Hello,
I'm trying to use the search below but I only get 0 events.
What Am I doing wrong?
index=rapid7 sourcetype=*
| eval site=coalesce(site, "")
| eval asset=coalesce(asset_id, "")
| search site=* status=Approved reason="Acceptable risk"
| search [search index=rapid7 sourcetype="rapid7:nexpose:asset" | fields * | eval tag=coalesce(split(nexpose_tags,";"), "") | search tag="*" * vendor_product="*" site_id="*" pci_status="*" (hostname=* OR ip=* OR mac=*) | fields * | table asset_id hostname ip mac os site_name nexpose_tags os]
| dedup site asset vulnerability_id
| sort "Status" DESC
| table status vulnerability_id title asset_id severity_score severity reason additional_comments submitted_by review_date review_comment expiration_date port key
Your SPL has a few errors, perhaps because of the way the forum formats questions. Please edit the question to correct issues like "search site= status=...". It will be easier to help if we're looking at a valid query.
A typical approach for debugging a query that returns zero events is to start with the base search and add one command at a time until no results are returned. The last command added is probably the cause.