merge fields

skhedim
Explorer

Hello,

I'm new to the Splunk universe, and I need to create a dashboard listing the CVEs (security holes) of a Docker image.

I think my need is feasible via Splunk, but I don't know how to proceed. I'll try to go into as much detail as I can.

First of all, I get all this information from scanning an image into Splunk (example: debian).

I would like to process this information to get a dashboard similar to this one:
https://anchore.io/image/dockerhub/2b98c9851a37e18356abe407922726dc35c370f7cee76f435f94ee92950b4493?...

First, I would like to list every CVE line by line, as on the website above. But when I try to do that, I get this result:

I have a column scrolling around the field with its number, and all this information is on one line. I would like all vulnerabilities_*_vuln fields to be "merged" into a single CVE field, in order to have the same result as on the anchore.io site above.

Is it possible via Splunk to get this result?

Thank you in advance,

Sincerely.

1 Solution

somesoni2
Revered Legend

Try like this

index="poc_anchor" "imagetag=docker.io/debian:latest"
| fields index vulnerabilities_*
| untable index attribute value
| rex field=attribute "vulnerabilities_(?<VulnID>\d+)_(?<name>\w+)"
| chart values(value) over VulnID by name
| table vuln severity package fix url
| rename vuln as "CVE ID" severity as "Severity" package as "Vulnerable Package" fix as "Fix Available" url as "URL"


0 Karma
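To show what the untable / rex / chart pipeline in the accepted answer actually does to one flattened scan event, here is an added Python example (not code from the thread or from Splunk); the event, the CVE identifiers and the example.invalid URLs are constructed. Each step is labelled with the SPL command it mirrors, and it also handles two things the SPL leaves implicit: a finding with no `fix` field, and numeric ordering of the index so that 10 does not sort between 1 and 2.

```python
import re
from collections import defaultdict

# Constructed sample: one Splunk event from an image scan, with every finding
# flattened into vulnerabilities_<N>_<attribute> fields, as in the question.
SAMPLE_EVENT = {
    "index": "poc_anchor",
    "imagetag": "docker.io/debian:latest",
    "vulnerabilities_0_vuln": "CVE-2019-0001",       # constructed IDs
    "vulnerabilities_0_severity": "High",
    "vulnerabilities_0_package": "libfoo-1.0-1",
    "vulnerabilities_0_fix": "1.0-2",
    "vulnerabilities_0_url": "https://example.invalid/CVE-2019-0001",
    "vulnerabilities_1_vuln": "CVE-2019-0002",
    "vulnerabilities_1_severity": "Low",
    "vulnerabilities_1_package": "libbar-2.3",
    "vulnerabilities_1_fix": "None",
    "vulnerabilities_1_url": "https://example.invalid/CVE-2019-0002",
    "vulnerabilities_10_vuln": "CVE-2019-0010",
    "vulnerabilities_10_severity": "Medium",
    "vulnerabilities_10_package": "libbaz-0.9",
    "vulnerabilities_10_url": "https://example.invalid/CVE-2019-0010",  # no _fix field
}

# Same pattern as the rex in the accepted answer.
ATTR_RE = re.compile(r"^vulnerabilities_(?P<VulnID>\d+)_(?P<name>\w+)$")
# Same column order as the final `table` command.
COLUMNS = ["vuln", "severity", "package", "fix", "url"]


def pivot_vulnerabilities(event):
    """Return one row (dict) per finding, mirroring `untable | rex | chart`."""
    rows = defaultdict(dict)
    for attribute, value in event.items():       # untable: one (attribute, value) pair per field
        m = ATTR_RE.match(attribute)             # rex: pull out the index and the attribute name
        if not m:
            continue                             # fields like index/imagetag do not match and drop out
        rows[int(m["VulnID"])][m["name"]] = value  # chart values(value) over VulnID by name
    # Sort the index numerically and emit the dashboard columns; an attribute
    # that is absent for a finding (here, fix for #10) becomes None.
    return [{col: rows[vid].get(col) for col in COLUMNS} for vid in sorted(rows)]
```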

skhedim
Explorer

Thanks for the answer, I think it's very close to what I want, though it doesn't return anything. I don't understand the untable line. Once I launched the untable line I couldn't do anything in return. Do you know what the problem might be?

0 Karma

skhedim
Explorer

It's working!

I hadn't seen it but it was just missing "ies" at the end of vulnerabilities here:

rex field=attribute "vulnerabilit**ies**_(?<VulnID>\d+)_(?<name>\w+)"

That's exactly what I wanted, thanks again!

See you later

0 Karma

somesoni2
Revered Legend

What fields do you get when you run the query below?

index="poc_anchor" "imagetag=docker.io/debian:latest"
| table index vulnerabilities_*

After adding `| untable index attribute value` to the above you should get a table with 3 columns: index, attribute, value.

skhedim
Explorer

Hi,

Thanks for your quick answers!

I'm going to clarify what I want to reproduce. I want to get this table with the same columns based on the fields vulnerabilities_x_fix, vulnerabilities_x_vuln, etc. I want to list every _vuln vulnerability on one line and the same with _fix, etc.

I think somesoni2's answer is very close to what I want. But I get an error: `Error in 'chart' command: Invalid argument: 'over'`. If I replace the second over with "by" I have no more error, but no result is displayed.

I also tried the JDukeSplunk solution, I get a table, but with only one line.

Do you have any other ideas? Thank you again.

Sincerely.

0 Karma

mayurr98
Super Champion

Okay, so you need to extract the vulnerabilities_*_vuln into one field and then expand it.
can you share one sample event?

0 Karma

JDukeSplunk
Builder

You might want to eval, coalesce. I don't know if this will work... Just spitballing here. You'll have to fill in the additional fields in the eval statements if this works.

index="poc_anchor" "imagetag=docker.io/debian:latest"
| eval "vulnerabilities"=coalesce(vulnerabilities_0_vuln,vulnerabilities_10_vuln,vulnerabilities_11_vuln)
| eval "severity"=coalesce(vulnerabilities_0_severity,vulnerabilities_10_severity,vulnerabilities_11_severity)
| stats list(vulnerabilities) as vulnerabilities by severity

Another option would be to create a more generic field extraction with a single name that captures all the CVE-\d+-\d+-\d+- patterns.

0 Karma