Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

merge fields

skhedim
Explorer
‎03-27-2018 06:49 AM

Hello,

I'm new to the splunk universe, and I need to create a dashboard listing the CVEs (security holes) of a Docker image.

I think my need is feasible via splunk, but I don't know how to proceed. I'll try to go into as much detail as I can.

First of all, I get all these informations for scanning an image in splunk (example: debian)

alt text

I would like to process this information to get a dashboard similar to this one:
https://anchore.io/image/dockerhub/2b98c9851a37e18356abe407922726dc35c370f7cee76f435f94ee92950b4493?...

First, I would like to list all CVE line by line as on the website above. But when I try to do that, I get that result:

alt text

I have a column scrolling around the field with its number, and all this information is on one line. I would like all vulnerabilities_*_vuln fields to be "merged" into a single CVE field, in order to have the same result as on the anchore.io site above

Is it possible via splunk to get this result?

Thank you in advance,

Sincerely.

Tags (3)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-27-2018 03:38 PM

Try like this

index="poc_anchor" "imagetag=docker.io/debian:latest
| fields index vulnerabilities_*
| untable index attribute value
| rex field=attribute "vulnerability_(?<VulnID>\d+)_(?<name>\w+)"
| chart values(value) over VulnID over name
| table vuln severity package fix url
| rename vuln as "CVE ID" severity as "Severity" package as "Vulnerable Package" fix as "Fix Available" url as "URL"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-27-2018 03:38 PM

Try like this

index="poc_anchor" "imagetag=docker.io/debian:latest
| fields index vulnerabilities_*
| untable index attribute value
| rex field=attribute "vulnerability_(?<VulnID>\d+)_(?<name>\w+)"
| chart values(value) over VulnID over name
| table vuln severity package fix url
| rename vuln as "CVE ID" severity as "Severity" package as "Vulnerable Package" fix as "Fix Available" url as "URL"
0 Karma
Reply
Solved! Jump to solution

skhedim
Explorer
‎03-28-2018 02:11 AM

thanks for the answer, I think it's very close to what I want, though it doesn't return anything. I don't understand the untable line. once I launched the untable line I couldn't do anything in return. Do you know what the problem might be?

0 Karma
Reply
Solved! Jump to solution

skhedim
Explorer
‎03-28-2018 06:00 AM

It's working!

I hadn't seen it but it was just missing "ies" at the end of vulnerabilities here:

rex field=attribute "vulnerabilit*ies*(?\d+)(?\w+)"

That's exactly what I wanted, thanks again!

See you later

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-28-2018 04:15 AM

What all fields do you get when younrun below query?

index="poc_anchor" "imagetag=docker.io/debian:latest
 | table index vulnerabilities_*

After adding `| unstable index attribute value´ to above you should get a table with 3 columns index attribute value

Reply
Solved! Jump to solution

skhedim
Explorer
‎03-28-2018 12:36 AM

Hi,

thanks for your quick answers!

I'm going to clarify what I want to reproduce, I want to get this table with the same columns based on the fields vulnerabilities_x_fix, vulnerabilities_x_vuln, etc.. I want to list every _vuln vulnerability on one line and the same with _fix, etc.

alt text

I think somesoni2's answer is very close to what I want. But I get an error Error in'chart' command: Invalid argument:'over'. if I replace the second over with "by" I have no more error but no result is displayed.

I also tried the JDukeSplunk solution, I get a table, but with only one line.

Do you have any other ideas? Thank you again.

Sincerely.

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎03-27-2018 11:02 AM

Okay so you need to extract the vulnerabilities_*_vuln in one field . and then expand it .
can you share one sample event?

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎03-27-2018 10:38 AM

You might want to eval, coalesce. I don't know if this will work..Just spitballing here. You'll have to fill in the additional fields in the eval statements if this works.

index="poc_anchor" "imagetag=docker.io/debian:latest
| eval "vulnerabilities"=coalesce(vulnerabilities_0_vuln,vulnerabilities_10_vuln,vulnerabilities_11_vuln)
| eval "severity"=coalesce(vulnerabilities_0_severity,vulnerabilities_10_severity,vulnerabilities_11_severity)
|stats list(vulnerabilities) as vulnerabilities by severity

Another option would be to create a more generic field extraction with a single name that captures all the CVE-\d+-\d+-\d+- patterns.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...