Hello, I setup 2 reports to run early this AM.  Looks like both reports ran according to splunk.  The problem I have now is finding the actual .csv files on the splunk server so I can scp them. Thank... ... View more

I ave a couple of scheduled reports that I SCP off of our splunk enterprise.  Both reports are in /opt/splunk/etc/apps/search/lookups.  One of the reports I setup a while ago and it's permissions look right and I can SCP it (file1.csv).  The new report gives me a permission denied when I try to copy it (file2.csv). File 1: -rw-r-----. 1 splunk splunk 306519 Jan 26 05:00 file1.csv -rw-------. 1 splunk splunk 1177070 Jan 26 03:00 file2.csv   Not sure how to get file2.csv group readable so I can copy it off. ... View more

VERY new to splunk.  I have a query that scans a vulnerability report for critical vulnerabilities: index=vulnerability severity=critical | eval first_found=replace (first_found, "T\S+", "") | eval first_found_epoch=strptime(first_found, "%Y-%m-%d") | eval last_found=replace (last_found, "T\S+", "") | eval last_found_epoch=strptime(last_found, "%Y-%m-%d") | eval last_found_65_days=relative_time(last_found_epoch,"-65d@d") | fieldformat last_found_65_days_convert=strftime(last_found_65_days, "%Y-%m-%d") | where first_found_epoch>last_found_65_days | sort -first_found | dedup cve | rename severity AS Severity, first_found AS "First Found", last_found AS "Last Found", asset_fqdn AS Host, ipv4 AS IP, cve AS CVE, output AS Description | streamstats count as "Row #" | table Severity,"First Found","Last Found",Host,IP,CVE,Description,Reason   Which gives me output similar to this: critical 2023-10-11 2023-11-20 host1.example.com 192.168.101.12 CVE-2021-0123 blah blah blah critical 2023-03-25 2023-11-20 host2.example.com 192.168.101.25 CVE-2022-0219 blah blah blah critical 2023-06-23 2023-11-20 host3.example.com 192.168.101.102 CVE-2023-0489 blah blah blah critical 2023-08-05 2023-11-20 host4.example.com 192.168.101.145 CVE-2023-0456 blah blah blah I also have a .csv lookup file where I keep extra information on certain hosts: ScanHost                      ScanIP                   target-CVE            Reason host2.example.com 192.168.101.25 CVE-2022-0219 CVE can not be mitigated What I'm trying to do is to take the Host from the search and if it matches a ScanHost in the CSV then fill in the Reason field from the .csv. ... View more

I am VERY new to splunk so please bear with me.  I have a search, index=vulnerability "list of packages installed on the remote" myserver.com | rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000 | table ProgramNameOutput Which produces the following fictional output: libhangul-0.1.0-8.el7 intltool-0.50.2-7.el7 libvert-7.6.1-120.el7 at-spi2-core-2.28.0-1.el7 spice-gtk3-0.35-5.el7_9.1 perl-Digest-MD5-2.52-3.el7 mesa-libvert-18.3.4-12.el7_9 hyperv-daemons-license-0-0.34.20180415git.el7 libsysfs-2.1.0-16.el7 openldap-clients-2.4.44-25.el7_9 libvirt-gconfig-1.0.0-1.el7 libpeas-gtk-1.22.0-1.el7 NetworkManager-adsl-1.18.8-2.el7_9 perl-Locale-Maketext-1.23-3.el7   So what I'd like to do is to pair that ProgramNameOutput down to only output that has "libvert" in it.   The output field looks similar to this, it's basically one big text block:   "output:  Here is the list of packages installed on the remote CentOS Linux system :   libhangul-0.1.0-8.el7|(none) Mon 01 Nov 2021 12:06:47 PM EDT intltool-0.50.2-7.el7|(none) Mon 01 Nov 2021 12:10:13 PM EDT gdb-7.6.1-120.el7|(none) Mon 01 Nov 2021 12:06:15 PM EDT at-spi2-core-2.28.0-1.el7|(none) Mon 01 Nov 2021 12:08:53 PM EDT spice-gtk3-0.35-5.el7_9.1|(none) Mon 01 Nov 2021 12:40:05 PM EDT perl-Digest-MD5-2.52-3.el7|(none) Mon 01 Nov 2021 12:05:15 PM EDT mesa-filesystem-18.3.4-12.el7_9|(none) Mon 01 Nov 2021 12:38:01 PM EDT" ... View more