Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I see still results from both sourcetypes but only from hosts which have cvs score above 7?

suspense
Explorer
‎04-04-2023 01:18 AM

Hello,

Syntax:

 

 

index=security sourcetype=EDR:*  | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest

 

 

Problem:

sourcetype contains two sourcetypes: EDR:Security EDS:Assets

In Security I have fields ip, cvs, warning
In Assets I have fields ipaddress, operating_system, ID

I use syntax above and I am happy as I see results from both sourcetypes. 
Now I need to see only results that have cvs above 7. 

The problem is that whenever I user cvs>7 or  | search cvs>7 or |where cvs>7 I can see results from EDR:Security (so from sourcetype that I am looking for condition csv>7). 

How can I see still results from both sourcetypes but only from hosts which have cvs score above 7?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Icecream123
Explorer
‎04-04-2023 02:05 AM

Hi,

This query works for me to get all the values of more than 7. I reassign the name of "values(cvs) as cvs" before performing the where command.

index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) as sourcetype values(cvs) as cvs values(warning) as warning values(operating_system) as operating_system values(ID) as ID by dest | where cvs>7

 

These are all the values after the stats.

Icecream123_0-1680598931038.png

 

after |where >7

Icecream123_1-1680599041655.png

 

Hope this was what you were looking to do!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Icecream123
Explorer
‎04-04-2023 02:05 AM

Hi,

This query works for me to get all the values of more than 7. I reassign the name of "values(cvs) as cvs" before performing the where command.

index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) as sourcetype values(cvs) as cvs values(warning) as warning values(operating_system) as operating_system values(ID) as ID by dest | where cvs>7

 

These are all the values after the stats.

Icecream123_0-1680598931038.png

 

after |where >7

Icecream123_1-1680599041655.png

 

Hope this was what you were looking to do!

0 Karma
Reply
Solved! Jump to solution

suspense
Explorer
‎04-04-2023 02:10 AM

Oh God! Thanks! That was the case, hah. I forgot to rename them and I put where at the end (which did not work)... Stupid mistake. Thanks again.

0 Karma
Reply
Solved! Jump to solution

Icecream123
Explorer
‎04-04-2023 02:11 AM
Glad to help!
0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-04-2023 01:45 AM

Hi @suspense ,

 

I'm not sure I fully understand your request. If you want to show EDR:Security events where cvs > 7 and all EDR:Assets then you can do the following:

 

index=security ( (sourcetype=EDR:Security cvs>7) OR sourcetype=EDR:Assets )
0 Karma
Reply
Solved! Jump to solution

suspense
Explorer
‎04-04-2023 01:24 AM

I tried:
((sourcetype=EDR:* AND cvs>7) OR sourcetype=EDR:*). But Even If I change cvs>100 I still get results with everything (all cvs, no matter what number it is... even if it is empty)

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 01:42 AM

Try something like this

index=security (sourcetype=EDR:Security AND cvs>7) OR sourcetype=EDR:Assets
| eval dest=coalesce(ip,ipaddress)
| stats values(ip) as ip values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest 
| where isnotnull(ip)
0 Karma
Reply
Solved! Jump to solution

suspense
Explorer
‎04-04-2023 02:06 AM

This is exactly what I tried but I need to see only events where cvs>7 and in the same row, in the same table I need to see data from the other sourcetype (operating_system, etc.). 

I will make visualization. 

My search without conditions:

index=security sourcetype=EDR:*  | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest

suspense_0-1680599076633.png

Search with OR conditions:

index=security ( (sourcetype=EDR:Security cvs>7) OR sourcetype=EDR:Assets )
suspense_1-1680599155217.png

 

As you can see if condition is met, I get results from one sourcetype only. If conditions are not met, I get all results i one row. I need to have it all - cvs>7, operating_system, ID, etc. in one row.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...