Thanks Rich for the quick reply.
But I'm looking for something like this:
My Query
sourcetype="B" severity=critical (site_id=5 OR site_id=6 OR site_id=1 OR site_id=3 OR site_id=33 OR site_id=45 OR site_id=49 OR site_id=44)
| eval zone=case(site_id==5,"W - DMZ",site_id==6,"P- DMZ",site_id==1,"P- Internal",site_id==3,"W - Internal")
| eval Days=floor((now()-strptime(first_discovered,"%Y-%m-%d %H:%M:%S.%3Q"))/(3600*24))
| table asset_id vulnerability_name site_id zone severity first_discovered Days
Output
asset_id, vulnerability_name, site_id, zone, severity, first_discovered, Days
1, Elevation of Privilege, 1, P-Internal, critical, 04:34.0, 0
2, Remote Code Execution, 5, W- DMZ, critical, 04:34.0, 0
3, Shell Remote Code Execution Vulnerability, 6, P-DMZ, critical, 56:06.1, 15
4, Obsolete Version of Microsoft Internet Explorer, 3, W-Internal, critical, 05:01.8, 355
Along with asset_id, I need to have asset_name in the output.
Please let me know how I can tweak my query to get the desired output.
Thanks
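To make the post's pipeline concrete outside Splunk, here is an added Python example (not the poster's code and not Splunk's own tooling) that reproduces what the `eval`/`table` steps above do over a handful of constructed events: the `case()` mapping of `site_id` to `zone`, the `Days` calculation from `first_discovered`, and the join against an asset inventory that supplies `asset_name`. Everything in it is an assumption for illustration: the sample events and their full timestamps are constructed, the `ASSET_NAMES` dictionary stands in for whatever inventory source actually holds the asset names, Splunk's `%3Q` millisecond directive is rendered with Python's `%f`, and `now()` is pinned to a fixed time so the `Days` values are reproducible.

```python
from datetime import datetime

# Constructed sample events (not from the original post). first_discovered
# carries the full timestamp the query's strptime expects; Splunk's %3Q
# (milliseconds) corresponds to Python's %f.
SAMPLE_EVENTS = [
    {"asset_id": 1, "vulnerability_name": "Elevation of Privilege",
     "site_id": 1, "severity": "critical", "first_discovered": "2019-03-14 10:04:34.000"},
    {"asset_id": 2, "vulnerability_name": "Remote Code Execution",
     "site_id": 5, "severity": "critical", "first_discovered": "2019-03-14 10:04:34.000"},
    {"asset_id": 3, "vulnerability_name": "Shell Remote Code Execution Vulnerability",
     "site_id": 6, "severity": "critical", "first_discovered": "2019-02-27 08:56:06.100"},
    {"asset_id": 4, "vulnerability_name": "Obsolete Version of Microsoft Internet Explorer",
     "site_id": 3, "severity": "critical", "first_discovered": "2018-03-24 11:05:01.800"},
    # A site the search selects but the case() statement never maps: zone stays null.
    {"asset_id": 5, "vulnerability_name": "Weak TLS Configuration",
     "site_id": 33, "severity": "critical", "first_discovered": "2019-03-13 23:30:00.000"},
    # Filtered out by the base search (severity is not critical).
    {"asset_id": 6, "vulnerability_name": "Information Disclosure",
     "site_id": 5, "severity": "high", "first_discovered": "2019-01-01 00:00:00.000"},
]

# The site_id filter and the case() mapping from the post's query.
SELECTED_SITES = {5, 6, 1, 3, 33, 45, 49, 44}
ZONE_BY_SITE = {5: "W - DMZ", 6: "P- DMZ", 1: "P- Internal", 3: "W - Internal"}

# Hypothetical asset inventory (an assumption, not in the post) keyed by asset_id.
ASSET_NAMES = {1: "host-a", 2: "host-b", 3: "host-c", 4: "host-d"}

# Fixed stand-in for Splunk's now() so Days is deterministic.
NOW = datetime(2019, 3, 14, 12, 0, 0)

SPLUNK_TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # "%Y-%m-%d %H:%M:%S.%3Q" in SPL


def zone_for(site_id):
    """Mirror case(): an unmapped site_id yields null (None), not an error."""
    return ZONE_BY_SITE.get(site_id)


def days_since(first_discovered, now=NOW):
    """floor((now() - strptime(first_discovered, fmt)) / (3600*24))."""
    discovered = datetime.strptime(first_discovered, SPLUNK_TS_FORMAT)
    return int((now - discovered).total_seconds() // (3600 * 24))


def build_table(events, asset_names=ASSET_NAMES, now=NOW):
    """Apply the base search, both evals and the table command, adding asset_name."""
    rows = []
    for ev in events:
        if ev["severity"] != "critical" or ev["site_id"] not in SELECTED_SITES:
            continue
        rows.append({
            "asset_id": ev["asset_id"],
            # Enrichment from the inventory; assets missing from it are flagged explicitly.
            "asset_name": asset_names.get(ev["asset_id"], "unknown"),
            "vulnerability_name": ev["vulnerability_name"],
            "site_id": ev["site_id"],
            "zone": zone_for(ev["site_id"]),
            "severity": ev["severity"],
            "first_discovered": ev["first_discovered"],
            "Days": days_since(ev["first_discovered"], now),
        })
    return rows


if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(row)
```

Two details worth noticing when comparing this to the SPL: the `case()` in the query has no default branch, so events from sites 33, 45, 49 and 44 pass the base search but come out with an empty `zone`, and the `Days` arithmetic floors the elapsed time, so a finding discovered late yesterday still shows `0`.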