Splunk Search

How to put 4 fields in a table view when some fields contain long sentences, so the table view is disorganized?

karu0711
Path Finder

I use the mvzip command:

index=main sourcetype="ms.356"
| eval nested_payload=mvzip(mvzip(flaw, solution),answer)
| eval nested_payload=split(nested_payload,"--")
| eval flaw=mvindex(nested_payload,0)
| eval solution=mvindex(nested_payload,1)
| eval answer=mvindex(nested_payload,2)
| table flaw solution answer

When I use the above command I get all 3 field values in the flaw field, separated by commas, instead of in their own fields.
What am I doing wrong?


ITWhisperer
SplunkTrust

The default separator inserted by the mvzip command is a comma, so try splitting by comma:

| eval nested_payload=split(nested_payload,",")

karu0711
Path Finder

But when I use "," it splits my value wherever "," appears.

My values contain commas, and I don't want to split on those commas. I only want to split between the different fields.


ITWhisperer
SplunkTrust

Use a delimiter that doesn't appear in your fields, for example:

| eval nested_payload=mvzip(mvzip(flaw, solution,"#"),answer,"#")
| eval nested_payload=split(nested_payload,"#")


karu0711
Path Finder
index=main sourcetype="ms.356"
| eval nested_payload=mvzip(flaw, solution, "--")
| mvexpand nested_payload
| eval flaw=mvindex(split(nested_payload,"--"),1)
| eval solution=mvindex(split(nested_payload,"--"),0)
| eval nested_payload=mvzip(answer, COE, "--")
| mvexpand nested_payload
| eval answer=mvindex(split(nested_payload,"--"),1)
| eval COE=mvindex(split(nested_payload,"--"),0)
| table flaw solution answer COE

karu0711
Path Finder

When I use the above SPL I get the fields separately, but my flaw and answer field values are repeating: the first value is repeated for all rows.


ITWhisperer
SplunkTrust

Please can you share an anonymised sample of the log you are trying to extract from?


karu0711
Path Finder
Found 2 issues of Low severity.
CWE-209: Information Exposure Through an Error Message: tiles/error/errorUncaughtMessage.jsp:9
Details: <span> The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other 
details such as the names and versions of the application container and associated components.  This information can be useful in executing other attacks 
and can also enable the attacker to target known vulnerabilities in application components. </span> <span>Ensure that error codes or other messages 
returned to end users are not overly verbose.  Sanitize all messages of any sensitive information that is not absolutely necessary.</span> 
<span>References: <a href="https://cwe.mitre.org/data/definitions/209.html">CWE</a></span>
https://downloads.veracode.com/securityscan/cwe/v4/java/209.html
CWE-245: J2EE Bad Practices: Direct Management of Connections: edu/ufl/osg/webmail/prefs/DBPrefsPlugIn.java:172
Details: <span>This call to getConnection() fails to use the J2EE container's resource management facilities as required by the J2EE standard.</span> 
<span>Request the connection from the container rather than attempting to access it directly.</span> <span>References: <a href="https://cwe.mitre.org/data/definitions/245.html">CWE</a></span>
https://downloads.veracode.com/securityscan/cwe/v4/java/245.html

ITWhisperer
SplunkTrust

It is not clear from this which field is flaw, solution and answer. Please can you show the results of

| table flaw solution answer

for these events?


karu0711
Path Finder

Flaw field

The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other 
details such as the names and versions of the application container and associated components.  This information can be useful in executing other attacks 
and can also enable the attacker to target known vulnerabilities in application components.

Solution field

Ensure that error codes or other messages 
returned to end users are not overly verbose.  Sanitize all messages of any sensitive information that is not absolutely necessary

Answer field

https://cwe.mitre.org/data/definitions/209.html

ITWhisperer
SplunkTrust

So, none of this text includes a hash (#), so use that as your delimiter on the mvzip and split commands (as I suggested earlier).

karu0711
Path Finder

It is still putting the fields together. But when I use the SPL below it separates the fields as I want, except that the first two fields repeat the first event's field values. Why is this happening?

index=main sourcetype="ms.356"
| eval nested_payload=mvzip(flaw, solution, "--")
| mvexpand nested_payload
| eval flaw=mvindex(split(nested_payload,"--"),1)
| eval solution=mvindex(split(nested_payload,"--"),0)
| eval nested_payload=mvzip(answer, COE, "--")
| mvexpand nested_payload
| eval answer=mvindex(split(nested_payload,"--"),1)
| eval COE=mvindex(split(nested_payload,"--"),0)
| table flaw solution answer COE

ITWhisperer
SplunkTrust

Because that's how mvexpand works: it duplicates all the fields that are not being expanded.

karu0711
Path Finder

What I am trying to accomplish here is getting all the event values in the same row. When I use the table command there is no row separation between events. Is there any way I can accomplish this without using mvzip or mvexpand? The fields also need to be searchable from a dashboard.


ITWhisperer
SplunkTrust

Something like this?

| eval joined=mvappend(flaw,solution,answer)
| eval joined=mvjoin(joined,"
")

karu0711
Path Finder

Which query do I use this with?


ITWhisperer
SplunkTrust
index=main sourcetype="ms.356"
| eval joined=mvappend(flaw,solution,answer,COE)
| eval joined=mvjoin(joined,"
")
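Added example, not part of the thread and not code from either participant: the two-stage mvzip/mvexpand search posted earlier repeats flaw and solution because the second mvexpand copies every field that is not being expanded, as explained above. Zipping all four fields into one payload and expanding once gives one row per finding with no duplication. The first search below does that, using the hash delimiter suggested in the thread; the second is the mvappend/mvjoin form from the last reply, which keeps every finding in one row with line breaks. Both start from constructed sample data built with makeresults and split, so they run without the ms.356 sourcetype; the flaw and solution strings are shortened, constructed paraphrases of the page's two findings, and one deliberately contains a comma to show why the default mvzip separator would split it in the wrong place.

```spl
| makeresults
| eval flaw=split("JspWriter.print() may expose application container details;getConnection() bypasses the J2EE container resource management", ";")
| eval solution=split("Keep error messages terse, and sanitize sensitive information;Request the connection from the container", ";")
| eval answer=split("https://cwe.mitre.org/data/definitions/209.html;https://cwe.mitre.org/data/definitions/245.html", ";")
| eval COE=split("CWE-209;CWE-245", ";")
| eval nested_payload=mvzip(mvzip(mvzip(flaw, solution, "#"), answer, "#"), COE, "#")
| mvexpand nested_payload
| eval flaw=mvindex(split(nested_payload, "#"), 0)
| eval solution=mvindex(split(nested_payload, "#"), 1)
| eval answer=mvindex(split(nested_payload, "#"), 2)
| eval COE=mvindex(split(nested_payload, "#"), 3)
| table flaw solution answer COE

| makeresults
| eval flaw=split("JspWriter.print() may expose application container details;getConnection() bypasses the J2EE container resource management", ";")
| eval solution=split("Keep error messages terse, and sanitize sensitive information;Request the connection from the container", ";")
| eval answer=split("https://cwe.mitre.org/data/definitions/209.html;https://cwe.mitre.org/data/definitions/245.html", ";")
| eval COE=split("CWE-209;CWE-245", ";")
| eval joined=mvjoin(mvappend(flaw, solution, answer, COE), "
")
| table joined
```

The first search returns two rows, one per CWE, with every column populated from the same finding; the comma inside the solution text survives because nothing is split on ",". The second search returns a single row whose joined cell lists all eight values on separate lines. Two practical caveats when applying this to real events: the mvzip positions only line up when all four multivalue fields have the same number of values per event, so a missing solution or COE in one finding shifts every later value into the wrong column, and mvexpand is subject to the max_mem_usage_mb limit in limits.conf, so very large multivalue fields can be silently truncated with a warning in the search log.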