Hello,
I have been banging my head on a problem. What I am trying to do is run a first query to get a list of assets, then with that list I want to update my kv store. I can do what I want in two separate searches but when I combine them it does not work. I have tried using append, join, and just stringing them together but nothing works yet. My latest attempt was with join.
sourcetype="asset-info"
| eval nowfield=now()
| eval diff = ( nowfield-1814400 )
| convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime(last_found) as new_epoch
| eval last_scanned=substr(new_epoch,1,10)
| where last_scanned < diff
| eval vuln_last_found=substr(last_found,1,10)
| eval target_id = dns_name
| join type=inner max=0 target_id
    [
    | inputlookup kvstore_db
    | where fqdn=target_id AND state!="closed"
    | eval key=_key
    | eval state="oct7"
    | outputlookup kvstore_db append=True
    ]
The first half is the first search that gets the list of assets (target_id), then I filter on that with the kvstore lookup (kvstore_db), followed by the outputlookup to actually update the (state) field with the value "oct7". This basically works as is if I run the two searches independently, but when I put them together (which is what I need) it does not work. I am hoping someone can help.
Thanks,
Joe
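Added illustration, not part of Joe's post: a subsearch inside join runs on its own before the outer search, so `where fqdn=target_id` there never sees the outer target_id field and matches nothing. The same update can be expressed without a subsearch by letting the outer results drive a lookup against the collection and then writing the matched records back by _key. It assumes the collection's lookup definition is called kvstore_db with the fields fqdn, state and _key (carry any other collection fields through OUTPUT as well, since a record matched on _key is rewritten).

```spl
sourcetype="asset-info"
| eval nowfield=now()
| eval diff = ( nowfield-1814400 )
| convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime(last_found) as new_epoch
| eval last_scanned=substr(new_epoch,1,10)
| where last_scanned < diff
| eval target_id = dns_name
| dedup target_id
| lookup kvstore_db fqdn AS target_id OUTPUT _key AS kv_key, state AS kv_state
| where isnotnull(kv_key) AND kv_state!="closed"
| eval _key=kv_key, fqdn=target_id, state="oct7"
| table _key fqdn state
| outputlookup kvstore_db append=true
```

Run it once with the final `outputlookup` line removed to confirm that only the intended records (stale assets whose collection entry is not "closed") come back before letting it write.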