How to compare single value field from index 1 wit...

Navanitha · ‎08-30-2019

Hi,

I am trying to correlate two security indexes and display the output. Index 1 has a CVE_Id and index 2 also has "cve" id but it has multiple values in the same event which are comma separated. Can someone help me write a search query to join these two indexes with CVE as common field. for ex: index 1 has CVE_ID="xyz" and index 2 has cve=xyz, abc, efg, jkl. making cve as common field I want to compare these two indexes and display fields CVE, signature, title.

Thank you

mayurr98 · ‎08-30-2019

Try this :

index=index1 OR index=index2 
| makemv cve delim="," 
| mvexpand cve 
| eval CVE=coalesce(CVE_ID,cve) 
| stats values(title) as Title values(signature) as Signature by CVE

solarboyz1 · ‎08-30-2019

How about the following:

   (index=1 OR index=2) 
  | eval cve=if(isnotnull(cve), cve, CVE_ID)
  | mvexpand cve
  | stats values(title), values(signature) by cve

Sukisen1981 · ‎08-30-2019

something like this:

(index=1 OR index=2)|stats values(cve_id) as cve_id by index | mvexpand cve_id|eventstats count as count_cve by cve_id|where count_cve>1

assumption - cve_id name is common in both indexes, if not rename in one index and make it common

How to compare single value field from index 1 with that of multivalue field in index 2 and display the results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms