Hello,
I have created a datamodel which I have accelerated, containing two sourcetype. The goal is to add a field from one sourcetype into the primary results. The challenge I have been having is returning all the data from the Vulnerability sourcetype, which contains over 400K events. I have attempted several different searchs, none of which are the results i'm expecting. Basically I want to join the two tstats below without using join do to its limitations. The vulnerabilies should include the hostname and operating system.
Any help would be apprectiated
|tstats summariesonly=f
``` latest(tenable.plugin_name) as "Vulnerability", ```
values(tenable.first_found) as "First Found",
values(tenable.last_found) as "Last Found",
values(tenable.risk_factor) as "Risk Factor",
values(tenable.in_the_news) as "In The News?",
values(tenable.vpr_score) as "VPR",
values(tenable.solution) as "Solution",
values(tenable.see_also) as "See Also",
values(tenable.state) as "State"
values(tenable.exploitability_ease) as "Exploitable Ease",
values(tenable.exploit_available) as "Exploit Available"
values(tenable.ip) as IP
``` latest(tenable.asset_hostname) as hostname```
FROM datamodel="VulnMgt.tenable",
WHERE sourcetype="tenable:io:vuln"
by tenable.asset_uuid tenable.asset_hostname tenable.plugin_name
|tstats summariesonly=t prestats=t append=t
values(devices.operating_systems) as OS
FROM datamodel="VulnMgt.tenable",
WHERE sourcetype="tenable:io:assets"
by tenable.asset_uuid tenable.hostnames
| stats latest(*) as * count as total by tenable.asset_uuid
Instead of using the append option of tstats, try append with tstats in the subsearch.
| tstats summariesonly=t <<search1>>
| append [ tstats summariesonly=t <<search2>> ]
| stats latest(*) as * count as total by tenable.asset_uuid
Thank you @richgalloway That was one of the search I attempted and Splunk shows it as having a 50k limit.