Hi, I am going crazy with a simple JOIN statement to use Tenable data in Splunk.
The goal is to enrich the KV store collection for Tenable.sc asset data with the baseScore of a vulnerability. That information is in raw events in a dedicated sourcetype.
This query gets a list of plugin_id values with the baseScore:
index=nessus sourcetype="tenable:sc:plugin"
| rename id as plugin_id
| table plugin_id baseScore
This query gets some fields from that Tenable KV store:
| inputlookup sc_vuln_data_lookup
| fields dns_name, first_found, last_found, plugin_id, state
When I try to do a join, I simply get no results at all.
| inputlookup sc_vuln_data_lookup
| fields dns_name, first_found, last_found, plugin_id, state
| join plugin_id
[ search index=nessus sourcetype="tenable:sc:plugin"
| rename id as plugin_id
| table plugin_id baseScore]
I guess it is something simple I am missing, but I am not able to see it.
Could anyone point me to the mistake?
Many thanks
Please check each query's results.
Are both plugin_id fields completely the same?
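The reply above suggests comparing the plugin_id values on both sides. The SPL below is an added example (not from the original post or from the Tenable app) that does that comparison and the enrichment in one search, without join: both sides are tagged with a constructed src field, appended, and the key is normalised with tostring(trim()) so a value stored as a number on one side and as a string with stray whitespace on the other still groups together. It assumes the same lookup name (sc_vuln_data_lookup), sourcetype and field names as the post; the src and matched field names are my own.

```spl
| inputlookup sc_vuln_data_lookup
| fields dns_name, first_found, last_found, plugin_id, state
| eval src="kvstore"
| append
    [ search index=nessus sourcetype="tenable:sc:plugin"
      | rename id AS plugin_id
      | fields plugin_id baseScore
      | eval src="plugin" ]
| eval plugin_id=tostring(trim(plugin_id))
| eventstats values(baseScore) AS baseScore, dc(src) AS src_count BY plugin_id
| search src="kvstore"
| eval matched=if(src_count==2, "yes", "no")
| fields dns_name, first_found, last_found, plugin_id, state, baseScore, matched
```

Rows with matched="no" are KV store records whose plugin_id never appeared in the tenable:sc:plugin events for the chosen time range; appending | stats count BY matched gives the overall ratio at a glance. If every row is "no" even after normalisation, the two key fields really are different (for example the raw events carry a different id than the KV store), which is exactly what the join would silently hide by returning nothing. Note that the subsearch inside append is still subject to Splunk's subsearch result limits, so a very large plugin set needs a wider limit or a lookup-based enrichment instead.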