Solved: Making a delimited multivalue field using props an...

Robbie1194 · ‎09-05-2017

Hi Guys,

I'm using the qualys TA to extract VM data and I'm having some issues with making a multi value field out of the "cve" field qualys use.

My "cve" field has values like:

"CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997"
OR
"CVE-2013-1346"
OR
"CVE-2015-2808, CVE-2013-2566"

My goal is to make it when I search for a single CVE (such as CVE-2017-3000), hosts with that cve will be shown. However, currently it will only show the host if my search matches the full value for the cve field which could be over 20 cve values. (Sorry if that doesn't make sense, It's quite hard to explain without visualisations but I've not got enough karma to upload pictures.)

I want to use transforms and props to configure this extraction at search time. I have my regex working to capture each individual CVE.

I've been trying for a while now to no avail, could someone please show me what my transforms and props needs? Currently I have...

props.conf

[qualys:hostDetection]
REPORT-cve = mv-cve

transforms.conf

[mv-cve]
REGEX = cve=(?CVE-\d+-\d+) (I've tried this line without the "cve=" but it shows an example with it in the docs)
FORMAT = cve::$1 (I don't fully understand what this line is doing, I don't think the docs are very clear)
MV_ADD= true

Any help would be greatly appreciated, cheers.

woodcock · ‎09-10-2017

Here is a nifty trick for cases like that that avoids creating a multivalue field (an approach that over-complicates things and can create other problems):

|makeresults | eval raw="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997::CVE-2013-1346::CVE-2015-2808, CVE-2013-2566"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| eval cve=_raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| search CVE-2017-3000
| rename COMMENT AS "This has all the potential matches"
| where mvcount(split(cve, "CVE-2017-3000"))=2
| rename COMMENT AS "Now you have all the real matches"

The nice thing about this is that if you can use either a string literal inside the split command or a field name!

View solution in original post

woodcock · ‎09-10-2017

Here is a nifty trick for cases like that that avoids creating a multivalue field (an approach that over-complicates things and can create other problems):

|makeresults | eval raw="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997::CVE-2013-1346::CVE-2015-2808, CVE-2013-2566"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| eval cve=_raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| search CVE-2017-3000
| rename COMMENT AS "This has all the potential matches"
| where mvcount(split(cve, "CVE-2017-3000"))=2
| rename COMMENT AS "Now you have all the real matches"

The nice thing about this is that if you can use either a string literal inside the split command or a field name!

prabhasgupte · ‎09-07-2017

Can this be of any help to you? Replace the CVE with input token or change it to whichever you are searching for.
eventtype="qualys_vm_detection_event" cve=*CVE-2016-5554* | dedup 1 HOST_ID, QID | table HOST_ID, IP, QID, cve

Change the query as per your need.

somesoni2 · ‎09-05-2017

Have a look at these

https://wiki.splunk.com/Community:Comma-Separated_Multi-Value_Field_Extraction_In_Single-line_Event
https://answers.splunk.com/answers/112311/multi-value-field-extraction.html

Robbie1194 · ‎09-06-2017

Hi somesoni2,

Thanks for the links but I've already looked at them and they didn't help too much. I don't really understand why my configs aren't working! :'(

Making a delimited multivalue field using props and transforms - qualys TA

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!