I have scans (from the Nessus add-on). Some hosts were scanned more than once. When I select severity="critical" I see old vulnerabilities. For example:
IP, plugin-id, timestamp
10.0.0.1, 90315, 1537252785
10.0.0.1, 90316, 1537252785
10.0.0.1, 90317, 1537252785
10.0.0.1, 90318, 1537252785
10.0.0.2, 90421, 1537187491
10.0.0.2, 90422, 1537187491
10.0.0.2, 90423, 1537187491
10.0.0.2, 90424, 1537187491
10.0.0.1, 90316, 1537624344
10.0.0.1, 90318, 1537624344
10.0.0.1, 90319, 1537624344
10.0.0.2, 90422, 1537538233
10.0.0.2, 90428, 1537538233
As you can see, for 10.0.0.1 the max timestamp is 1537624344 and for 10.0.0.2 the max timestamp is 1537538233.
How do I select only the events with the max timestamp per IP:
10.0.0.1, 90316, 1537624344
10.0.0.1, 90318, 1537624344
10.0.0.1, 90319, 1537624344
10.0.0.2, 90422, 1537538233
10.0.0.2, 90428, 1537538233
And how do I select only the new plugin-ids at the max timestamp:
10.0.0.1, 90319, 1537624344
10.0.0.2, 90428, 1537538233
Thanks!
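The two selections asked for above, written as SPL over the same sample rows. This is an added example, not a search from the original thread; it assumes the data is loaded with `inputcsv test1.csv` (the file name used later in the thread) and that the CSV header is `IP, plugin-id, timestamp`, so the hyphenated column is renamed to `plugin_id` first to keep it easy to reference. The first search keeps every event whose timestamp equals that host's latest scan; the second keeps only plugin-ids that appear in the latest scan of a host and in no earlier scan of it (that is the reading of "new" used here).

```spl
| inputcsv test1.csv
| rename "plugin-id" AS plugin_id
| eventstats max(timestamp) AS latest_ts BY IP
| where timestamp=latest_ts
| table IP, plugin_id, timestamp

| inputcsv test1.csv
| rename "plugin-id" AS plugin_id
| stats dc(timestamp) AS scans_seen, max(timestamp) AS timestamp BY IP, plugin_id
| eventstats max(timestamp) AS latest_ts BY IP
| where timestamp=latest_ts AND scans_seen=1
| table IP, plugin_id, timestamp
```

Run them as two separate searches. In the first, `eventstats` attaches each host's latest scan time to every row without collapsing the rows, so the `where` keeps the five events listed in the question. In the second, `stats ... BY IP, plugin_id` collapses each (host, plugin) pair to the number of distinct scans it was seen in and its latest sighting; a pair that was seen exactly once and whose sighting is the host's latest scan is a finding that did not exist in the previous scan, which on the sample data yields 90319 for 10.0.0.1 and 90428 for 10.0.0.2. A plugin that was present in an old scan, absent in the middle one and present again in the latest scan would count as seen twice and be left out; drop the `scans_seen=1` condition and compare against the previous scan's timestamp instead if that case matters to you.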
Unfortunately there is no answer; perhaps it is very difficult.
Then please advise how to select the IPs and, for each IP, the maximum timestamp value. Like this:
IP, timestamp
10.0.0.1, 1537624344
10.0.0.2, 1537538233
Thanks!
IP, timestamp
10.0.0.1, 1537624344
10.0.0.2, 1537538233
I wrote this search:
| inputcsv test1.csv | sort 0 - timestamp | dedup IP | table IP, timestamp
Is it optimal from the point of view of run-time?
And how can I use the found data in a new query that covers only them?
How do I find in svc all the data where (ip, timestamp) = (10.0.0.1, 1537624344) and (10.0.0.2, 1537538233)?
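One way to feed the (IP, max timestamp) pairs into a second search, as an added example that is not part of the original thread. It assumes `svc` is an index (`index=svc`; use `sourcetype=svc` if it is a sourcetype instead) and that the events in it carry fields named `IP` and `timestamp`, exactly as in the CSV. The inner subsearch computes the pairs; Splunk turns its result rows into a search filter that is ORed together.

```spl
index=svc
    [ | inputcsv test1.csv
      | stats max(timestamp) AS timestamp BY IP
      | fields IP, timestamp ]
```

On the sample data the subsearch expands to `(IP="10.0.0.1" AND timestamp="1537624344") OR (IP="10.0.0.2" AND timestamp="1537538233")`, so only events from the latest scan of each host are returned from `svc`. On the run-time question: `stats max(timestamp) AS timestamp BY IP` gives the same (IP, timestamp) table as `sort 0 - timestamp | dedup IP` but without sorting the whole result set first, so it is the lighter form, and it is also the natural thing to put inside the subsearch. Keep in mind that subsearches have a default result limit of 10,000 rows and a time limit, which is fine for a list of hosts but worth knowing if the CSV grows large.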