I have two types of logs in an index. Both can have multiple entries for an IP address.
What I need to do is find all the host names and users in one set of logs, get the CVE(s) for each host from the other logs, and list them out.
I know I'm most likely going about this the wrong way; this was my latest attempt, trying to combine the CVEs into one field:
index=a sourcetype=asset vulnerabilities > 0 | dedup ip | join type=left ip [search index=a sourcetype=vuln | stats values(cve) as Vcve by ip | eval Vcve=mvjoin(Vcve, ",")] | table ip, host, user, Vcve
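An alternative added here as an example (not the poster's query): rather than a subsearch per asset, pull both sourcetypes in one search and let stats group them by ip; it assumes the field names from the post (ip, host, user, cve), index=a, and that the vuln events carry a cve field.

```spl
index=a (sourcetype=asset vulnerabilities>0) OR (sourcetype=vuln cve=*)
| fields ip host user cve sourcetype
| stats values(host) as host values(user) as user values(cve) as cve dc(cve) as cve_count by ip
| where cve_count > 0
| eval Vcve=mvjoin(cve, ",")
| table ip host user cve_count Vcve
| sort - cve_count
```

values() deduplicates across the multiple entries per ip, so dedup is not needed, and the where clause drops assets with no matching findings; avoiding the subsearch also sidesteps the default 10,000-result subsearch limit that silently truncates join-based correlations.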