Hi all
I need to pull more fields from Qualys into Splunk than the defaults.
I changed the detectionpopulator.py and kbpopulator.py scripts to add these fields and they do work - however I have a few challenges with field truncation.
Especially the RESULTS field, which is severely truncated, reduced to just a few characters from the first line.
I am pasting the details below; if anyone has experience with these and can give me a hint, I would greatly appreciate it.
Adding the RESULTS field = Main issue = severely truncated
I changed detectionpopulator.py and added RESULTS as a detection field to log:
detection_fields_to_log = ["QID", "TYPE", "PORT", "PROTOCOL", "SSL", "STATUS", "LAST_UPDATE_DATETIME", "LAST_FOUND_DATETIME", "FIRST_FOUND_DATETIME", "LAST_TEST_DATETIME", "RESULTS"]
This works fine, but the RESULTS field is severely truncated – it only contains the first few characters, up to 10-20, and always only from the first line. (I tried to change self.truncation_limit but that doesn't seem to make any difference.)
Question: how do I change this so that it will parse the full RESULTS field?
Similar question for the SOLUTION field
I added three additional fields in kbpopulator.py. They are getting parsed fine, but the SOLUTION field is still being truncated after 2000-3000 characters... and they want it all 🙂
QID_EXTRA_FIELDS_TO_LOG = ["VULN_TYPE", "PATCHABLE", "PCI_FLAG", "TITLE", "CATEGORY", "DIAGNOSIS", "CONSEQUENCE", "SOLUTION", "PUBLISHED_DATETIME"]
Question: basically the same question for the SOLUTION field – how can I make sure the field is not truncated?
HTML tags in the SOLUTION field – any way to get rid of them?
The SOLUTION field will have a lot of hyperlinks; the data comes in with all the HTML tags, so it's obviously hard to read and much lengthier.
Is there any way these tags can be stripped during the file parsing?
Thank you in advance
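As an added example (not the Qualys add-on's own code and not a reply from this thread), the block below shows the two things the post asks for in plain Python: reading the full multi-line RESULTS text out of a detection record instead of only its first line, and stripping the HTML from a SOLUTION field while keeping link targets readable. The XML and HTML samples are constructed to match the shape of the Qualys API elements named in the post; the function names (parse_detections, strip_html, to_splunk_kv, exceeds_splunk_truncate) and the HOST_IP key are this example's own, not the add-on's. One caveat worth checking separately from the populator scripts: Splunk's props.conf TRUNCATE setting defaults to 10000 bytes per event, so an event carrying a multi-thousand-character SOLUTION plus the other fields can still be cut on the indexer side no matter what the script emits; the size check at the end flags that case.

```python
"""Added example, not code from the Qualys Add-on for Splunk.

Parses a constructed Qualys host-detection style XML fragment, keeps the
full multi-line RESULTS text, strips HTML from a constructed SOLUTION
field, and renders one key="value" line per detection for Splunk.
"""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample shaped like a Qualys host detection record (assumption).
SAMPLE_DETECTION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST>
  <ID>12345</ID>
  <IP>10.0.0.5</IP>
  <DETECTION_LIST>
    <DETECTION>
      <QID>38170</QID>
      <TYPE>Confirmed</TYPE>
      <PORT>443</PORT>
      <PROTOCOL>tcp</PROTOCOL>
      <SSL>1</SSL>
      <STATUS>Active</STATUS>
      <RESULTS><![CDATA[Certificate #0 CN=example.internal
Valid until: 2019-01-01
Signature algorithm: sha1WithRSAEncryption
Key size: 1024]]></RESULTS>
      <FIRST_FOUND_DATETIME>2019-03-01T10:00:00Z</FIRST_FOUND_DATETIME>
      <LAST_FOUND_DATETIME>2019-03-05T10:00:00Z</LAST_FOUND_DATETIME>
    </DETECTION>
  </DETECTION_LIST>
</HOST>
"""

# Constructed sample shaped like a Qualys KnowledgeBase SOLUTION field (assumption).
SAMPLE_SOLUTION_HTML = (
    "<P>Upgrade to the latest version. See the vendor advisory "
    '<A HREF="https://example.com/advisory" TARGET="_blank">here</A>.'
    "</P>\n<P>Workaround:&nbsp;disable the service &amp; restrict access.</P>"
)

DETECTION_FIELDS_TO_LOG = ["QID", "TYPE", "PORT", "PROTOCOL", "SSL", "STATUS",
                           "FIRST_FOUND_DATETIME", "LAST_FOUND_DATETIME", "RESULTS"]


class _TextExtractor(HTMLParser):
    """Collect text nodes; optionally append each link's href as 'text (url)'."""

    def __init__(self, keep_links):
        super().__init__(convert_charrefs=True)  # &amp; / &nbsp; become characters
        self.keep_links = keep_links
        self.parts = []
        self._href = None

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag/attr names
        if tag == "a" and self.keep_links:
            self._href = dict(attrs).get("href")
        elif tag in ("p", "br", "li", "div"):
            self.parts.append(" ")  # block tags become a word boundary

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.parts.append(" (%s)" % self._href)
            self._href = None
        elif tag in ("p", "li", "div"):
            self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)


def strip_html(text, keep_links=True):
    """Return the visible text of an HTML fragment with whitespace collapsed."""
    parser = _TextExtractor(keep_links)
    parser.feed(text)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def parse_detections(xml_text, fields=DETECTION_FIELDS_TO_LOG, max_len=None):
    """One dict per DETECTION with the full text of each field.

    max_len=None means no truncation; an int caps long values and appends a
    visible marker so a cut is obvious in Splunk instead of silent.
    """
    root = ET.fromstring(xml_text)
    host_ip = root.findtext("IP", default="")
    records = []
    for det in root.iter("DETECTION"):
        rec = {"HOST_IP": host_ip}
        for name in fields:
            value = det.findtext(name)  # CDATA content is returned whole
            if value is None:
                continue
            value = value.strip()
            if max_len is not None and len(value) > max_len:
                value = value[:max_len] + "...[truncated]"
            rec[name] = value
        records.append(rec)
    return records


def to_splunk_kv(record):
    """Render key="value" pairs on one line: quotes/backslashes are escaped and
    embedded newlines become a literal \\n so Splunk does not split the event."""
    parts = []
    for key, value in record.items():
        escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        parts.append('%s="%s"' % (key, escaped))
    return " ".join(parts)


def exceeds_splunk_truncate(event_line, limit=10000):
    """True if the event is longer than Splunk's default props.conf TRUNCATE (bytes)."""
    return len(event_line.encode("utf-8")) > limit


def build_events(xml_text=SAMPLE_DETECTION_XML, solution_html=SAMPLE_SOLUTION_HTML):
    """Join the stripped SOLUTION onto each detection and render Splunk events."""
    solution = strip_html(solution_html)
    return [to_splunk_kv(dict(rec, SOLUTION=solution)) for rec in parse_detections(xml_text)]


if __name__ == "__main__":
    for event in build_events():
        print(event, "| over TRUNCATE:", exceeds_splunk_truncate(event))
```

The HTML stripping goes through html.parser rather than a regex so that entities such as `&amp;` and `&nbsp;` are decoded and unbalanced tags do not swallow text; keeping the href next to the anchor text preserves the advisory links the analysts actually need once the tags are gone.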