Splunk Search

How to use search results from one sourcetype search to be included in a second search?

bewald_cfi
New Member

Good day,
My first search pulls servername and owner from a sourcetype (database). I then need to take the servername and owner, and match that info with the results from a CVE vulnerability search, having the servername as the constant in both searches. I have attempted append, join, and subsearch. I can get results, but the owner will not match up with the Host and extracted_Host in a one-to-one relationship.

Search #1

sourcetype=DB ADM
| dedup host_name
| rex field=host_name "(?<Host>\w+-\w+)"
| stats values(Host) as Host by owner
| where Host != " " 

Search #2

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=_time 
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"

When I do a join this gives me the owner column, but the two Host and extracted_Host columns do not tie together.
Thank you

0 Karma

bewald_cfi
New Member

Somesoni2 - thank you for your help and time. The two sourcetypes do not have an exact value match for everything considered a host, but some are. One sourcetype uses a database, compiled by data sent from a local agent that lives on each server, the other sourcetype uses data received from a Nessus scan. I hope this answers your question. Thanks again!

0 Karma

somesoni2
SplunkTrust

Give this a try

sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical) [search sourcetype=DB ADM | dedup host_name | rex field=host_name "(?<Host>\w+-\w+)" | stats count by owner Host | where Host != " " | table owner Host | rename Host as extracted_Host owner as Name ]
 | eval Time=_time 
 | dedup Solution
 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time) 
 | table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"
0 Karma
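An alternative way to attach the owner from the DB ADM events to each scanner finding, added here as an example and not part of the answer above or of either poster's searches. The subsearch form above requires an exact value match on extracted_Host, and it renames owner to Name, which in the CVE events is already the plugin name shown in the table. This version instead builds a normalized host key on both sides (lowercased, domain suffix stripped, so "web-01" and "WEB-01.corp.example" both become "web-01"), appends the DB ADM rows, and uses eventstats to copy the owner onto every finding for that key while keeping one row per finding. The field names extracted_Host, host_name, owner, Risk, Name, CVE, Solution and "See Also" come from the thread; the regex used to strip a domain suffix and the host_key field name are assumptions for this example.

```spl
sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval host_key=lower(replace(extracted_Host, "\..*$", ""))
| table host_key, Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"
| append
    [ search sourcetype=DB ADM
      | dedup host_name
      | rex field=host_name "(?<Host>\w+-\w+)"
      | eval host_key=lower(replace(Host, "\..*$", ""))
      | where isnotnull(host_key) AND host_key != ""
      | table host_key, owner ]
| eventstats values(owner) as owner by host_key
| where isnotnull(CVE)
| table Time, extracted_Host, owner, Risk, Name, CVE, Solution, "See Also"
| sort - Risk, extracted_Host
```

The `dedup Solution` from the original searches is deliberately left out, because it keeps only the first host per remediation and would drop the other hosts that share the same fix; dedup on the combination of extracted_Host and CVE instead if duplicate scan rows are a problem. Findings whose host never appears in DB ADM come through with an empty owner, which is useful on its own as a list of scanned hosts with no registered agent or owner. The append is still subject to the subsearch result limit, so for a large asset inventory a lookup table keyed on host_key is the more robust choice.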

bewald_cfi
New Member

Unfortunately, the search returns with "No results found".

For
|rex field=host_name "(?(\w+-\w+))
I had to add
"(?(\w+-\w+))"
because it initially gave error = Regex: unmatched parentheses

0 Karma

somesoni2
SplunkTrust
SplunkTrust

When you post code/query, select whole query and click on "101010" button or Ctrl+K to format. You can see that rex was truncated in the question.

The query assumes that field Host and owner from sourcetype=DB ADM are mapped (exact value match) to the field extracted_Host and Name from sourcetype="CVE" host="VulScanner". Is that correct assumption?

0 Karma