Splunk Search

Using join to show fields for two sourcetypes in one table, why are some fields empty?

mdorobek
Path Finder

Hi,

I need to show fields for two sourcetypes in one table. Those two sourcetypes have the same ID field: "plugin_id" and "id". For this reason, I tried to join them with the following search:

... | rename plugin_id as id
| table id, host-fqdn, hostname, severity
| join id type=left [search index=nessus sourcetype="nessus:plugin" | table id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor]
| table host-fqdn, hostname, severity, id, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor

The failure is that some fields in the table are just empty.

1 Solution

rschoensee
Explorer

To better understand this particular question, it is important to reflect on the intended usage of TA-Nessus.

The sourcetype nessus:plugin is primarily used to create and maintain several lookup files with the included saved searches. Those searches are not scheduled by default and can be run manually or scheduled as needed.

All requested fields are automatically enriched via lookups to nessus:scan events, if the lookup files are created or maintained.

So my answer to this question is to run and/or schedule the included saved searches of TA-Nessus, and all needed fields will be accessible for nessus:scan events without further searches using join.
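The accepted answer describes the mechanism but not the searches. As an added illustration, not the TA-Nessus saved searches themselves and not part of the original thread, the pair below shows the same pattern in hand-rolled form: the first search collapses nessus:plugin events into a lookup file, the second enriches nessus:scan events from it. The lookup file name nessus_plugin_enrichment.csv is a placeholder, the field names are those from the question, and it is assumed (as the question's rename implies) that scan events carry plugin_id while plugin events carry id.

```spl
index=nessus sourcetype="nessus:plugin"
| dedup id
| table id, plugin_name, family_name, risk_factor, cvss_base_score, description, exploit_available, exploitability_ease
| outputlookup nessus_plugin_enrichment.csv

index=nessus sourcetype="nessus:scan"
| lookup nessus_plugin_enrichment.csv id AS plugin_id OUTPUTNEW plugin_name, family_name, risk_factor, cvss_base_score, description, exploit_available, exploitability_ease
| table host-fqdn, hostname, severity, plugin_id, plugin_name, family_name, risk_factor, cvss_base_score, description, exploit_available, exploitability_ease
```

Because the lookup is keyed on the plugin id, every scan row keeps its own host-fqdn, hostname and severity and simply gains the plugin metadata, however many hosts share a plugin. Scheduling the first search (or the app's own saved searches, as the answer suggests) keeps the file current, and a lookup avoids the subsearch limits that apply to join. Referencing the CSV by file name assumes it lives in the app's lookups directory; a lookup definition in transforms.conf can be used in its place.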

sundareshr
Legend

Try this

(index=foo sourcetype=bar) OR (index=nessus sourcetype="nessus:plugin")
| eval eid=coalesce(id, plugin_id)
| fields host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
| stats values(*) as * by host-fqdn eid
| table host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
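The stats above groups by host-fqdn as well as eid. stats discards any event that lacks one of its by fields, so if the nessus:plugin events carry no host-fqdn they never land in the same group as the scan rows, and the plugin columns come out empty. The variant below, an added example rather than sundareshr's code, keeps a single search but uses eventstats keyed on eid alone, which copies the plugin metadata onto every event sharing that id, then filters back to the scan events so one row per host and plugin remains. index=foo sourcetype=bar stands for the scan data as in the original, and the field names are those from the question.

```spl
(index=foo sourcetype=bar) OR (index=nessus sourcetype="nessus:plugin")
| eval eid=coalesce(plugin_id, id)
| eventstats values(cvss_base_score) as cvss_base_score, values(description) as description, values(exploit_available) as exploit_available, values(exploitability_ease) as exploitability_ease, values(family_name) as family_name, values(plugin_name) as plugin_name, values(risk_factor) as risk_factor by eid
| search sourcetype=bar
| table host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor
```

eventstats holds the whole result set in memory, so bound the time range or the set of plugin ids on large scans; for recurring reporting the lookup-based enrichment described in the accepted answer scales better.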

mdorobek
Path Finder

Thank you, but this doesn't work either. The fields cvss_base_score, description, exploit_available, exploitability_ease, family_name and risk_factor are still empty.

mdorobek
Path Finder

The fields are getting created and I can display those fields in the table. As soon as I use one of the fields "host-fqdn, hostname, severity, id, cvss_base_score, description or plugin_name", the fields "cvss_base_score, description, exploit_available, exploitability_ease and family_name" won't be displayed.

sundareshr
Legend

What do you get when you run this?

(index=foo sourcetype=bar) OR (index=nessus sourcetype="nessus:plugin")
| eval eid=coalesce(id, plugin_id)
| table host-fqdn, hostname, severity, eid, cvss_base_score, description, exploit_available, exploitability_ease, family_name, plugin_name, risk_factor

Raghav2384
Motivator

Try appendcols.

Example: sourcetype=abc | table x,y,z,id | appendcols [search sourcetype=def | blah blah | fields id]

Hope this helps,

Thanks,
Raghav

mdorobek
Path Finder

Thank you, but I still have got the same problem.
