Solved: In Forescout, trying to pull the descriptions for ...

tmaltizo · ‎10-06-2016

We have the following sourcetypes in index=forescout.
fs_av_compliance
fs_DLP_compliance
fs_fw_compliance
fs_encryption_compliance

They each have the field "description". How do I list each of the descriptions by host? I understand there may be multiple descriptions for any of the sourcetypes, but we can always dedup them....

Here's where I got stuck:

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | fields src_nt_host description | chart values(description) over src_nt_host by sourcetype | table src_nt_host fs_av_compliance fs_DLP_compliance fs_fw_compliance fs_encryption_compliance

sundareshr · ‎10-06-2016

How about one of these

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | fields src_nt_host description | stats values(description) as description by  src_nt_host sourcetype | mvexpand description

*OR*

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | fields src_nt_host description | stats values(description) as description by  src_nt_host | mvexpand description

View solution in original post

sundareshr · ‎10-06-2016

How about one of these

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | fields src_nt_host description | stats values(description) as description by  src_nt_host sourcetype | mvexpand description

*OR*

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | fields src_nt_host description | stats values(description) as description by  src_nt_host | mvexpand description

tmaltizo · ‎10-06-2016

Thanks for your response @sundareshr!

How can I format the result so that the description falls under the appropriate sourcetype...

src_nt_host fs_av_compliance fs_DLP_compliance fs_fw_compliance fs_encryption_compliance
ABCD1234 AV running..... DLP installed... FW is up and running Encryption is running....

sundareshr · ‎10-06-2016

Like this

index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | chart values(description) over src_nt_host by sourcetype

tmaltizo · ‎10-06-2016

That's it! Thank you @sundareshr!

Can we go a step further and capture the latest description per sourcetype if there are more than one?

sundareshr · ‎10-06-2016

Try this

 index=forescout (sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) OR (sourcetype=fs_fw_compliance) OR (sourcetype=fs_encryption_compliance) | chart values(description) AS Descriptions latest(description) as Latest_Description over src_nt_host by sourcetype

tmaltizo · ‎10-07-2016

Thank you @sundareshr!

In Forescout, trying to pull the descriptions for each of the compliance types by hosts

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk