I have a saved search which runs every month and looks at my vulnerability events and outputs the results into a lookup table. I am deduping the "Plugin ID" value so that I am only getting unique vulnerabilities in my lookup table. I have also added 3 extra columns to the lookup table, but the search results from the saved search will not have these columns. I'm struggling with how to retain the values of those columns while still appending new results to the table. The search below that I have tried is retaining the extra columns, but it is duplicating the results each time the search is run. I've tried not using append=t with outputlookup, but that just replaces my whole lookup table and deletes the extra columns that I need in there. Is there any other way that I can use outputlookup and retain the extra columns while still deduping the Plugin ID? Thank you!

| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts" | eval Severity=lower(Severity) | sort num(Severity), -num("Total Hosts")
| inputlookup Vulnerabilities append=t
| dedup "Plugin ID"
| outputlookup Vulnerabilities append=t
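One way to keep the hand-maintained columns without growing the file on every run, as an added example that is not part of the original post: the three extra columns are assumed here to be called Owner, Ticket and Notes (placeholder names, since the post does not give them), `<base search>` stands for the saved search's own event search, and a "Last Seen" date column is an added assumption that makes stale rows visible. The fresh rows are enriched with the current manual values via `lookup`, the existing table is appended so plugin IDs missing from this month's scan survive, `dedup` keeps the first row per ID (the fresh one, which now carries the manual values), and `outputlookup` runs without append=t so the file is rewritten rather than appended to.

```spl
<base search>
| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags",
        values(plugin.name) as "Plugin Name",
        values(plugin_publication_date) as "Plugin Publication Date",
        count as "Total Hosts" by plugin_id
| rename plugin_id as "Plugin ID"
| eval Severity=lower(Severity)
| eval "Last Seen"=strftime(now(), "%Y-%m-%d")
| lookup Vulnerabilities "Plugin ID" OUTPUT Owner Ticket Notes
| inputlookup Vulnerabilities append=t
| dedup "Plugin ID"
| sort num(Severity), -num("Total Hosts")
| outputlookup Vulnerabilities
```

Because the rewrite is complete rather than incremental, a plugin ID that no longer appears in the scan is still carried over from the old table with its last "Total Hosts" value, which is why the "Last Seen" column is useful: it lets you filter or age out findings that have not been observed for several runs instead of treating them as current. The `lookup` step is the part that prevents the duplication the post describes: the fresh row already holds Owner, Ticket and Notes, so `dedup` can safely discard the older copy.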