|
I have some data that is displaying line breaks as "\n". I'm having problems writing rex commands in searches to strip those out. For example, I have the following: Linux Kernel 2.4\nLinux Kernel 2.6\n I would like rex to return: Linux Kernel 2.4 I've tried things like [\w\s\d.()-\,]+ and [^\]+. I've tried putting (\n) and (\\n) after the (?P<...>) field extraction. Help? Sorry to be so noobish. Craig |
|
If you're doing it at search time using rex in the SplunkWeb interface, you need to quote the You would not need to do this nested quoting in a config file. You would probably need to do it in the Unix shell, though you might quote it differently. On the standard Windows cmd shell, the quoting rules are unclear, but you probably don't need to quote I've tried using the command you sent me and I'm failing to make it work. Here is the search: sourcetype="nessus" nessus_id=11936 | eval "s/\\n/\n/g" mode=sed | rex field=_raw "(?i)Remotesoperatingssystems:s(?P<operating_system>[ws\d.()-,]+)ConfidencesLevels:s(?P<confidence>d+)" | rex field=operating_system max_match=10 "(?i)(?P<operating_system>[^\]+)" | table dest_ip,operating_system,confidence
(28 Jan '11, 02:47)
jambajuice
Here is what the raw event looks like: nSynopsis :nnIt is possible to guess the remote operating systemnnDescription :nnUsing a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) nit is possible to guess the name of the remote operating system in use, andnsometimes its versionnnSolution :nnN/AnnRisk factor :nnNonennPlugin output :nnRemote operating system : Linux Kernel 2.4nLinux Kernel 2.6nConfidence Level : 59nMethod : SinFPnn nThe remote host is running one of these operating systems : nLinux Kernel 2.4nLinux Kernel 2.6nn
(28 Jan '11, 02:47)
jambajuice
oops. that should be
(28 Jan '11, 03:10)
gkanapathy ♦
|
