Hello,   I am trying to create a drill down dashboard. Basically I want to pass a subnet value (which is currently represented as a string) from one pane to another search pane and search on data in that query using the subnet value. I have tried several methods and none seem to work.   Ideally I thought something like the below would work in pseudo code.   Search ... | eval subnet_value=$subnet value from first query$ | where ipv4=subnet_value   However, I get back no results. Perhaps someone has some tips on some things I can try next as I am stuck currently.   Thanks in advance, Joe ... View more

Hello,   I have been banging my head on a problem. What I am trying to do is run a first query to get a list of assets, then with that list I want to update my kv store. I can do what I want in two separate searches but when I combine them it does not work. I have tried using append, join, and just stringing them together but nothing works yet. My latest attempt was with join.   sourcetype="asset-info" | eval nowfield=now() | eval diff = ( nowfield-1814400) | convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime(last_found) as new_epoch | eval last_scanned=substr(new_epoch,1,10) | where last_scanned < diff | eval vuln_last_found=substr(last_found,1,10) | eval target_id = dns_name | join type=inner max=0 target_id [ | inputlookup kvstore_db | where fqdn=target_id AND state!="closed" | eval key=_key | eval state="oct7" | outputlookup kvstore_db append=True ]   The first half is the first search that gets the list of assets (target_id), then I filter on that with the kvstore lookup (kvstore_db) , fallowed by the outputlookup to actually update the (state) field with the value "oct7". This basically works as is if I run the two searches independently, but when I put them together (which is what I need) is does work. I am hoping someone can help.   Thanks, Joe  ... View more

Hello,   I am having problems approaching this problem. Say we have a KV store that stores asset information from a few different sources. The kv store has about 20 uniq fields. One of the fields within that kv store is state. Basically, the state is either (new) or (update) referencing how it was placed within the kv store. I would like to add another potential value called (stale) if it was last updated over 90 days ago.   At the same time I now have some logic that goes through the source indexes and pulls out events that are older than 90 days. Right now that list is about 1,000. With that list I want to basically say "Any event that is older than 90 days, take that hostname and match any hostname entry within the KV store that is identical, and update the state field entry with the value of (state)". Obviously, I would like to do that with the entire list of 1,000. I am hoping someone might have some psuedo code or best practice tips as I am having problems getting started with it.   Thanks, Joe ... View more

Hello,   I am having problems trying to find duplicate entries within my splunk kvstore. Basically, what I want to do is find duplicates based on a few fields such as FQDN, CVE, and PORT. Then, once I found duplicates I just want to output them in a table if their SOURCE field is different. The query I have so far is: | inputlookup vul_kvstore | stats count by fqdn, port, cve | where count>1 | table fqdn, port, cve, source The problem I have now is in my table I do not have access to the source field as it looks like the stats count line basically pulls out only the fqdn, port, and cve data. How do I get access to the source field data? Maybe I just have to revise my original query so I do not loose data to that field but so far nothing I try works. Hopefully someone can provide me some advise to push me through this problem.   Thanks, Joe ... View more

Hello,   I have json data and I am trying to search a specific field using a dynamic variable. I can properly search if I have an exact static field but not dynamic field. As an example, the below works:     source="main.py"| spath "cve.CVE_data_meta.ID" | search "cve.CVE_data_meta.ID"="CVE-2018-XXXX" | table cve.description.description_data{}.value     However, I am trying to feed a dynamic variable (test) from a different search to extract the correct value such as the below (shortened to make it easier to read):   source="main.py"| eval test="CVE-2018-XXXX" | spath "cve.CVE_data_meta.ID" | search "cve.CVE_data_meta.ID"=test | table cve.description.description_data{}.value     In the above case as an example I just hard coded the test variable but that value will come from a different search. Anyhow, the above does not work. I tried many variations and nothing really seems to work. I think the problem is due to the fact splunk thinks I am working with multiple value data and I cannot properly search off that. Anyhow, I think there has to be an easy solution that I cannot seem to get on my own. Hopefully someone can push me to the finish line with this.   Thanks, Marty ... View more