Splunk Search

show only infected with vulnerability on 1 machine

xavierpaul
New Member

hi,

I am a newbie in splunk

I have this one use case I am trying. search for a machine that have malware infection AND it has a vulnerability. anyone can give me pointers the best search to do it?

(sourcetype="vulnscan" severity=critical) OR sourcetype="avscan" | table av_threatname severity hostname | eval infectedandvulnerable=coalesce(av_threatname,severity)

Tags (1)
0 Karma

DMohn
Motivator

You have to use two searches and join the results of them.

Assuming your individual sourcetypes have the hostname field in common (you have to have one common field in both searches, otherwise you will have to evalthem to be identical) you may use this search:

 sourcetype=vulnscan severity=critical | table hostname | join hostname [search sourcetype=avscan] 

For more info on the join command, check => http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...