Splunk Search

Bypassing lookup 1000 limit

cpm003
Path Finder

Hi all,
I am trying to make a correlation between an inventory of assets and vulnerability indexed data.

I am currently using:

| lookup assets.csv vendor, product,version OUTPUT Hostname Delivery | where isnotnull (Delivery)

to get exactly which assets appear in the indexed data and are therefore vulnerable, however there is a limit of 1000 when using lookup files.

By trying to solve the problem, I have indexed the inventory data in "index = assets", how could I get the relation of vulnerable assets with data indexed in two different indexes?

Thanks in advance

INDEXED Vulnerabilityes

INDEXED Assets

0 Karma

cpm003
Path Finder

Thank you very much for your response, although I have not be able to make it work, it wasn´t grouping data.

I have achieved it differently, I have created a new field in each index with:
| eval CPE = vendor + ":" + product + ":" version

then:
| stats values (index) as index values (Hostname) as Hostname by CPE | where mvcount (index) > 1
| mvexpand Hostname

jlemley
Path Finder

This is one of my favorite topics: Joining two data sets with the stats command.

A very quick and dirty way to do this with your data could be to try something like this:

index=vulnerability OR index=assets
| stats first(*) as * by vendor, product, version

This will pull your two data sources together, grouped (or joined) by the vendor, product, and version.

More information can be found here:
https://answers.splunk.com/answers/145077/how-to-perform-join-with-stats.html

There's also a great .conf18 presentation on this topic:
https://conf.splunk.com/watch/conf-online.html?search=join#/

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...