Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract just one field from a log when there are multiple that carry the same attribute name? - Regular Expression

evang_26
Communicator
‎02-16-2015 09:15 AM

Hi all,

I am filtering some logs came from Nessus in order to identify vulnerable machines based on their OS, and the issue I have is when a host's OS is not adequately identified resulting in many "os" fields. An example is the below:

start_time="Mon Feb 16 03:56:07 2015"
end_time="Mon Feb 16 03:57:42 2015"
os="Microsoft Windows 2000" os="Microsoft Windows XP for Embedded Systems" os="Microsoft
Windows XP"

The query that I created for that (which only works sufficiently when 1 OS is found) is the following:

sourcetype=nessus severity!=informational  | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*)\""

What I would like ideally to do, is to just find a way to filter out the " (double quote" symbol from within the extracted field. This is because apart from Windows machines, there are other printers and access points that are interpreted as many other mixed OSs.

So, it should be something like this:

sourcetype=nessus severity!=informational  | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*[^\"])\""

but it doesn't work.

Any thoughts?

Regards,
Evang

Update:

Hi MuS,

Okay, here we are.

I guess I haven't stated my problem correctly. I do not want to remove the double quotes, actually, I want to only keep the first occurence of OS field in the rare cases that more than one appears!

Here is what I managed to do with sed, but I am not there quite yet.

sourcetype=nessus severity!=informational earliest=-5w@w1 latest=now|rex field=os mode=sed "s/.*\(os=\"[^\"]*\"\).*$/\1/g" | rex ".*os=\"(?P<OS>.*)\"\s.*\""

Any suggestions? 🙂

Regards,
Evang

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎02-16-2015 10:19 AM

Hi evang_26,

Okay after reading the update, it makes sense, try this:

sourcetype=nessus severity!=informational  | rex max_match=1 "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>[\w+\s]+)\"

This will match only one occurrence for each field in the regex

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-16-2015 04:05 PM

Can you add an example of how you would like the output to look like?
The solution provided by MuS would give you the output without any double quotes, but its not really clear if thats what your intention is or if you would like to create a multivalue field with all the different OS's added.

0 Karma
Reply
Solved! Jump to solution

evang_26
Communicator
‎02-17-2015 03:17 AM

Hi ramdaspr,

To be honest, as I stated on MuS's answer, my problem wasn't sufficiently clarified. I want to keep just the first occurrence of OS field in case there are more than one. This way, the dashboard want look overwhelmed by huge tags, will look prettier and in fact, Nessus orders OS guesses based on probability.

Look below MuS's answer my comment and my attempt.

Regards,
Evang

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎02-16-2015 10:19 AM

Hi evang_26,

Okay after reading the update, it makes sense, try this:

sourcetype=nessus severity!=informational  | rex max_match=1 "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>[\w+\s]+)\"

This will match only one occurrence for each field in the regex

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

evang_26
Communicator
‎02-17-2015 03:14 AM

Hi MuS,

Okay, here we are.

I guess I haven't stated my problem correctly. I do not want to remove the double quotes, actually, I want to only keep the first occurence of OS field in the rare cases that more than one appears!

Here is what I managed to do with sed, but I am not there quite yet.

sourcetype=nessus severity!=informational earliest=-5w@w1 latest=now|rex field=os mode=sed "s/.*\(os=\"[^\"]*\"\).*$/\1/g" | rex ".*os=\"(?P<OS>.*)\"\s.*\""

Any suggestions? 🙂

Regards,
Evang

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎02-17-2015 03:26 AM

Okay, now it makes sense, try this:

sourcetype=nessus severity!=informational  | rex max_match=1 "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>[\w+\s]+)\"

This will match only one occurrence for each field in the regex

Reply
Solved! Jump to solution

evang_26
Communicator
‎02-17-2015 04:23 AM

Hi MuS,

It worked perfectly!

Thanks you very much!

Regards,
Evang

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎02-17-2015 04:35 AM

you're welcome, I've updated your question and my answer so it makes sense 😉

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-16-2015 10:17 AM

You were so close. Try this.

... | rex "start_time=\"(?P<start>.*)\"\send.*\sos=\"(?P<OS>[^\"]*?)\""
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

evang_26
Communicator
‎02-17-2015 02:58 AM

Hi richgallowway,

I already tried this, placing the [] in front and on the end, no luck.

Regards,
Evang

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...