- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use search results from one sourcetype sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use search results from one sourcetype search to be included in a second search?
Good day,
My first search pulls servername and owner from a sourcetype (database). I then need to take the servername, owner, and match that info with the results from a CVE vulnerability search, having the servername as the constant in both searches. I have attempted append, join, and subsearch. I can get results but the owner will not match up with the Host and extracted_Host in a one to one relationship .
Search #1
sourcetype=DB ADM
| dedup host_name
| rex field=host_name "(?(\w+\-\w+))"
| stats values(Host) as Host by owner
| where Host != " "
Search #2
sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=_time
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time)
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also" ]
When I do a join this gives me the owner column, but the two Host and extracted_Host columns do not tie together.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2 - thank you for your help and time. The two sourcetypes do not have an exact value match for everything considered a host, but some are. One sourcetype uses a database, compiled by data sent from a local agent that lives on each server, the other sourcetype uses data received from a Nessus scan. I hope this answers your question. Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical) [search sourcetype=DB ADM | dedup host_name | rex field=host_name "(?(\w+\-\w+))" | stats count by owner Host| where Host != " " | table owner Host | rename Host as extracted_Host owner as Name ]
| eval Time=_time
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time)
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, the search returns with "No results found".
For
|rex field=host_name "(?(\w+-\w+))
I had to add
"(?(\w+-\w+))"
because it initially gave error = Regex: unmatched parentheses
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you post code/query, select whole query and click on "101010" button or Ctrl+K to format. You can see that rex was truncated in the question.
The query assumes that field Host and owner from sourcetype=DB ADM are mapped (exact value match) to the field extracted_Host and Name from sourcetype="CVE" host="VulScanner". Is that correct assumption?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
