Splunk Search

Join field form inputlookup failed

jacortijo
Explorer

Hi, I am getting crazy with a simply JOIN statement to use Tenable data in Splunk.

The goal is to enrich the KV store collection for Tenable.sc asset data with the baseScore of a vulnerability. that information is raw events in a dedicate sourcetype

this query gets a list of plugin_id with the baseScore

 

 

index=nessus sourcetype="tenable:sc:plugin" 
| rename id as plugin_id 
| table plugin_id baseScore

 

 

this query gets a some fields from that tenable KV store

 

 

| inputlookup sc_vuln_data_lookup 
| fields dns_name, first_found, last_found, plugin_id,state 

 

 

When I try to do a join, I simple get no results at all.

 

 

| inputlookup sc_vuln_data_lookup 
| fields dns_name, first_found, last_found, plugin_id,state 
| join plugin_id 
    [ search index=nessus sourcetype="tenable:sc:plugin" 
    | rename id as plugin_id 
    | table plugin_id baseScore]

 

 

I guess it is something simple I am missing but I am not capable to see it.

could anyone point me to the mistake?

many thanks

Labels (1)
0 Karma

to4kawa
Ultra Champion

please check each queries results.
Are there any both plugin_id fields same completely?

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...