hi,
I am a newbie in splunk
I have this one use case I am trying. search for a machine that have malware infection AND it has a vulnerability. anyone can give me pointers the best search to do it?
(sourcetype="vulnscan" severity=critical) OR sourcetype="avscan" | table av_threatname severity hostname | eval infectedandvulnerable=coalesce(av_threatname,severity)
You have to use two searches and join
the results of them.
Assuming your individual sourcetypes have the hostname
field in common (you have to have one common field in both searches, otherwise you will have to eval
them to be identical) you may use this search:
sourcetype=vulnscan severity=critical | table hostname | join hostname [search sourcetype=avscan]
For more info on the join
command, check => http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join