- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using join to show fields for two sourcetypes in o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to show fields for two sourcetypes in one table. Those two sourcetypes have the same ID field: "plugin_id" and "id". For this reason, I tried to join them with the following search:
...|rename plugin_id as id| table id, host-fqdn, hostname, severity | join id type=left [search index=nessus sourcetype="nessus:plugin"| table id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor] | table host-fqdn, hostname, severity, id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
The failure is that some fields in the Table are just empty.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To better understand this particular Question it is important that it reflects on the intended usage of TA-Nessus.
The Sourcetype nessus:plugin is primarily used to create and maintain several lookup-files with included saved searches. Those searches are not scheduled by default and can be run manually or scheduled as needed.
All requested fields are automatically enriched via lookups to nessus:scan events, if the lookup-files are created or maintained.
So my answer to this question is to run and/or schedule the included saved searches of TA-Nessus and all needed fields will be accessible for nessus:scan events without further Searches using Join.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To better understand this particular Question it is important that it reflects on the intended usage of TA-Nessus.
The Sourcetype nessus:plugin is primarily used to create and maintain several lookup-files with included saved searches. Those searches are not scheduled by default and can be run manually or scheduled as needed.
All requested fields are automatically enriched via lookups to nessus:scan events, if the lookup-files are created or maintained.
So my answer to this question is to run and/or schedule the included saved searches of TA-Nessus and all needed fields will be accessible for nessus:scan events without further Searches using Join.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
(index=foo sourcetype=bar) or (index=nessus sourcetype="nessus:plugin") | eval eid=coalesce(id, plugin_id) | fields host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor | stats values(*) as * by host-fqdn eid | table host-fqdn, hostname, severity, id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, but this doesn't work eighter. The fields cvss_base_score, description, exploit_available, exploitability_ease, family_name and risk_factor are still empty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The fields are getting created and I can display those fields in the table. As soon as I use one of the fields "host-fqdn, hostname, severity, id, cvss_base_score, description or plugin_name", the fields "cvss_base_score, description, exploit_available, exploitability_ease and family_name" wont be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you get when you run this
(index=foo sourcetype=bar) or (index=nessus sourcetype="nessus:plugin") | eval eid=coalesce(id, plugin_id) | table host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try appendcols
Example sourcetype=abc|table x,y,z,id|appendcols [search sourcetype=def|blah blah|fields id]
Hope this helps,
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, but I still have got the same problem.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
