Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare these two CSV files?

Rithekakan
Path Finder
‎02-10-2022 08:52 AM

I have reports Quarter1.csv and Quarter2.csv.
after I upload these two  csv report I got 

host="***" source="****"  sourcetype="***" and those fields  IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin.

I want 3 reports base on joining  with these 6 files: 

IP_Address, Plugin_Name, Severity, Protocol, Port, Exploit,
| table IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin, status

First report: - if the event are in  Quarter1.csv and Quarter2.csv. show status as "Active Vulnerability"

Second report:- if the event are in  Quarter1.csv but not in Quarter2.csv. show status as "Fixed"

Third​ report:- if the event are  not in  Quarter1.csv but there are   in Quarter2.csv. show status as "New Active Vulnerability"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-10-2022 07:22 PM

I assume that you ingested these files as events, not upload as CSV lookups, i.e., respective contents can be accessed with source=Quarter1.csv and source=Quarter2.csv.  You can do something like

| fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin source
| stats values(*) as * by Plugin,IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Active Vulnerability", source=="Quarter1.csv","Fixed", true(), "New Active Vulnerability")

  

View solution in original post

Reply
Solved! Jump to solution

Rithekakan
Path Finder
‎02-19-2022 08:51 PM

Hi PickleRick, Thanks for your query, It help me for my report, but something is missing.

I want a report with these fields.
| table IP_Address, device, Plugin_Name, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE,Plugin

with join only 6 fields in the | stats sum " IP_Address,Plugin_Name,Plugin,Severity,Protocol,Port. "

| stats sum(picker) as.....


How eve if I add all 13 fields in the | stats sum(picker)as ..........It provide the uncorrected report becuse of some fields have duplicate data.
Note: There are two even (device and model) are lookup from other Inventory CSV file.

Could you pls help with this reequipment? I will be appreciate for your help.

Regards,
Ritheka Kan 

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-10-2022 07:22 PM

I assume that you ingested these files as events, not upload as CSV lookups, i.e., respective contents can be accessed with source=Quarter1.csv and source=Quarter2.csv.  You can do something like

| fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin source
| stats values(*) as * by Plugin,IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Active Vulnerability", source=="Quarter1.csv","Fixed", true(), "New Active Vulnerability")

  

Reply
Solved! Jump to solution

Rithekakan
Path Finder
‎02-11-2022 03:21 PM

Hi yuanliu , I appreciate your helpful Splunk query. It is 100% correct and fit my query. Thanks for your help.

Regards,

Rithekakan

Reply
Solved! Jump to solution

Rithekakan
Path Finder
‎02-19-2022 09:09 PM

Hi yuanliu , I 've reply to accept your query in the previous time. It is 100% correct.
How ever the management needs two more fields (device, model) which it is lookup from the CVS inventory file.
and the report is something look like this.
| table IP_Address, device, Plugin_Name, Plugin, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, 

Could you pls help me  edit your query you've provided to  make it work with the lookup CSV file.

I have this lookup fils.
| lookup ABLNInventory.csv ip_address as IP_Address output device, model
| table IP_Address, device, Plugin_Name, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, Plugin

I will appreciate for your help.
Best regards,
Ritheka Kan

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-20-2022 12:12 AM

The way I see it, device and model are not used as criteria.  So, simply add it.

| fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin source
| stats values(*) as * by Plugin,IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Active Vulnerability", source=="Quarter1.csv","Fixed", true(), "New Active Vulnerability")
| lookup ABLNInventory.csv ip_address as IP_Address output device, model

After this, you can arrange the table however you like. 

Reply
Solved! Jump to solution

Rithekakan
Path Finder
‎02-21-2022 07:17 AM

Hi yuanliu,

I got it now. Thanks for your solution.

Regards,

Ritheka Kan

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎02-10-2022 11:25 PM

With two data sets to compare I prefer the "summing" approach.

sourcetype=A OR sourcetype=B
| eval picker=if(sourcetype="A",1,2)
| stats sum(picker) as picker by whatever fields you need
| eval status=case(picker=1,"only A",picker=2,"only B",picker=3,"both",1=1,"something wrong")

Yes, I know OP wanted three separate reports, but that's the general approach.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...