Hi All!
I have the following query, and I want to schedule a report for it every night.
When I export this to CSV after searching, the fields get all mixed up.
Any idea on how to rewrite this to get similar results that would work well in CSV?
index=rapid7 "tag::eventtype"=vulnerability (nexpose_severity=Severe OR nexpose_severity=Critical) (site_id=64 OR site_id=55 OR site_id=63 OR site_id=62)
| eval site_info=case(site_id==63,"Public IPs: Corp IT 2", site_id==64,"Public IPs:3", site_id==62,"Public IPs: Corp 4", site_id==23,"Corp - Office - 1", site_id==60,"Rapid7 Insight Agents", site_id==55,"Public IPs: 5")
| stats values(signature) AS "Vulnerabilities", values(cve) AS "CVE", values(nexpose_severity) AS "Severity", values(site_info) AS "Site ID", values(date_added) AS "DATE_ADDED", distinct_count(cve) AS distinct_count_vulnerabilities by ip
| sort -distinct_count_vulnerabilities
Thanks in advance for your help!
You could create a lookup file, then schedule your search and have it append to that lookup with:
| table field1 field2 field3 ... | outputlookup append=true your_lookup.csv
That way your search results would be written to the CSV behind the lookup at every run.
If it's a formatting issue, can you explain more about what you mean when you say "The fields get all mixed up"?
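For reference, here is the poster's query rewritten as a scheduled search that writes to a lookup, as an added example that is not part of the thread. The lookup name nexpose_nightly_vulns.csv is a placeholder, and collapsing the multivalue values() results with mvjoin (so each cell holds one "; "-separated string instead of several lines) and renaming "Site ID" to Site_ID are my own choices, not the answerer's.

```spl
index=rapid7 "tag::eventtype"=vulnerability
    (nexpose_severity=Severe OR nexpose_severity=Critical)
    (site_id=64 OR site_id=55 OR site_id=63 OR site_id=62)
| eval site_info=case(site_id==63,"Public IPs: Corp IT 2", site_id==64,"Public IPs:3", site_id==62,"Public IPs: Corp 4", site_id==23,"Corp - Office - 1", site_id==60,"Rapid7 Insight Agents", site_id==55,"Public IPs: 5")
| stats values(signature) AS Vulnerabilities, values(cve) AS CVE, values(nexpose_severity) AS Severity, values(site_info) AS Site_ID, values(date_added) AS DATE_ADDED, dc(cve) AS distinct_count_vulnerabilities BY ip
| foreach Vulnerabilities CVE Severity Site_ID DATE_ADDED [ eval <<FIELD>>=mvjoin(<<FIELD>>, "; ") ]
| sort - distinct_count_vulnerabilities
| table ip Vulnerabilities CVE Severity Site_ID DATE_ADDED distinct_count_vulnerabilities
| outputlookup append=true nexpose_nightly_vulns.csv
```

With the multivalue fields flattened, each row of the lookup CSV is a single line per ip, which avoids the multi-line cells that Splunk otherwise writes for values() output.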