Find Strings after separator (comma)

Hello

I’m trying to find the texts after comma “,” in a file. Here is my sample output:

/app/tomcat/apache-tomcat-7.0.70/webapps/mmc-console-3.8.5/WEB-INF/lib/log4j-core-2.1.jar,Implementation-Version: 2.1

I want the texts after comma “,”. In the above example, it’s the implementation version. Could someone help with the relevance expression?

Regards,
Sudarshan.

following texts of first “,”

1 Like

Thank you so much @nicksberger it works.

@JasonWalker @jgstew

I need help in Web Reports to create line breaks. I’m trying to produce log4j results through Web Reports.
I have two properties:

  1. First one shows the log4j library path.
  2. Second one shows the Implementation version.

When I have the columns in the screenshot below, I get multiple results in the same column when a server has multiple log4j libraries.

image

If I expand the columns, my output is duplicated multiple times. I would like to have each file path and Implementation version on separate lines. Could you help me?

image

This is the sample output:

I believe there is an additional property to the Analysis that would show this, look for something like ‘result details’ in the Analysis.

Sure, I couldn’t see ‘result details’ in the analysis. It only has the options to “view as list and view as summary”.
Do you have any links on where to find that property?

I mean to add a column for the “log4j Scan - File Result Details” property from the Analysis. That provides a single line listing the CVE found, the file in which it was found, and the version of Log4j that was found in the file.

Any time you expand two properties with multiple results, you’ll get a set of every instance of Property1 duplicated into every instance of Property2. There’s nothing in Web Reports to tie the two properties together, they are independent, even if they are properties from the same Analysis. For example you’d see them all duplicated again if you expanded the “IP Address” property into separate rows for a computer that had two IP addresses.

Oh, sorry, I misunderstood, I thought you were using our Log4j scan and analysis from the “BES Inventory and License” site. I didn’t realize these are all custom properties that you are building.

Yes, if you need to maintain the relationship between multiple things like “Implementation-Version” and the filename using that version, you have to create a property that returns both parts as a single result. You could look to our “Application Information (Windows)” Analysis for an example like that, where we retrieve a DisplayName and DisplayVersion for applications and concatenate them together with “|”

In your case, the “Implementation-Version” and “FilePath” would be a single result in one column. If you want to split them into separate columns later, you’d need to do that on the Excel side, or in a completely-custom Web Report where you can provide your own session relevance to split the values.
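The pairing problem described above, as an added example that is not part of the original posts: it contrasts expanding two independent multi-valued properties (every path paired with every version) with splitting one combined result per jar. The function names, the host name `srv01`, the second sample line and the idea of post-processing exported results in Python are assumptions made for illustration.

```python
from itertools import product

# Marker separating the jar path from the version in the combined result,
# taken from the sample line in the first post.
SEP = ",Implementation-Version:"

def split_result(line):
    """Split one combined result into (jar_path, version).

    Splits on the last occurrence of the marker, so a comma inside the
    path does not truncate it. Returns None when the marker is absent.
    """
    path, marker, version = line.rpartition(SEP)
    if not marker:
        return None
    return path, version.strip()

def rows_from_combined(computer, results):
    """One row per jar: the path/version pairing travels inside each result."""
    rows = []
    for result in results:
        pair = split_result(result)
        if pair is not None:
            rows.append((computer, *pair))
    return rows

def rows_from_independent(computer, paths, versions):
    """What expanding two separate multi-valued properties produces:
    every path combined with every version, correct pairing lost."""
    return [(computer, p, v) for p, v in product(paths, versions)]

# First line is the sample from the first post; the second is constructed
# (note the comma inside its path).
COMBINED = [
    "/app/tomcat/apache-tomcat-7.0.70/webapps/mmc-console-3.8.5/WEB-INF/lib/"
    "log4j-core-2.1.jar,Implementation-Version: 2.1",
    "/opt/demo,app/lib/log4j-core-2.16.0.jar,Implementation-Version: 2.16.0",
]

if __name__ == "__main__":
    for row in rows_from_combined("srv01", COMBINED):
        print(row)
```

With two jars on one host, the combined property yields two correctly paired rows, while the independent expansion yields four, two of which attribute a version to the wrong jar.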

Thank you @JasonWalker. It makes sense. Thank you for explaining in detail.

Thank you @JasonWalker

We tried the BigFix API to get the path values and version. We get the path and version from the custom properties.
Log4j-Path - Gives the log4j path
Implementation Version - Gives the version

When I get the Log4j-path, it gives the desired results. I couldn’t get the results if I add the property to get the version “Implementation Version”; it says singular expression refers to nonexistent object. I verified the report that we generate out of it has the computers with the version. Am I missing something?

(name of it, hostname of it, values of results (it, bes property "Log4j-Path"), values of results (it, bes property "Site"), values of results (it, bes property "IP Address"), values of results (it, bes property "OS"), values of results (it, bes property "Last Report Time")) of bes computers

(name of it, hostname of it, values of results (it, bes property "Log4j-2.16"), values of results (it, bes property "Implementation Version"), values of results (it, bes property "Site"), values of results (it, bes property "OS"), values of results (it, bes property "Last Report Time")) of bes computers

<Query Resource="(name of it, hostname of it, values of results (it, bes property “Log4j-2.16”), values of results (it, bes property “Implementation Version”), values of results (it, bes property “Site”), values of results (it, bes property “OS”), values of results (it, bes property “Last Report Time”)) of bes computers">

Singular expression refers to nonexistent object.

That implies you’re calling something in a singular way, which must have exactly one result. Plural result would give you a different message, so it sounds like you’re calling for something that doesn’t exist…

All your ‘values of results’ are plurals, so that won’t trigger the message. What’s left are

bes property "Log4j-2.16"
bes property "Implementation Version"
bes property "Site"
bes property "OS"
bes property "Last Report Time"
name
hostname

I know the “Last Report Time” and “OS” Properties exist because they’re built-in. If a computer had not reported its OS then you’d get an error looking for ‘value of result (it, bes property "OS")’ in the singular form, but because you’re using ‘values of results’ a missing value would just drop this computer out of the result set without throwing the error.

Assuming the “Log4j-2.16”, “Implementation Version”, and “Site” properties actually exist, they follow the same lookup pattern. Missing result would discard the computer without throwing an error.

So that leaves “name” and “hostname”. Weird as it may seem, there are cases where a brand-new computer may appear in the server, but has not (yet) reported those values. That’s a frustrating edge-case that only appears sometimes and not other times when running the same query.

The way around it is to use the pipe operator " | " to catch an error and substitute an alternate result when that error occurs. You use it like

name of bes computer | "Not Reported"

So try

(name of it | "Not Reported", hostname of it | "Not Reported", values of results (it, bes property "Log4j-2.16"), values of results (it, bes property "Implementation Version"), values of results (it, bes property "Site"), values of results (it, bes property "OS"), values of results (it, bes property "Last Report Time")) of bes computers

Then, since you’re pulling multiple properties for all computers, I really recommend you read through the posting at Efficient Session Relevance Query for Computer Properties for a pattern for doing that lookup much more efficiently. It’s detailed and lengthy, but very fast, and handles all of the “missing results / duplicate property / property not existing” edge cases.

2 Likes

Thank you @JasonWalker. You are awesome. The link was really helpful.