I need to extract cveid, cvss, vulnerability number, etc.
here is my log:
......
cveid="1234"
cvss= "abcd"
.........
cveid="34"
cvss= "abdfd"
.........
cveid="153534"
cvss= "abgdd"
.........
cveid="122344"
cvss= "adfscd"
.....................................
and much more further on, all in one event.
thank you for your help
@sphc, since you have upvoted both answers, requesting you to accept the one which you are using.
The easiest way to do this is:
|makeresults | eval _raw="cveid=\"1234\"
cvss= \"abcd\"
cveid=\"34\"
cvss= \"abdfd\"
cveid=\"153534\"
cvss= \"abgdd\"
cveid=\"122344\"
cvss= \"adfscd\""
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex mode=sed "s/\s*=\s*/=/g"
| kv mv_add=t
Then you can use mvzip to join them together and mvexpand to create separate events with joined pairs (if that is what you need).
As long as every cveid has a corresponding cvss, you can try the following approach.
PS: The first two pipes, i.e. makeresults and eval, are there to mock data as per your question; you need to plug in the commands from rex onward into your existing base search:
| makeresults
| eval _raw="......
cveid=\"1234\"
cvss= \"abcd\"
.........
cveid=\"34\"
cvss= \"abdfd\"
.........
cveid=\"153534\"
cvss= \"abgdd\"
.........
cveid=\"122344\"
cvss= \"adfscd\""
| rex "cveid=\"(?<cveid>[^\"]+)\"" max_match=0
| rex "cvss=\s\"(?<cvss>[^\"]+)\"" max_match=0
| table cveid cvss
| mvexpand cvss
| eval counter=1
| accum counter
| eval cveid=mvindex(cveid,counter-1)
| fields - counter
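A stand-alone check of the pairing the search above relies on, added here as an example that is not from the original thread or from Splunk: a Python parser for the same event shape that pairs each cvss with the cveid immediately before it and reports any block where one of the two is missing, whereas the positional mvindex pairing would silently shift every later pair. The sample event is constructed to match the question.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample event shaped like the one in the question (not real data).
SAMPLE_EVENT = """......
cveid="1234"
cvss= "abcd"
.........
cveid="34"
cvss= "abdfd"
.........
cveid="153534"
cvss= "abgdd"
.........
cveid="122344"
cvss= "adfscd"
....................................."""

# Same shape the SPL rex extracts: key, optional whitespace around '=',
# a double-quoted value; findall returns every match in document order.
KV_RE = re.compile(r'\b(cveid|cvss)\s*=\s*"([^"]*)"')


def extract_pairs(event: str) -> Dict[str, List[Tuple[str, str]]]:
    """Pair each cvss with the cveid that precedes it in the event.

    The Splunk search pairs by position (mvindex(cveid, counter-1)), which
    is only right when every block carries both fields. Pairing by
    adjacency lets a block with a missing field be reported as an orphan
    instead of silently shifting every later pair.
    """
    pairs: List[Tuple[str, str]] = []
    orphans: List[Tuple[str, str]] = []
    pending = None  # cveid seen but not yet matched to a cvss
    for key, value in KV_RE.findall(event):
        if key == "cveid":
            if pending is not None:
                orphans.append(("cveid", pending))
            pending = value
        elif pending is None:
            orphans.append(("cvss", value))
        else:
            pairs.append((pending, value))
            pending = None
    if pending is not None:
        orphans.append(("cveid", pending))
    return {"pairs": pairs, "orphans": orphans}
```

Calling `extract_pairs(SAMPLE_EVENT)` returns the four (cveid, cvss) tuples from the sample and an empty orphan list; a non-empty orphan list is the signal that the positional SPL approach would mis-pair that event.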
Which value belongs to which field in your log?
The log looks like:
......
cveid="1234"
cvss= "abcd"
.........
cveid="34"
cvss= "abdfd"
.........
cveid="153534"
cvss= "abgdd"
.........
cveid="122344"
cvss= "adfscd"
and so on