Splunk Search

Join field form inputlookup failed

jacortijo
Explorer

Hi, I am getting crazy with a simply JOIN statement to use Tenable data in Splunk.

The goal is to enrich the KV store collection for Tenable.sc asset data with the baseScore of a vulnerability. that information is raw events in a dedicate sourcetype

this query gets a list of plugin_id with the baseScore

 

 

index=nessus sourcetype="tenable:sc:plugin" 
| rename id as plugin_id 
| table plugin_id baseScore

 

 

this query gets a some fields from that tenable KV store

 

 

| inputlookup sc_vuln_data_lookup 
| fields dns_name, first_found, last_found, plugin_id,state 

 

 

When I try to do a join, I simple get no results at all.

 

 

| inputlookup sc_vuln_data_lookup 
| fields dns_name, first_found, last_found, plugin_id,state 
| join plugin_id 
    [ search index=nessus sourcetype="tenable:sc:plugin" 
    | rename id as plugin_id 
    | table plugin_id baseScore]

 

 

I guess it is something simple I am missing but I am not capable to see it.

could anyone point me to the mistake?

many thanks

Labels (1)
0 Karma

to4kawa
Ultra Champion

please check each queries results.
Are there any both plugin_id fields same completely?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...