Splunk Enterprise Security

Merging result of inputlookup file with subsearch to get required results

SunilMaharishi
Path Finder

I have one CSV file which contains device name and location data; I need to get the count of all device names, location-wise.
Then I am trying to get the malware count and spyware count on the infected machines from one of the indexed data sources, as below, but this search is not working: "Error in 'stats' command: The argument 'index=abc' is invalid". If I remove the inputlookup first line I get results, but I won't get the total number of computers. How should I merge these two requirements?

|inputlookup xyz.csv | stats count("Device Name") as Total_Computers by Location
index=abc | search TMCM:SLF_INCIDENT
|lookup xyz.csv "Device Name" as nodename OUTPUT Location
| stats count(nodename) as InfectedComputers count(signature) as MalwareCount
count(Spyware) as Spywarecount by Location
| table Total_Computers,Location,InfectedComputers, MalwareCount, Spywarecount

0 Karma
1 Solution

harishalipaka
Motivator

Hi @SunilMaharishi,
try this:

|inputlookup xyz.csv | stats count("Device Name") as Total_Computers by Location|appendcols [search index=abc | search TMCM:SLF_INCIDENT
|lookup xyz.csv "Device Name" as nodename OUTPUT Location
| stats count(nodename) as InfectedComputers count(signature) as MalwareCount 
count(Spyware) as Spywarecount by Location ]
| table Total_Computers,Location,InfectedComputers, MalwareCount, Spywarecount 
Thanks
Harish


0 Karma


SunilMaharishi
Path Finder

I tried using the append command and that is giving the correct result; I modified the search a little bit though.

0 Karma

SunilMaharishi
Path Finder

I tried using this; however, I am getting the total computers and location, but "InfectedComputers, MalwareCount, Spywarecount" are blank and do not have any values.

0 Karma
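The blank columns reported in the last comment are the expected effect of appendcols, which pairs rows by position rather than by Location. The following is an added example, not from the original thread: it uses append followed by a second stats to merge the two result sets on the Location key, assumes the same xyz.csv lookup, index and field names as the question, and counts distinct nodename values as InfectedComputers (the original search counted events).

```spl
| inputlookup xyz.csv
| stats count("Device Name") AS Total_Computers BY Location
| append
    [ search index=abc TMCM:SLF_INCIDENT
      | lookup xyz.csv "Device Name" AS nodename OUTPUT Location
      | stats dc(nodename) AS InfectedComputers
              count(signature) AS MalwareCount
              count(Spyware) AS Spywarecount
        BY Location ]
| stats sum(Total_Computers) AS Total_Computers
        sum(InfectedComputers) AS InfectedComputers
        sum(MalwareCount) AS MalwareCount
        sum(Spywarecount) AS Spywarecount
        BY Location
| fillnull value=0 InfectedComputers MalwareCount Spywarecount
| table Location Total_Computers InfectedComputers MalwareCount Spywarecount
```

Locations present in the lookup but with no incidents keep their Total_Computers and show 0 in the incident columns, which makes a missing-data gap visible instead of silently dropping the row.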