Solved: Rex extraction of fields

leagawa · ‎12-07-2017

I have the following CVE results form a vulnerability report and would like to extract the CVEs to individual CVEs on a separate field.

ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737

please assist on how to extract using REX and dump the indivual CVEs like CVE-2017-8708 and so on to a separate field

niketn · ‎12-07-2017

@leagawa, try the following run anywhere search based on your sample data:

| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "(?<CVE>CVE[^C]+)" max_match=0
| mvexpand CVE
| table CVE
| eval CVE=rtrim(CVE,"-")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

leagawa · ‎12-08-2017

Thank you all for the quick response. All the above REGEX worked but the one that gave me the exact results that i needed was the second andswer. I was able to replace the eval _raw with other fields where the data resided in other formats and still got the CVE-- extracted.

woodcock · ‎12-07-2017

Like this:

| makeresults
 | eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
 | eval CVE=split(_raw, "CVE-")
 | eval CVE=mvfilter(NOT match(CVE, "^ADV\d+-"))
 | rex field=CVE mode=sed "s/-$//"

harsmarvania57 · ‎12-07-2017

Hi @leagawa,

You can try this regex -(?<CVE>[^-]*\-[^-]*\-[^-]*) so based on sample data which you have provided I have created below query, first 2 lines are used to generate dummy data.

 | makeresults
 | eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
 | rex "-(?<CVE>[^-]*\-[^-]*\-[^-]*)" max_match=0
 | table CVE
 | mvexpand CVE

niketn · ‎12-07-2017

@leagawa, try the following run anywhere search based on your sample data:

| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "(?<CVE>CVE[^C]+)" max_match=0
| mvexpand CVE
| table CVE
| eval CVE=rtrim(CVE,"-")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Rex extraction of fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases