Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with tracking vulnerability data over time

responsys_cm
Builder
‎05-14-2013 05:46 PM

I'm trying to figure out the smartest way to track vulnerability data over time and account for how DHCP may mean that a single host is scanned at multiple IPs.

So, I've tried a search that looks for all vulnerability data and then it does an inner join by dest and _time on a subsearch that looks for a particular event ID that contains the hostname. I'm guessing I can them do a | streamstats max(_time) AS last_scan by dest | where _time=last_scan.

But for whatever reason, this search doesn't come back with any results:

index=vulnerabilities sourcetype=nessus NOT "Plugin ID,CVE," NOT dest=\*/* | join type=inner _time,dest [search index=vulnerabilities nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035" NOT dest=\*/* | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname] | table _time,dest,hostname,signature_name

What am I doing wrong here?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2015 06:31 AM

One reason that it does not work (correctly) is that you cannot escape asterisks in SPL so this part is bad:

NOT dest=\*/*

You have to do something like this instead:

| regex dest!="\*/.*"
0 Karma
Reply

dolivasoh
Contributor
‎07-09-2015 08:58 PM

Try this. Any results?

index=vulnerabilities sourcetype=nessus | join type=inner _time,dest [search index=vulnerabilities | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname]
0 Karma
Reply

TimMc
Explorer
‎05-15-2013 04:32 PM

Not really sure about the index. Try breaking down the entire query and make sure that each part is working as expected.

0 Karma
Reply

responsys_cm
Builder
‎05-15-2013 11:35 AM

The parentheses didn't change anything...

0 Karma
Reply

TimMc
Explorer
‎05-15-2013 05:42 AM

Are parentheses required for your sub search to work?

[search index=vulnerabilities (nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035") NOT dest=\*/*

Tim.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...