Solved: Re: concatene 2 similar search

jip31 · ‎07-27-2018

hi

i try to concatene 2 similar query

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
| stats first(data) as PatchLevel by host
]


| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 

| stats first(data) as WindowsVersion by host
]

i m doing something like this but it doesnt works

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
OR
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
|stats first(data) as PatchLevel by host, first(data) as WindowsVersion by host]

somesoni2 · ‎08-02-2018

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]

View solution in original post

somesoni2 · ‎08-02-2018

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]

jip31 · ‎08-05-2018

Hi and thanks
it works for these 2 key path
BUT
I need to add o ne key and i done this
| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry
key_path="\registry\machine\software\wow6432node\xx\master\PatchLevel"
OR
key_path="\registry\machine\software\wow6432node\xx\master\WindowsVersion"
OR
key_path="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId"
| rex field=key_path "(?\w+)$" | chart first(data) by host type]

But i have no data for ReleaseID
Other questions :
what is the reason why you user "rex" and "chart"?
thanks

jip31 · ‎08-05-2018

oh i found for the 3 key 😉
so just tell me please what is the reason why you user "rex" and "chart"?
thanks

Shan · ‎07-27-2018

@jip31,

Try something like this ..

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\WindowsVersion" 
 |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data]

jip31 · ‎08-01-2018

hello
nobody for helping me please??

jip31 · ‎08-01-2018

something like this??

join type=outer host [append [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel" 
 OR   key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" 
  |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data

jip31 · ‎08-02-2018

In fact my main question is To know how to use append with a jointure field (host in my example)?

jip31 · ‎07-27-2018

it doesnt works

jip31 · ‎07-27-2018

please modify the key like in your answer :
\registry\machine\software\wow6432node\*XX*\master\PatchLevel"

concatene 2 similar search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?