What is typically the best way to do Splunk searches with the following logic?
My example is searching Qualys Vulnerability Data.
Searching HTTP Headers first and including Tag results in search query
index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
| dedup IP
| table IP]
| stats latest(_time) values(DNS) values(RESULTS) by IP
The issue with this search is that it doesn’t include systems with the RCE tag but no QID=48118 (HTTP Headers Data)
Searching TAG first then Join
index=qualys "WebLogic RCE - CVE-2020-14882"
| dedup IP
| table IP, DNS
| join type=left IP
[search index=qualys QID=48118
| dedup IP RESULTS]
| stats values(DNS), values(RESULTS) by IP
The issue here is that I only get back one HTTP RESULT, there should be a few for each port that is open.
Any links to the best way to create subsearches from results would be great for learning. Thanks.
index=qualys QID=48118 OR "WebLogic RCE - CVE-2020-14882"
| stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count by IP
| where check_count > 0
| table _time IP DNS RESULTS
It's Splunk, so let's search and select in bulk.
Thanks for your response. Does the searchmatch search across all fields in the record? This returned the 15 systems; however, all RESULTS from systems with "WebLogic" are returned. How do I only show the RESULTS from QID=48118 and not other QIDs from systems that have "WebLogic"?
I want to search all systems with "WebLogic RCE - CVE-2020-14882" and for each of these systems list the QID=48118s if they exist.
index=qualys QID=48118 AND "WebLogic RCE - CVE-2020-14882"
| stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS by IP
| table _time IP DNS RESULTS
In those conditions, this would be fine.
This returns 0 results because the QID=48118 AND "WebLogic RCE - CVE-2020-14882" are in separate events. Is there a way to modify your original search to only show QID RESULTS that are 48118? I was trying to do it by filtering out the other QIDs at the beginning but then I lose the "WebLogic" events. Thank you.
| stats ... count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count count(eval(QID=48118)) as check_QID by IP
| where ... AND check_QID > 0
The first search looks like it should work, but with some minor changes. When working with subsearches it helps to run the subsearch by itself with | format added to see what exactly is returned to the main search. Once you've adjusted the result of the subsearch, the rest should be easy.
Try this
index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
| return 1000 IP]
| stats latest(_time) values(DNS) values(RESULTS) by IP
Keep in mind that everything returned by the subsearch must be a field in the main search. You'll see why when you look at the format output. That result is ANDed to the main search query, which is why systems with an RCE, but no QID don't show up.
Thanks for the | format insight. That helps. When I use the return IP it only returns one IP, not the list of IPs. What I would like to see is that there are 15 systems returned from the subsearch, and then for each of those systems, if they have any QID=48118s then they show up. If none exist then it is blank, i.e., the RESULTS could return a blank if none are found.
Thank you.
My mistake. The return command defaults to returning a single entry. I've modified my answer.
Interesting. When I search index=qualys "WebLogic RCE - CVE-2020-14882" | return 1000 IP, I get 3 IPs. When I add a dedup IP, index=qualys "WebLogic RCE - CVE-2020-14882" | dedup IP | return 1000 IP, I get 15 IPs. I double checked that I am running them over the same 30d time span. Any ideas on why that would be the case?
Assuming I use the dedup, this command works well. However, since it is using an AND with the subsearch, it only shows the 9 of the 15 IPs that have the QID. How would I modify it so it would also show the remaining 6 IPs but with blank RESULTS? This is what I was trying to do with my second search in the original post.
index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
| dedup IP | return 1000 IP]
| stats values(DNS) values(RESULTS) by IP
Thank you so much for your assistance.
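The left-join behaviour asked for in the last post above (all 15 tagged hosts listed, with the QID=48118 RESULTS where they exist and a blank RESULTS otherwise) can be had without a subsearch or join, as an added example that is not from the thread or any of its posters. It keeps the stats-based approach from the earlier answer and assumes only the fields already used in the thread (IP, DNS, RESULTS, QID); the helper field names tag_hit, tag_count and hdr_results are my own.

```spl
index=qualys (QID=48118 OR "WebLogic RCE - CVE-2020-14882")
| eval tag_hit=if(searchmatch("WebLogic RCE - CVE-2020-14882"), 1, 0)
| eval hdr_results=if(QID=48118, RESULTS, null())
| stats latest(_time) as _time
        values(DNS) as DNS
        sum(tag_hit) as tag_count
        values(hdr_results) as RESULTS
        by IP
| where tag_count > 0
| table _time IP DNS RESULTS
```

The conditional eval is what keeps RESULTS from other QIDs out of the list, since values() ignores null(); a host that has the tag but no QID=48118 events ends up with an empty RESULTS cell instead of being dropped by an AND.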