So when I run the following search, 'event_name' returns a list of all event_name values which match the coalesce(src_ip,host_ip). The output looks to be a Python unicode list, i.e.: [u'itemnumber1',u'itemnumber2','itemnumber3'] etc.
sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None |
eval src_ip = coalesce(src_ip,host_ip) |
table msg, src_ip, dst_ip, dst_port, event_name, risk
How would I make this so each 'itemnumber(n)' would return a new row, or pretty formatting so that it's more readable?
Try this
sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None | eval src_ip = coalesce(src_ip,host_ip) | makemv event_name delim="," | mvexpand event_name | table msg, src_ip, dst_ip, dst_port, event_name, risk
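As an added example (not from the question or the answer above), the same expansion using makemv's tokenizer option instead of delim=",", so the brackets and u'...' quoting of the Python list representation are stripped and each expanded row holds a bare value. The makeresults/eval lines are constructed test data standing in for the original sourcetype search; field names are those used in the question.

```spl
| makeresults
| eval event_name="[u'itemnumber1', u'itemnumber2', 'itemnumber3']", src_ip="10.0.0.5", dst_ip="10.0.0.9", dst_port="443", msg="ET SCAN constructed sample", risk="High"
| makemv tokenizer="u?'([^']+)'" event_name
| mvexpand event_name
| table msg, src_ip, dst_ip, dst_port, event_name, risk
```

Replace the first two lines with the original search and its coalesce eval to run it on real data. Note that mvexpand copies msg and risk onto every expanded row, so any later stats count by risk counts event_name values rather than original alerts unless you use dc on a per-event field such as _time or _raw.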