Hello again! I'm working with two different sources of data both tracking the same thing but coming from different sources. I need to consolidate them into one single Splunk search, so I decided to turn one of the two sources of data into a lookup table for the other. Right now the lookup table I'm using has 3 Fields in it: HostName, Domain, and Tanium. What I'd like to do is load the 3 fields from this Lookup into my Splunk Search so that: 1) the HostName field from the lookup is merged with the HostName field in the search, with unique HostName values from the search and the lookup both available in the final output, but also that if there's duplicate values for HostName, they're merged together. 2) The Domain and Tanium values from the Lookup are loaded into their corresponding entries in the final output. Is this possible? I believe it should be if I use the command: | lookup WinrarTaniumLookup.csv HostName OUTPUT Tanium Domain But when I put in that command it doesn't appear to be adding any unique HostName values from the Lookup, just merging the HostName values that both the lookup and the search share.  What am I doing wrong here? ... View more

Hello! I'm working on a Rex Expression for my job, and wanted to ask for some assistance in developing it. I'm supposed to make a rex expression to pull out the "Fixed version" of a piece of software out of a field called "pluginText". Right now the problem is the Rex expression I've made only works half the time. My Rex expression is currently:  | rex field=pluginText max_match=0 "\s+Fixed version\s+:\s+(?<FixedVersion>.+)"\n Here are some relevant examples of the sorts of data I'm working with: <plugin_output>    Path        : C:\Program Files\VMware\VMware Tools\VMware VGAuth\libssl-3-x64.dll    Reported version : 3.0.3.0    Fixed version : 3.0.4</plugin_output> and <plugin_output>    Path : C:\myPrograms\cygwin64\bin\openssl.exe    Reported version : 1.1.1.4    Fixed version : 1.1.1p   Path : C:\myPrograms\Git\usr\bin\openssl.exe   Reported version : 1.1.1.9   Fixed version : 1.1.1p   Path : C:\myPrograms\Git\mingw64\bin\openssl.exe   Reported version : 1.1.1.9   Fixed version : 1.1.1p </plugin_output> The Rex expression I made works perfectly on the second example I've provided, but not the first. I'm guessing it's due to the </plugin_output> on it. Any advice for how I can tweak it to work for both sorts of data? Attached is a visual aid of the first example, for clarity. Thank you in advance! ... View more

Hello! I've got a search that I'm working on. I've been asked to integrate the results of a lookup table into that search. The major problem is that the lookup file's data, while it shares common fields with the Splunk search, doesn't have the same dataset. The search and the lookup identify two different set of results. Is there a way to simply add all the data in the lookup to the Splunk search so that when I run the search I see both data sets? ... View more

So I've recently got into a new job, where I'm learning Splunk and learning how to support splunk searches and dashboards left behind by someone else.  I'm currently trying to go through a lot of the previous worker's searches, and I'm trying to understand how they all work. Right now I'm looking at a search that is part of a larger dashboard, and whenever I want to run this bit as an individual search, it's giving me the error "Error in 'EvalCommand': The expression is malformed. Expected )." The search itself is: index=vuln_vulnscan sourcetype=tenable:sc:vuln severity.id&gt;=2 OR pluginID="19506" earliest=-12d latest=now() [ search index=inventory_snow ((sourcetype=snow:cmdb_ci_network_adapter AND ("ip_address\"\: \"56." OR "ip_address\"\: \"170.214")) OR (sourcetype=snow:cmdb_ci_computer) OR (sourcetype="snow:cmdb_ci_server")) dv_u_eir="*$eir$*" dv_u_environment="$eir_env$" earliest=-2d latest=now() | fields dv_name | stats latest(*) as * by dv_name | lookup dnslookup clienthost as dv_name OUTPUT clientip as ip | table ip] | fields pluginID dnsName ip port severity.name pluginName synopsis solution firstSeen lastSeen severity.id patchPubDate pluginText | stats latest(*) as * by ip, pluginID, port | eval patchAvailable="No Patch Available/Requires Manual Fix" | eval patchAvailable=if(((patchPubDate&gt;relative_time(now(),"-30d"))),"0d-30d",patchAvailable) | eval patchAvailable=if(((patchPubDate&lt;relative_time(now(),"-30d")) AND (patchPubDate&gt;relative_time(now(),"-60d"))),"30d-60d",patchAvailable) | eval patchAvailable=if(((patchPubDate&lt;relative_time(now(),"-60d")) AND (patchPubDate&gt;relative_time(now(),"-90d"))),"60d-90d",patchAvailable) | eval patchAvailable=if((patchPubDate&lt;relative_time(now(),"-90d") AND (patchPubDate&gt;relative_time(now(),"-180d"))), "90d-180d",patchAvailable) | eval patchAvailable=if((patchPubDate&lt;relative_time(now(),"-180d") AND (patchPubDate&gt;relative_time(now(),"-365d"))), "180d-365d", patchAvailable) | eval patchAvailable=if((patchPubDate&lt;relative_time(now(),"-365d") AND (patchPubDate&gt;0)), "365d+", patchAvailable) I understand most of this search, but I don't understand why Splunk would be giving this error. I've went over it with a finetoothed comb and I couldn't find any missing ")" symbols anywhere. There's no eval in the subsearch, and all the eval commands I see have the proper grammar for the program. Is it something to do with the fact that I copied this out of a larger dashboard? ... View more