Has anyone had an issue with the qualys-technology-add-on-ta-for-splunk_134 TA that started today? It looks like the API is pulling a new field VECTOR_STRING and the parsing script can not handle it. This is an example of the same QID from 12/18/2018 <BASE source="service">5</BASE> <TEMPORAL>3.6</TEMPORAL> </CVSS> <PCI_FLAG>1</PCI_FLAG> <THREAT_INTELLIGENCE> <THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL> <THREAT_INTEL id="8"><![CDATA[No_Patch]]></THREAT_INTEL> </THREAT_INTELLIGENCE> <DISCOVERY> <REMOTE>1</REMOTE> </DISCOVERY> </VULN> <VULN> <QID>32</QID>' Here is the one from today <BASE source="service">5</BASE> <TEMPORAL>3.6</TEMPORAL> **<VECTOR_STRING>CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:UC</VECTOR_STRING>** </CVSS> <PCI_FLAG>1</PCI_FLAG> <THREAT_INTELLIGENCE> <THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL> <THREAT_INTEL id="8"><![CDATA[No_Patch]]></THREAT_INTEL> </THREAT_INTELLIGENCE> <DISCOVERY> <REMOTE>1</REMOTE> </DISCOVERY> </VULN> <VULN> <QID>32</QID> Here are the error logs TA-QualysCloudPlatform: 2018-12-20 12:35:54 PID=68179 [MainThread] ERROR: TA-QualysCloudPlatform (knowledge_base) - could not load API response. Reason: dict contains fields not in fieldnames: 'CVSS_VECTOR_STRING' ValueError: dict contains fields not in fieldnames: 'CVSS_VECTOR_STRING' + ", ".join([repr(x) for x in wrong_fields])) File "/splunk/apps/splunk/lib/python2.7/csv.py", line 148, in _dict_to_list return self.writer.writerow(self._dict_to_list(rowdict)) File "/splunk/apps/splunk/lib/python2.7/csv.py", line 152, in writerow writer.writerow(self._qids[qid]) File "/splunk/apps/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/kbpopulator.py", line 133, in _post_parse self._post_parse() File "/splunk/apps/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/basepopulator.py", line 287, in _parse parseresponse = self._parse(response.file_name) File "/splunk/apps/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/basepopulator.py", line 134, in __fetch_and_parse TA-QualysCloudPlatform: 2018-12-20 12:35:54 PID=68179 [MainThread] DEBUG: TA-QualysCloudPlatform (knowledge_base) - Exception while parsing. dict contains fields not in fieldnames: 'CVSS_VECTOR_STRING' :: Traceback (most recent call last): ... View more

I am trying to extract all IP addresses from _raw with a field name of rf_ip so that I can use this value to do a lookup for any IP in the logs that match, but I seem to have something configured incorrectly. I have tested the regex in regex101 and within splunk using: | rex field=_raw "(?<"rf_ip">\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" max_match=0 (I have "" around <"rf_ip"> so it will show up in the forum) Here are my configs: On HFs transforms.conf [rf_ip] 1. REGEX = (?<"rf_ip">\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b) (I have "" around <"rf_ip"> so it will show up in the forum) 2. SOURCE_KEY = _raw 3. MV_ADD = true 4. CAN_OPTIMIZE = false props.conf [infoblox:dns] TRANSFORMS-rfip = rf_ip ES search head /etc/system/local fields.conf [rf_ip] INDEXED = True Splunk design: Universal forwarders or syslog => HF => indexers => ES search head ... View more

Below is an example from an access.log that I am trying to extract the productList from. The number of products numbers change for each request. i.e. some may have 1 product number some may have 5. I need some help in extracting the productList separately. 2013-12-31 12:30:53 0.0010 0 - 204.107.141.40 GET /open-sounthing/compete.html?pagename=myco:getsomething:page7:goodjob&differentinfo=someinfo&productList=4004,4102,4107 200 I would like to be able to pull out the productList and rename them by number to use in pivot 4004= corn 4102= viper 4107= dog ... View more