Getting Data In

make a joint report from two different Hosts in two different sources

sina_shafaei
Explorer

Hey Guys,

I have two different sourcetypes for my search: one of them is nmap.txt (which includes nmap trace results for ports in our subnet across all 254 hosts, like open/closed ports at different time slots, the OS version running on the target host, and obviously the IP address), and the other is the remedy.csv file (which includes data about the IP addresses in the subnet, details such as the name of the user who has/had that IP address, the DNS name, whether that IP is free now or assigned, etc.).

data example in remedy.csv:

IP_Addr="121.180.254.114" User="Sina" Status="assigned" Name="sunvirt01.srv.be"

(...)

data example in nmap.txt:

host starttime="1402600202" endtime="1402601288" status state="up" reason="echo-reply" reason_ttl="63" address addr="121.180.254.114" hostname name="sunvirt01.srv.be" type="PTR" hostnames ports extraports state="filtered" count="985" extrareasons reason="no-responses" count="985" extraports port protocol="tcp" portid="20" state state="Open" service name="ftp-data" port protocol="tcp" portid="443" state state="Open" port protocol="tcp" portid="60443" state state="closed"

(...)

What I need is a table like the one below, using these fields together from the two hosts, like this:

IP              | DNS              | USER | Status (free or not) | Ports (open)
121.180.254.114 | sunvirt01.srv.be | Sina | assigned             | 20,443
121.180.255.104 | sunvirt03.srv.be | Mat  | assigned             | 80,443
....

(I know it doesn't look so good here, but supposed to be in table format)

P.S.: please note that some fields with the same value have different names in the different sources (for example IP_Addr and DNS), and I just need the open ports.

Could anybody please help me with this? I'm a beginner and not very experienced with Splunk.

Thanks in advance

Cheers,

0 Karma

sk314
Builder

Assuming those two files are indexed in Splunk and the fields are extracted:

You could try this:

sourcetype=remedy
| fields IP_Addr Name User Status
| join IP_Addr
    [ search sourcetype=nmap
      | rename addr AS IP_Addr
      | stats list(portid) AS Ports BY IP_Addr ]
| rename Name AS DNS, User AS USER
| table IP_Addr DNS USER Status Ports
0 Karma
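The same join done outside Splunk, as an added example that is not part of this thread (the code is mine, not sk314's and not a Splunk feature): it parses a constructed nmap XML record shaped like the flattened one quoted in the question plus constructed remedy key="value" lines, keeps only the ports whose own state element says open, and left-joins on the IP address so that a free address with no nmap result still appears in the report with an empty port list. The IPs, users and ports are sample data made up for the example.

```python
# Added example, not from the thread: join remedy rows to nmap results on IP,
# keeping only open ports. All input below is constructed sample data.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed nmap XML, shaped like the record quoted in the question.
NMAP_XML = """<nmaprun>
  <host starttime="1402600202" endtime="1402601288">
    <status state="up" reason="echo-reply" reason_ttl="63"/>
    <address addr="121.180.254.114" addrtype="ipv4"/>
    <hostnames><hostname name="sunvirt01.srv.be" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="985">
        <extrareasons reason="no-responses" count="985"/>
      </extraports>
      <port protocol="tcp" portid="20"><state state="open"/><service name="ftp-data"/></port>
      <port protocol="tcp" portid="443"><state state="open"/></port>
      <port protocol="tcp" portid="60443"><state state="closed"/></port>
    </ports>
  </host>
  <host starttime="1402600202" endtime="1402601288">
    <status state="up" reason="echo-reply" reason_ttl="63"/>
    <address addr="121.180.255.104" addrtype="ipv4"/>
    <hostnames><hostname name="sunvirt03.srv.be" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="open"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed remedy.csv lines in the key="value" form quoted in the question.
# The third row is a free IP that nmap has no result for (left-join case).
REMEDY_LINES = [
    'IP_Addr="121.180.254.114" User="Sina" Status="assigned" Name="sunvirt01.srv.be"',
    'IP_Addr="121.180.255.104" User="Mat" Status="assigned" Name="sunvirt03.srv.be"',
    'IP_Addr="121.180.255.200" User="" Status="free" Name=""',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_remedy(lines):
    """Return {ip: {field: value}} from key="value" lines."""
    rows = {}
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if "IP_Addr" in fields:
            rows[fields["IP_Addr"]] = fields
    return rows


def open_ports_by_ip(xml_text):
    """Return {ip: [portid, ...]} with only ports whose <state> is open.

    The state is read per <port> element, so a host that has both open and
    closed ports does not leak its closed ports into the list. The nmap
    sample in the question writes "Open"; comparison is case-insensitive.
    """
    result = defaultdict(list)
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):  # <extraports> is not matched here
            state = port.find("state")
            if state is not None and state.get("state", "").lower() == "open":
                result[ip].append(int(port.get("portid")))
    return dict(result)


def join_report(remedy_rows, ports):
    """Left join on IP: every remedy row appears; Ports is empty when nmap has none."""
    report = []
    for ip in sorted(remedy_rows, key=lambda s: tuple(int(o) for o in s.split("."))):
        r = remedy_rows[ip]
        report.append({
            "IP": ip,
            "DNS": r.get("Name", ""),
            "USER": r.get("User", ""),
            "Status": r.get("Status", ""),
            "Ports": ",".join(str(p) for p in sorted(ports.get(ip, []))),
        })
    return report


def render(report):
    """Render the report as an aligned plain-text table."""
    cols = ["IP", "DNS", "USER", "Status", "Ports"]
    widths = {c: max([len(c)] + [len(row[c]) for row in report]) for c in cols}
    lines = [" | ".join(c.ljust(widths[c]) for c in cols)]
    lines += [" | ".join(row[c].ljust(widths[c]) for c in cols) for row in report]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(join_report(parse_remedy(REMEDY_LINES), open_ports_by_ip(NMAP_XML))))
```

The point to carry back into Splunk: when a whole nmap host record is one event, `portid` and `state` are extracted as multivalue fields on that event, so adding `state="Open"` to the subsearch still returns the event and `list(portid)` still lists its closed ports too. Pairing each port with its own state (for example with `mvzip` and `mvexpand` before the `stats`) is what the per-port loop above does explicitly.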