Splunk Search

Combinding results in fields with mulitple results

jerrythoms
Explorer

I have two types of logs in an index. Both can have multiple entries for a ip address.

What i need to do is find all the host names and users in one set of logs and get the get the cve(s)for each host from the other logs and list them out.

I know i'm most likely going about this the wrong way, this was my latest attempt by trying to combind the cves into one field

index=a sourcetype-=asset vulnerbilities > 0 | dedup ip | eval Vcve = [search sourcetype=vuln ip | stats list(cve) as cve delim="," | nomv cve] | table ip, host, user, Vcve

0 Karma
1 Solution

elliotproebstel
Champion

If I understand your data and needs correctly, I think this might get you there:

index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip) 
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip

If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?

View solution in original post

0 Karma

jerrythoms
Explorer

all logs have the field ip in them so for example

Example asset logs:
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=1 other=a
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=2 other=bit

Example vuln logs:
ip=1.1.1.1 cve="cve-2000-9999" category=service
ip=1.1.1.1 cve="cve-2018-1111" category=smb
ip=1.1.1.1 category=netbios

0 Karma

elliotproebstel
Champion

If I understand your data and needs correctly, I think this might get you there:

index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip) 
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip

If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?

0 Karma

jerrythoms
Explorer

Still not able to get it work, i've added some examples of the logs above.
I would like to create a report that listed all the cves for a hostname with the user

0 Karma

elliotproebstel
Champion

Hmm, can you tell me what you get when you run this:

sourcetype=asset OR sourcetype=vuln
stats values(hostname) AS hostname values(user) AS user values(cve) AS cve BY ip

If you can show me what that's giving you and what is wrong with it, I can help you fix it.

0 Karma

jerrythoms
Explorer

Thanks. It exactly what i need.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...