Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Several searches on one table

rachelei
Loves-to-Learn Lots
‎06-21-2021 01:58 AM

I'm trying to take the results of 2 different searches in the same index and display them on one table, I tried to use with the 'append' function to combine two searches, but the search takes a long time, do you have another solution?
Any help on this would be appreciated.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-06-2021 12:14 AM

@rachelei 

sample _raw from base search of both searches. Screenshot will not help us to reproduce the issue.

_raw means this. just use </> from toolbar to keep it clear.

{"body":{"records": {"time": "2020-12-20T13:28:50.2164144Z","MachineGroup": "Windows 10", "Timestamp": "2020-12-20T13:27:18.6679858Z", "DeviceName": "3242d4e4.dc.democorp.com", "ReportId": 306737}}}

 

2-3 events from each base search will help to revert you back.

KV

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎07-11-2021 06:00 AM

Please refer to the raw examples below, I hope this is what you meant:


Query #1:

  • _raw = "","","public_ip","owner","os","os_version ","","False","True","False","","","","","","","","","","","","","443###1720###5060","","date","vulnerable","finding_date","type","","False","0","0","2019-04-25 00:00:00","2007-08-03 00:00:00","823.15","severity ","vulnerability_score","vulnerability_ description ","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""
  • _raw = "","host"," public_ip "," owner ","","","","","","cve","cvss","cve_status","443###1720###5060","","date","status","finding date","type”,False###False###False###False###False###False","0###0###0###0###0###0","0###0###0###0###0###0","2019-04-25 00:00:00","822.77###536.03###447.98###182.94###483.61###456.55","severity","vulnerability_score ","vulnerability_description","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""

Query #2:

  • _raw = "public_ip ","","","","","","","True","False","False","zone","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","domain","TCP","2021-03-21 21:39:59","B","domain","","date","vulnerability","","vulnerability_description","severity"
  • _raw = "public_ip ","","","","","os","","","","","zone","443","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","domain","TCP###TCP###TCP","date”,C###C###C","domain","######","2021-05-29 12:00:00###2021-05-29 12:00:00###2021-05-29 12:00:00","vulnerability","######","vulnerability_description","severity"

Thanks!

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-21-2021 02:00 AM

can you pls share your sample searches?

 

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎06-22-2021 12:39 AM

These are the queries:

Query 1:
...
| eval op=mvzip(mvzip(mvzip(open_port, nexpose_port,"###"),shodan_port, "###"), digital_shadows_port, "###")
| eval Severity=mvzip(mvzip(mvzip(mvzip(nexpose_severity , panorays_severity ,"###"),shodan_severity, "###"),digital_shadows_info_severity,"###"),digital_shadows_sock_severity,"###")
| eval vulns=mvzip(mvzip(mvzip(mvzip(nexpose, Panorays, "###"),Shodan,"###"),Digital_Shadows_info,"###"),Digital_Shadows_sock,"###")
| eval Status=mvzip(mvzip(mvzip(mvzip(nexpose_severity , panorays_status ,"###"),shodan_severity, "###"),digital_shadows_info_severity,"###"),digital_shadows_sock_severity,"###")
| fillnull Status Severity vulns op value=""

| makemv vulns delim="###"
| makemv Severity delim="###"
| makemv Status delim="###"
| eval field3=mvzip(mvzip(vulns,Severity, "@@@"), Status, "@@@")
| makemv op delim="###"
| eval op=mvdedup(op)
| eval field3=mvappend(field3,op)

| eval "Finding Date"=_time
| fillnull value="Unknown" field3 Public_IP "Asset Name" Organization Source "Finding Date" Panorays Shodan nexpose Digital_Shadows_info Digital_Shadows_sock Owner OS "Full OS String"
| stats min("Finding Date") as "Finding Date" by field3 Public_IP "Asset Name" Organization Source Panorays Shodan nexpose Digital_Shadows_info Digital_Shadows_sock Owner OS "Full OS String"
| fields - count
| rex field=field3 "(?<vuln>[^\r]+)\@@@(?<Sev>[^\,]+)\@@@(?<status>[^\,]+)"
| eval vuln=if(isnull(vuln),'field3','vuln')
| eval Sev=case(Sev="" OR isnull(Sev), "HIGH", true(), 'Sev')
.....
| rename Sev as Severity vuln as "Vulnerability Description"
| dedup "Asset Name" "Public_IP" "Vulnerability Description"
| convert ctime("Finding Date") as "Finding Date" timeformat="%m/%d/%Y"
| table Public_IP "Asset Name" "Full OS String" Organization "Vulnerability Type" "Vulnerability Description" Severity Source "Finding Date"

