Hi Guys,
I'm having some issues making my multi-value field work as I would like.
My "cve" field has values like:
"CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997"
OR
"CVE-2013-1346"
OR
"CVE-2015-2808, CVE-2013-2566"
My goal is to make it so that when I search for a single CVE (such as CVE-2017-3000), hosts with that CVE will be shown. However, currently it will only show the host if my search matches ALL of the CVE values for that host.
I want to use transforms and props to configure this delimited extraction at search time on the "," separating all my CVEs.
I've been trying for a while now to no avail; could someone please show me what my transforms and props need? Currently I have...
props.conf
REPORT-type = cve_separated
transforms.conf
[cve_separated]
DELIMS = ","
FIELDS = cve
MV_ADD = true
Any help would be greatly appreciated, cheers.
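As an added example (not part of the original post), this is the REGEX-based form of a search-time multi-value extraction in Splunk: rather than splitting on the delimiter, the transform captures each CVE identifier and, with MV_ADD, appends every match as another value of the field. The stanza name `[my_sourcetype]` is a placeholder for the sourcetype these hosts are indexed under, and the pattern assumes the identifiers appear literally in the raw event text.

```ini
# props.conf
# [my_sourcetype] is an assumption: use the sourcetype (or source/host) stanza
# that the events with the "cve" list belong to.
[my_sourcetype]
REPORT-cve = cve_separated

# transforms.conf
[cve_separated]
# One capture group per CVE identifier. The regex is applied repeatedly to the
# event, and because MV_ADD is true each match becomes an additional value of
# "cve" instead of the whole comma-separated string being a single value.
REGEX = (CVE-\d{4}-\d{4,})
FORMAT = cve::$1
MV_ADD = true
```

To check that the field is now multi-valued, run a search such as `sourcetype=my_sourcetype | eval n=mvcount(cve) | table host cve n` and confirm `n` is greater than 1 for hosts with several CVEs; a search like `cve=CVE-2017-3000` then matches any host where one of the values equals that ID. Two caveats: the regex runs against the whole event, so a CVE ID appearing elsewhere in the event will also be captured (anchor the pattern to the surrounding text if that matters); and if `cve` is already being extracted as one comma-joined string by another extraction, MV_ADD appends the individual IDs to that existing value, so give the transform a different field name in FORMAT if you want only the individual IDs.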