How to use search results from one sourcetype search to be included in a second search?

bewald_cfi
New Member

Good day,
My first search pulls servername and owner from a sourcetype (database). I then need to take the servername and owner and match that info with the results from a CVE vulnerability search, having the servername as the constant in both searches. I have attempted append, join, and subsearch. I can get results, but the owner will not match up with the Host and extracted_Host in a one-to-one relationship.

Search #1

sourcetype=DB ADM
| dedup host_name
| rex  field=host_name "(?(\w+\-\w+))" 
| stats values(Host) as Host by owner
| where Host != " " 

Search #2

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=_time 
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"

When I do a join this gives me the owner column, but the two Host and extracted_Host columns do not tie together.
Thank you


bewald_cfi
New Member

Somesoni2 - thank you for your help and time. The two sourcetypes do not have an exact value match for everything considered a host, but some are. One sourcetype uses a database, compiled by data sent from a local agent that lives on each server, the other sourcetype uses data received from a Nessus scan. I hope this answers your question. Thanks again!


somesoni2
Revered Legend

Give this a try

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical) [search  sourcetype=DB ADM | dedup host_name | rex  field=host_name "(?(\w+\-\w+))" | stats count by owner Host| where Host != " " | table owner Host | rename Host as extracted_Host owner as Name ]
 | eval Time=_time 
 | dedup Solution
 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
 | table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"

bewald_cfi
New Member

Unfortunately, the search returns with "No results found".

For

|rex field=host_name "(?(\w+-\w+))

I had to add

"(?(\w+-\w+))"

because it initially gave the error "Regex: unmatched parentheses".


somesoni2
Revered Legend

When you post code or a query, select the whole query and click the "101010" button or press Ctrl+K to format it. You can see that the rex was truncated in the question.

The query assumes that the fields Host and owner from sourcetype=DB ADM are mapped (exact value match) to the fields extracted_Host and Name from sourcetype="CVE" host="VulScanner". Is that a correct assumption?

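The thread stalls on exactly the point somesoni2 raises: the subsearch only works when the host value in the database sourcetype and extracted_Host in the scanner sourcetype are an exact match, and the poster says they are not always. The query below is an added example (not the original poster's search and not somesoni2's answer) that avoids join and subsearch altogether. It pulls both sourcetypes in one search, builds a normalized host key on each side (lowercased, trimmed, domain suffix dropped), carries the owner from the database events onto the CVE events with eventstats, and then keeps only the CVE rows. It assumes the sourcetype is literally "DB ADM" (quoted here, which the original unquoted form would not parse as), that the field names host_name, owner, extracted_Host, Risk, Name, CVE, Solution and "See Also" exist as shown in the thread, and that the two systems disagree only in case or in the presence of a domain suffix; if the agent and Nessus disagree in other ways, the normalization rex is the line to adjust.

```spl
(sourcetype="DB ADM") OR (sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical))
| eval host_key=coalesce(host_name, extracted_Host)
| eval host_key=lower(trim(host_key))
| rex field=host_key "^(?<host_key>[^.]+)"
| eventstats values(owner) as owner by host_key
| search sourcetype="CVE"
| fillnull value="unknown" owner
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| dedup host_key Solution
| table Time, host_key, extracted_Host, owner, Risk, Name, CVE, Solution, "See Also"
```

Two details are deliberate. The original searches run `dedup Solution` before the table, which keeps one event per remediation across the whole scan and silently drops every other host that needs the same fix; deduplicating by `host_key Solution` keeps one row per host per remediation, which is what an owner assignment needs. Second, `fillnull` keeps scanner hosts that have no database record as owner "unknown" rather than dropping them, so the gap in asset inventory is visible in the same report instead of disappearing. If the database side is large or changes slowly, the same host_key and owner pair can be written with `outputlookup` on a schedule and attached to the CVE search with `lookup` instead of re-reading the database sourcetype on every run.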