Other Usage

How to search with multiple CSV

miguel1423
Explorer

Hello,

I'm currently using two csv to make an report as

- index A : file A CSV

-index B : file B CSV

 

I m trying to add an value from raw csv file A into raw csv file B.

With my first search form CSV file B I get this values

Owner IP
Owner A 10.10.10.2
Owner B 10.10.10.3

 

I would like to add the Owner value from my first search into my second search...

Owner -> I would get from file A IP -> same value as ip into file A CVE Risk
Owner A 10.10.10.2    
Owner B 10.10.10.3    

 

How can get value of Owner from csv file B and add them on my search ?

 

Regards, 

 

Miguel

Labels (4)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

There are many ways to achieve this, some are more efficient than others. To receive more accurate suggestions, please share your current search (mask anything sensitive). A general way would be this

search indexA OR search index=B
| fields Owner  IP  CVE	Risk
| stats values(*) as * by IP
0 Karma

miguel1423
Explorer

Hello,

 

Thank you for your answer, I will you explain my case better.

I have two CSV file with csv file A where the content is some CVE vulnerability by ip server and the second CSV file B where the content is the list of our server where is mentionned the server owner etc. 

I want to show on the dashboard the Owner, name server, CVE, IP ect. 

In the csv file A the Owner is not associed with the IP server so I did an variable "ip" to merge the data from both CSV and get the owner associed with the IP with "transaction"

(index="A" AND (Risk=$Risk$))OR(index="B" AND ("Deployment State"=Production))| eval ip_extracted=if(cidrmatch("Network",extracted_Host), "ipok", "noip") | eval ip_servers=if(cidrmatch("Network",NIC__1__IPAddress__1), "ipok", "noip") | eval ip=if(match(ip_servers, "ipok"),NIC__1__IPAddress__1, extracted_Host)  | transaction ip  | table  Owner ip Risk Name Description Solution "CVSS v2_0 Base Score" "CVSS v3_0 Base Score" OperatingSystem | where  Risk!="NULL" |search Owner=$Owner$ ip=$ip$

 

Now my problem is that each events sorted by ip are merged in my dashboard, I want that each event is shown independently by ip like as shown below because I want to add an check case where the owner can check if the event has been done or not and actualy it's not possible because each events are merged

2022-03-02_14h34_13.png

 

My English is not good so I don't know if you have understand what I mean ?

 

Regards,

 

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

(index="A" AND (Risk=$Risk$))OR(index="B" AND ("Deployment State"=Production))
| eval ip_extracted=if(cidrmatch("Network",extracted_Host), "ipok", "noip") 
| eval ip_servers=if(cidrmatch("Network",NIC__1__IPAddress__1), "ipok", "noip") 
| eval ip=if(match(ip_servers, "ipok"),NIC__1__IPAddress__1, extracted_Host)  | fields  Owner ip Risk Name Description Solution "CVSS v2_0 Base Score" "CVSS v3_0 Base Score" OperatingSystem 
| stats values(*) as * by ip | where  Risk!="NULL" |search Owner=$Owner$ ip=$ip$
0 Karma

miguel1423
Explorer

Hi,

thx for your reply but the result it's same, all events are merged

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...