Solved: Using join to show fields for two sourcetypes in o...

mdorobek · ‎06-29-2016

Hi,

I need to show fields for two sourcetypes in one table. Those two sourcetypes have the same ID field: "plugin_id" and "id". For this reason, I tried to join them with the following search:

...|rename plugin_id as id| table id, host-fqdn, hostname, severity | join id type=left [search index=nessus sourcetype="nessus:plugin"| table id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor] | table host-fqdn, hostname, severity, id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor

The failure is that some fields in the Table are just empty.

rschoensee · ‎06-30-2016

To better understand this particular Question it is important that it reflects on the intended usage of TA-Nessus.

The Sourcetype nessus:plugin is primarily used to create and maintain several lookup-files with included saved searches. Those searches are not scheduled by default and can be run manually or scheduled as needed.

All requested fields are automatically enriched via lookups to nessus:scan events, if the lookup-files are created or maintained.

So my answer to this question is to run and/or schedule the included saved searches of TA-Nessus and all needed fields will be accessible for nessus:scan events without further Searches using Join.

View solution in original post

rschoensee · ‎06-30-2016

To better understand this particular Question it is important that it reflects on the intended usage of TA-Nessus.

The Sourcetype nessus:plugin is primarily used to create and maintain several lookup-files with included saved searches. Those searches are not scheduled by default and can be run manually or scheduled as needed.

All requested fields are automatically enriched via lookups to nessus:scan events, if the lookup-files are created or maintained.

So my answer to this question is to run and/or schedule the included saved searches of TA-Nessus and all needed fields will be accessible for nessus:scan events without further Searches using Join.

sundareshr · ‎06-29-2016

Try this

(index=foo sourcetype=bar) or (index=nessus sourcetype="nessus:plugin") | eval eid=coalesce(id, plugin_id) | fields host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor | stats values(*) as * by host-fqdn eid | table host-fqdn, hostname, severity, id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor

mdorobek · ‎06-29-2016

Thank you, but this doesn't work eighter. The fields cvss_base_score, description, exploit_available, exploitability_ease, family_name and risk_factor are still empty

mdorobek · ‎06-29-2016

The fields are getting created and I can display those fields in the table. As soon as I use one of the fields "host-fqdn, hostname, severity, id, cvss_base_score, description or plugin_name", the fields "cvss_base_score, description, exploit_available, exploitability_ease and family_name" wont be displayed.

sundareshr · ‎06-30-2016

What do you get when you run this

(index=foo sourcetype=bar) or (index=nessus sourcetype="nessus:plugin") | eval eid=coalesce(id, plugin_id) | table host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor

Raghav2384 · ‎06-29-2016

try appendcols

Example sourcetype=abc|table x,y,z,id|appendcols [search sourcetype=def|blah blah|fields id]

Hope this helps,

Thanks,
Raghav

mdorobek · ‎06-29-2016

Thank you, but I still have got the same problem.

Using join to show fields for two sourcetypes in one table, why are some fields empty?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms