How to write a search to extract the host and host...

tmaltizo · ‎02-17-2016

I need to search on hosts from two different sourcetypes where they both have a "description" field but the value sets are different depending on the sourcetype.

Sourcetype 1 (fs_av_compliance)
hostname
description (ie, Workstation Symantec AV Running, Server Symantec AV running, etc.)

Sourcetype 2 (fs_DLP_compliance)
hostname
description (ie, DLP Not installed, Symantec DLP installed and running, etc.)

I need to grab the hostname from Sourcetype 2 (fs_DLP_compliance) and where it exists in Sourcetype 1 (fs_av_compliance), I need to pull the description.

In the end I need something like the following:
hostname (from both sourcetypes); description (sourcetype 1)
ABCDEFG1234; Workstation Symantec AV Running

Any assistance with the most efficient search is appreciated!

somesoni2 · ‎02-17-2016

Try something like this

(sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) | fields hostname description | chart values(description) over hostname by sourcetype | table hostname fs_DLP_compliance | rename fs_DLP_compliance as description

Update#1
Alternatively, try this (using hostname from sourcetype=fs_av_compliance as filter for sourcetype=fs_DLP_compliance so that only matching hostnames are selected)

sourcetype=fs_DLP_compliance [search sourcetype=fs_av_compliance | stats count by hostname | table hostname ] | table hostname description

Update#2

Try this

(sourcetype=fs_av_compliance) OR (sourcetype=fs_DLP_compliance) | fields hostname description | chart values(description) over hostname by sourcetype | table hostname fs_av_compliance fs_DLP_compliance | where isnotnull(fs_av_compliance) AND isnotnull(fs_DLP_compliance)

THis will give you description from both the sourcetypes in the column with same name as sourcetypes. You can rename it as per you need.

tmaltizo · ‎02-17-2016

Hi @somesoni2

When I run the table command "table hostname fs_DLP_compliance" nothing is returned for fs_DLP_compliance. I'm not sure what is expected....just those values for that particular sourcetype?

If it helps, after the chart command, I get the following result:

hostname; NULL
ABCDEFG1234;

tmaltizo · ‎02-17-2016

Sorry...this is the result I get after the chart command....

hostname; NULL
ABCDEFG1234;
Symantec DLP installed and running
Workstation Symantec AV Running, But Defs older than 3 weeks

somesoni2 · ‎02-17-2016

Can you provide your full search? After chart command (ignore table and rename), your should get a column for hostname and two column one for each sourcetype mentioned in the base search. Just want to ensure that the sourcetype name doesn't contain any special chart which we need to take care in subsequent commands.

tmaltizo · ‎05-04-2016

Sorry for the delay in responding....getting back to this again.

After the chart command, I do get the host name and one or more values for the description (heading label is "NULL").

hostname
ABCDEFG1234

NULL (which is the description values pulled from each sourcetype)
Symantec DLP installed and running (which is coming from the fs_DLP_compliance sourcetype)
Workstation Symantec AV Running, But Defs older than 3 weeks (from the fs_AV_compliance sourcetype)

I'm not able to copy a screenshot of it here for visual, so hope that helps.

How can I table it so that it's clear which sourcetype the description is from? My goal is to pull all the possible description values, for the matching host, from the fs_AV_compliance sourcetype.

Thanks for your help!

How to write a search to extract the host and host type from two different sourcetypes in Forescout?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!