Splunk Search

Combinding results in fields with mulitple results

jerrythoms
Explorer

I have two types of logs in an index. Both can have multiple entries for a ip address.

What i need to do is find all the host names and users in one set of logs and get the get the cve(s)for each host from the other logs and list them out.

I know i'm most likely going about this the wrong way, this was my latest attempt by trying to combind the cves into one field

index=a sourcetype-=asset vulnerbilities > 0 | dedup ip | eval Vcve = [search sourcetype=vuln ip | stats list(cve) as cve delim="," | nomv cve] | table ip, host, user, Vcve

0 Karma
1 Solution

elliotproebstel
Champion

If I understand your data and needs correctly, I think this might get you there:

index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip) 
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip

If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?

View solution in original post

0 Karma

jerrythoms
Explorer

all logs have the field ip in them so for example

Example asset logs:
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=1 other=a
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=2 other=bit

Example vuln logs:
ip=1.1.1.1 cve="cve-2000-9999" category=service
ip=1.1.1.1 cve="cve-2018-1111" category=smb
ip=1.1.1.1 category=netbios

0 Karma

elliotproebstel
Champion

If I understand your data and needs correctly, I think this might get you there:

index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip) 
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip

If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?

0 Karma

jerrythoms
Explorer

Still not able to get it work, i've added some examples of the logs above.
I would like to create a report that listed all the cves for a hostname with the user

0 Karma

elliotproebstel
Champion

Hmm, can you tell me what you get when you run this:

sourcetype=asset OR sourcetype=vuln
stats values(hostname) AS hostname values(user) AS user values(cve) AS cve BY ip

If you can show me what that's giving you and what is wrong with it, I can help you fix it.

0 Karma

jerrythoms
Explorer

Thanks. It exactly what i need.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...