Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What is the most efficient way to correlate fields from different sourcetypes in the same index by an asset_id key

packet_hunter
Contributor
‎08-24-2017 11:59 AM

I have some vulnerability and asset data I need to correlate but I am not sure of the best method to use...

index=rapid7 sourcetype="rapid7:nexpose:asset" | stats  values(os)  values(hostname)  by asset_id

1234    Microsoft blah   some_asset_name.corp.com   

1235    Linux blah  some_asset_name.corp.com    

index=rapid7 sourcetype="rapid7:nexpose:vuln"  "some vuln of interest" | stats values(signature) values(solution_summary) by asset_id

1234    signature_value  allows this blah blah attack   solution_summary_value disable blah bah

1235    signature_value  allows this blah blah attack   solution_summary_value disable blah bah

The two queries give me values based on the asset_id number, I just need a fast way to correlate the queries so I can report 

os  hostname  signature   solution_summary   asset_id

Any advice appreciated.

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-24-2017 01:17 PM

This should be just slightly more efficient than that ...

index=rapid7 (sourcetype="rapid7:nexpose:asset" OR 
(sourcetype="rapid7:nexpose:vuln"  "some vuln of interest") )
 | stats values(hostname) as hostname, 
     values(os) as os,
     values(signature) as signature, 
     values(solution_summary) as solution_summary 
     values(sourcetype) as sourcetype by asset_id
 | where mvcount(sourcetype)>1

Coded this way, it only has to search the index for the vuln sourcetype once. However, if you have a large number of os records, relative to vuln records, then your way will be more efficient.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-24-2017 01:17 PM

This should be just slightly more efficient than that ...

index=rapid7 (sourcetype="rapid7:nexpose:asset" OR 
(sourcetype="rapid7:nexpose:vuln"  "some vuln of interest") )
 | stats values(hostname) as hostname, 
     values(os) as os,
     values(signature) as signature, 
     values(solution_summary) as solution_summary 
     values(sourcetype) as sourcetype by asset_id
 | where mvcount(sourcetype)>1

Coded this way, it only has to search the index for the vuln sourcetype once. However, if you have a large number of os records, relative to vuln records, then your way will be more efficient.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎08-25-2017 07:33 AM

yes this is faster...
Thank you

Reply
Solved! Jump to solution

ranich
Engager
‎12-22-2017 01:03 PM

In a similar vein, I am stuck on getting values returned as intended. I am trying to get riskscore values for assets that have an exception applied, but only the exception values of risk.

Something like this, but I am unclear how to differentiate the risk:
index=rapid7 | transaction asset_id | makemv nexpose_tags delim=";" | stats sum(riskscore) as totalrisk, values(review_comment), values(submitted_by) by nexpose_tags | eval totalrisk=round(totalrisk) | sort -totalrisk

Perhaps some version of your query above would fit into this query to show the asset group and its risk that is being excluded in Nexpose?

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-25-2017 09:26 AM

When theory matches performance, believe performance.

When theory does NOT match performance, believe performance.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎08-24-2017 12:54 PM

I came up with...

index=rapid7 sourcetype="rapid7:nexpose:asset" OR sourcetype="rapid7:nexpose:vuln" [search index=rapid7  sourcetype="rapid7:nexpose:vuln" TLS 1.0  | fields asset_id] |stats values(hostname) values(os) values(signature) values(solution_summary) by asset_id

any other ideas on this?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...