topic Re: How to use search results from one sourcetype search to be included in a second search? in Splunk Search

How to use search results from one sourcetype search to be included in a second search?

bewald_cfi — Tue, 13 Jun 2017 18:09:48 GMT

Good day,
My first search pulls servername and owner from a sourcetype (database). I then need to take the servername, owner, and match that info with the results from a CVE vulnerability search, having the servername as the constant in both searches. I have attempted append, join, and subsearch. I can get results but the owner will not match up with the Host and extracted_Host in a one to one relationship .

Search #1

sourcetype=DB ADM
| dedup host_name
| rex  field=host_name "(?(\w+\-\w+))" 
| stats values(Host) as Host by owner
| where Host != " "

Search #2

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=_time 
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also" ]

When I do a join this gives me the owner column, but the two Host and extracted_Host columns do not tie together.
Thank you

Re: How to use search results from one sourcetype search to be included in a second search?

somesoni2 — Tue, 13 Jun 2017 19:04:18 GMT

Give this a try

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical) [search  sourcetype=DB ADM | dedup host_name | rex  field=host_name "(?(\w+\-\w+))" | stats count by owner Host| where Host != " " | table owner Host | rename Host as extracted_Host owner as Name ]
 | eval Time=_time 
 | dedup Solution
 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
 | table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also" ]

Re: How to use search results from one sourcetype search to be included in a second search?

bewald_cfi — Tue, 13 Jun 2017 20:00:04 GMT

Unfortunately, the search returns with "No results found".

For
|rex field=host_name "(?(\w+-\w+))
I had to add
"(?(\w+-\w+))"
because it initially gave error = Regex: unmatched parentheses

Re: How to use search results from one sourcetype search to be included in a second search?

somesoni2 — Tue, 13 Jun 2017 20:14:33 GMT

When you post code/query, select whole query and click on "101010" button or Ctrl+K to format. You can see that rex was truncated in the question.

The query assumes that field Host and owner from sourcetype=DB ADM are mapped (exact value match) to the field extracted_Host and Name from sourcetype="CVE" host="VulScanner". Is that correct assumption?

Re: How to use search results from one sourcetype search to be included in a second search?

bewald_cfi — Wed, 14 Jun 2017 12:22:39 GMT

Somesoni2 - thank you for your help and time. The two sourcetypes do not have an exact value match for everything considered a host, but some are. One sourcetype uses a database, compiled by data sent from a local agent that lives on each server, the other sourcetype uses data received from a Nessus scan. I hope this answers your question. Thanks again!