/%d/%Y")
| stats min(patchPubDate) as patchPubDate last(dnsName) as dnsName last(netbiosName) as netbiosName max(vprScore) as vprScore values(Name) as Name values(macAddress) as macAddress values(EIR) as EIR values(Acronym) as Acronym values(Environment) as Environment values(CMDB-OS) as CMDB-OS values(PortfolioMgr) as PortfolioMgr values(ProgMgr) as ProgMgr values(SCMgr) as SCMgr values(SCBPL) as SCBPL values(ISSO) as ISSO values(CMDB_Name) as CMDB_Name values(HostName) as HostName by Path Installed ip operatingSystem
| eval patchPubDate=strftime(patchPubDate, "%x")
| table CMDB_Name HostName ip Path Installed operatingSystem vprScore patchPubDate Name dnsName macAddress EIR Acronym Environment CMDB-OS PortfolioMgr ProgMgr SCMgr SCBPL ISSO

Which works great, but I don't like the part that reads:

| makemv delim="

" pluginText1


Which exists to represent two carriage returns, but I don't know what I could do to replace it. I've tried variations of [\r\n] and they don't seem to work, and I don't know what I'm doing wrong. Can someone offer me some suggestions or ideas?

Labels (1)
0 Karma

lekanneer
Loves-to-Learn Lots

This is why I developed a solution to overcome the problem of lookups and/or indexes and/or complex searches. My solution is using a Neo4j graph database in between the source of the information and Splunk. The good thing of the graph database is that it is capable of searching for relationships or the lack of relationships. So you can even combine several sources to give you the context that you need.

I wrote a post about that recently: SOCs: why they struggle with context 

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...