Query 2:

....
| eval Public_IP=coalesce('Public IP', 'Public_IP')
| eval Owner=coalesce('Owner', 'Confirmed Owner')
| eval "Asset Name"=coalesce(coalesce('Asset_name', 'Host_Name') , 'Domain Name')
| eval "Asset Name"=if('Asset Name'="", "None", 'Asset Name')
| eval Status=if(isnull('Status'), "Not Communicated Yet", 'Status')

| eval op=mvzip(mvzip(mvzip(open_port, nexpose_port,"###"),shodan_port, "###"), digital_shadows_port, "###")
| eval Severity=mvzip(mvzip(mvzip(mvzip(nexpose_severity , panorays_severity ,"###"),shodan_severity, "###"),digital_shadows_info_severity,"###"),digital_shadows_sock_severity,"###")
| eval vulns=mvzip(mvzip(mvzip(mvzip(nexpose, Panorays, "###"),Shodan,"###"),Digital_Shadows_info,"###"),Digital_Shadows_sock,"###")
| eval status=mvzip(mvzip(mvzip(mvzip(nexpose_severity , panorays_status ,"###"),shodan_severity, "###"),digital_shadows_info_severity,"###"),digital_shadows_sock_severity,"###")
| fillnull status Severity vulns op value=""

| makemv vulns delim="###"
| makemv Severity delim="###"
| makemv status delim="###"
| eval field1=mvzip(mvzip(vulns,Severity, "@@@"), status, "@@@")

| makemv op delim="###"
| eval op=mvdedup(op)
| eval field1=mvappend(field1,op)

| eval "Finding_Date"=_time
| convert ctime("Finding_Date") as "Finding_Date" timeformat="%Y-%m-%d"
| eval "Finding Date"=if(isnull('Finding Date'), 'Finding_Date', 'Finding Date')

| fillnull value="Unknown" field1 Public_IP "Asset Name" Organization Source "Finding Date" Panorays Shodan nexpose Digital_Shadows_info Digital_Shadows_sock Owner Description extracted_Source OS Title
| stats min("Finding Date") as "Finding Date" by field3 Public_IP "Asset Name" Organization Status Source Panorays Shodan nexpose Digital_Shadows_info Digital_Shadows_sock Owner Description extracted_Source Score source OS Title
| fields - count
| eval field1=if('field1'="Unknown", 'Description','field1')
| rex field=field1 "(?<vuln>[^\r]+)\@@@(?<Sev>[^\,]+)\@@@(?<status>[^\,]+)"
| eval vuln=if(isnull(vuln),'field1','vuln')
.....
| eventstats count by "Public_IP" Organization , "Vulnerability Description" Severity
| where (count="1" OR (count>"1" AND 'Asset Name'!="None"))
| table Public_IP "Asset Name" "Full OS String" Organization "Vulnerability Type" "Vulnerability Description" Severity Source "Finding Date"

I would like to combine the results of these 2 queries into one table.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-22-2021 10:14 AM

@rachelei 

Did you tried this?

QUERY_ONE
| append [search QUERY_TWO]

 

KV 

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎06-22-2021 11:03 AM

I tried this function, but it takes a long time, do you have another option?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-22-2021 09:27 PM

Can you please share some sample _raw events from Query 1 and Query 2?

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎06-23-2021 03:34 AM

Some examples of events from Query 1:

rachelei_0-1624444466507.png

Some examples of events from Query 2:

rachelei_1-1624444479336.png

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-23-2021 03:42 AM

@rachelei 

I'm expected _raw instead table format.  It will help me to combine both search.

KV 

 

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎06-28-2021 07:06 AM

Sorry but I can't share the values with you. 
This is a an example of one raw event of query #1:  

rachelei_0-1624888719449.png

This is an example of raw event of query #2: 

rachelei_1-1624888921260.png

I hope this is what you meant. 

Thanks a lot. 

0 Karma
Reply

rachelei
Loves-to-Learn Lots
‎07-04-2021 03:39 AM

Do you have any idea?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...