Splunk Search

How can I see still results from both sourcetypes but only from hosts which have cvs score above 7?

suspense
Explorer

Hello,

Syntax:

 

 

index=security sourcetype=EDR:*  | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest 

 

 

Problem:

sourcetype contains two sourcetypes: EDR:Security EDS:Assets

In Security I have fields ip, cvs, warning
In Assets I have fields ipaddress, operating_system, ID

I use syntax above and I am happy as I see results from both sourcetypes. 
Now I need to see only results that have cvs above 7. 

The problem is that whenever I user cvs>7 or  | search cvs>7 or |where cvs>7 I can see results from EDR:Security (so from sourcetype that I am looking for condition csv>7). 

How can I see still results from both sourcetypes but only from hosts which have cvs score above 7?

Labels (1)
0 Karma
1 Solution

Icecream123
Explorer

Hi,

This query works for me to get all the values of more than 7. I reassign the name of "values(cvs) as cvs" before performing the where command.

index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) as sourcetype values(cvs) as cvs values(warning) as warning values(operating_system) as operating_system values(ID) as ID by dest | where cvs>7

 

These are all the values after the stats.

Icecream123_0-1680598931038.png

 

after |where >7

Icecream123_1-1680599041655.png

 

Hope this was what you were looking to do!

View solution in original post

0 Karma

Icecream123
Explorer

Hi,

This query works for me to get all the values of more than 7. I reassign the name of "values(cvs) as cvs" before performing the where command.

index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) as sourcetype values(cvs) as cvs values(warning) as warning values(operating_system) as operating_system values(ID) as ID by dest | where cvs>7

 

These are all the values after the stats.

Icecream123_0-1680598931038.png

 

after |where >7

Icecream123_1-1680599041655.png

 

Hope this was what you were looking to do!

0 Karma

suspense
Explorer

Oh God! Thanks! That was the case, hah. I forgot to rename them and I put where at the end (which did not work)... Stupid mistake. Thanks again.

0 Karma

Icecream123
Explorer
Glad to help!
0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi @suspense ,

 

I'm not sure I fully understand your request. If you want to show EDR:Security events where cvs > 7 and all EDR:Assets then you can do the following:

 

index=security ( (sourcetype=EDR:Security cvs>7) OR sourcetype=EDR:Assets )
0 Karma

suspense
Explorer

I tried:
((sourcetype=EDR:* AND cvs>7) OR sourcetype=EDR:*). But Even If I change cvs>100 I still get results with everything (all cvs, no matter what number it is... even if it is empty)

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=security (sourcetype=EDR:Security AND cvs>7) OR sourcetype=EDR:Assets
| eval dest=coalesce(ip,ipaddress)
| stats values(ip) as ip values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest 
| where isnotnull(ip)
0 Karma

suspense
Explorer

This is exactly what I tried but I need to see only events where cvs>7 and in the same row, in the same table I need to see data from the other sourcetype (operating_system, etc.). 

I will make visualization. 

My search without conditions:

index=security sourcetype=EDR:*  | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest 

suspense_0-1680599076633.png

Search with OR conditions:

index=security ( (sourcetype=EDR:Security cvs>7) OR sourcetype=EDR:Assets )
suspense_1-1680599155217.png

 

As you can see if condition is met, I get results from one sourcetype only. If conditions are not met, I get all results i one row. I need to have it all - cvs>7, operating_system, ID, etc. in one row.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...