Thank you, at least I was heading in the right direction. I did make similar changes as with the data model and added index and eventtype, as suggested, to narrow down the data I would be working with.
index=nexpose eventtype=r7vulnerabilitydata| inputlookup append=T vuln_signature_reference
There is data according to this search which I would expect to now be appended to the vuln_signature_reference2.csv according to the transforms.conf but there is no data written to the file.
transforms.conf
[vuln_signature_reference]
filename = vuln_signature_reference2.csv
Perhaps my understanding of the macros.conf and transforms.conf, in this case, needs to be corrected?
macros.conf
Vulnerability Signature Reference
[get_vuln_signature_reference]
definition = lookup local=true vuln_signature_reference signature OUTPUTNEW cve,bugtraq,cert,msft,mskb,xref | makemv(cve) | makemv(bugtraq) | makemv(cert) | makemv(msft) | makemv(mskb) | makemv(xref) | fillnull value="" cve,bugtraq,cert,msft,mskb,xref
[vuln_signature_reference]
definition = inputlookup append=T vuln_signature_reference
Thanks again.
... View more