Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consolidate data in table using Dedup command

neerajs_81
Builder
‎12-29-2021 11:43 PM

Hello,  
I am using the below query to output which of our Searches/Rules are mapped to which Mitre Technique IDs.

 

| inputlookup mitre_all_rule_technique_lookup 
| `lookup_technique_tactic_from_rule_name`
| search rule_disabled=0
| dedup rule_name, technique_id, rule_disabled

 

The Result is as follows:

rule_nametactic_IDtactic_nameTechnique_IDTecnique_name
Rule001TA001PersistenceT1136Create Account
Rule001TA002PersistenceT1098Account Manipulation
Rule001TA008Defense EvasionTxxxxModify infrastructrue

 

As you can see ,  it is showing different entries for  the same data in the "rule_name" column .   The Rule mentioned in the Rule_name column is mapped to 3 different Tactic_ID ,Technique_IDs etc which is why  it shows 3 results for the same rule.  How can i consolidate all this ?

Basically this is the output i want :

rule_nametactic_IDtactic_nameTechnique_IDTechnique_name
Rule001TA001
TA002
TA008		Persistence
Persistence
Defense Evasion		T1136
T1098
TXXXX		Create Account
Account Manipulation
Modify infrastructure
Rule002TAxxx
TAXXX		...............
     


If i change my dedup command in the query  to:   | dedup rule_name  ,  then it displays only the 1st row  of every rule_name and omits the remaining values.

Pls advise. I am sure this is something very fundamental.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-29-2021 11:49 PM

Hi @neerajs_81,

did you tried to use the stats command?

something like this:

| inputlookup mitre_all_rule_technique_lookup 
| `lookup_technique_tactic_from_rule_name`
| search rule_disabled=0
| stats 
   values(tactic_ID) AS tactic_ID 
   values(tactic_name) AS tactic_name 
   values(Technique_ID) AS Technique_ID 
   values(Tecnique_name) AS Tecnique_name 
   BY rule_name

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-29-2021 11:49 PM

Hi @neerajs_81,

did you tried to use the stats command?

something like this:

| inputlookup mitre_all_rule_technique_lookup 
| `lookup_technique_tactic_from_rule_name`
| search rule_disabled=0
| stats 
   values(tactic_ID) AS tactic_ID 
   values(tactic_name) AS tactic_name 
   values(Technique_ID) AS Technique_ID 
   values(Tecnique_name) AS Tecnique_name 
   BY rule_name

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎12-29-2021 11:52 PM

Thank you very much. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-29-2021 11:56 PM

Hi @neerajs_81,

good for you, see next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...