I have vulnerability detection in Splunk where there is the possibility of duplicate QID, IP and PORT, so I run a search string to dedup QID IP PORT however it doesn't give me the values I want because some detection don't have a PORT associated.
I try to add ... | fillnull PORT | dedup QID IP PORT | ... however the result is the same as when I don't do a dedup and I know for sure there are detection with all three as it's creating the descripances with the result we get from the Vulnerability scanner itself.
How else can I make this work?
Give this a try
your base search | eval PORT=coalesce(PORT,"NA") | dedup QID IP PORT
No luck, still not working. Any other ideas?
How about this
your base search | eventstats values(PORT) as port by QID IP | eval PORT=coalesce(PORT,port ) | dedup QID IP PORT