- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combinding results in fields with mulitple results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two types of logs in an index. Both can have multiple entries for a ip address.
What i need to do is find all the host names and users in one set of logs and get the get the cve(s)for each host from the other logs and list them out.
I know i'm most likely going about this the wrong way, this was my latest attempt by trying to combind the cves into one field
index=a sourcetype-=asset vulnerbilities > 0 | dedup ip | eval Vcve = [search sourcetype=vuln ip | stats list(cve) as cve delim="," | nomv cve] | table ip, host, user, Vcve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand your data and needs correctly, I think this might get you there:
index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip)
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip
If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all logs have the field ip in them so for example
Example asset logs:
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=1 other=a
ip=1.1.1.1 hostname=comp1 user=me vulnerbilites=2 risk=2 other=bit
Example vuln logs:
ip=1.1.1.1 cve="cve-2000-9999" category=service
ip=1.1.1.1 cve="cve-2018-1111" category=smb
ip=1.1.1.1 category=netbios
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand your data and needs correctly, I think this might get you there:
index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln ip)
| stats values(host) AS host values(user) AS user values(cve) AS cve BY ip
If that doesn't work, can you share some sample events from each sourcetype and how you'd like them combined (what you'd like the final result to look like)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still not able to get it work, i've added some examples of the logs above.
I would like to create a report that listed all the cves for a hostname with the user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, can you tell me what you get when you run this:
sourcetype=asset OR sourcetype=vuln
stats values(hostname) AS hostname values(user) AS user values(cve) AS cve BY ip
If you can show me what that's giving you and what is wrong with it, I can help you fix it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. It exactly what i need.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
