Splunk Search

How to filter a field based on two other fields?

Rithekakan
Path Finder

host="SPL-SH-DC" sourcetype="ABCSW"......| search "Plugin Name" != "TLS Version 1.1 Protocol Deprecated" AND Port != "8443" AND Port != "8444"
| table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source

Hi Splunkers, could you please help...

I have the query shown above. However, I want the result filtered so that the field "Plugin Name" is not equal to "TLS Version 1.1 Protocol Deprecated", but based on the field "Port" being equal to "8443" and "8444".

I would appreciate your help.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @Rithekakan,

Sorry, but I don't understand the problem; let me check: you want to use all of the following conditions as a filter:

"Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")

Is this correct?

If this is what you need, you only have to make a small update to your search:

host="SPL-SH-DC" sourcetype="ABCSW" "Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")
| table "IP Address" Host_Name "Plugin Name" Severity Protocol Port Exploit System_Type Synopsis Description Solution "See Also" "CVSS V2 Base Score" CVE Plugin status Pending_since source

Also, you don't need to use the search command: that way you get a slower search, because you first take all the events and then filter them, which isn't efficient; it's better to put all the filters as far left as possible in your search!

Also, if possible, avoid using spaces in field names.

Ciao.

Giuseppe

Rithekakan
Path Finder

Hi gcusello,

(attached screenshot: Rithekakan_0-1657282568202.png)

I have this report, and I want to filter out Plugin Name = TLS Version 1.1 Protocol Deprecated with Port = 8443 and 8444.

Thanks for your help,

Rithekakan

0 Karma

gcusello
SplunkTrust

Hi @Rithekakan ,

what's the condition:

  • Port=8443 OR port 8444
  • Port=8443 AND port 8444

They're different; anyway, you can use my search and modify the conditions.

Ciao.

Giuseppe

0 Karma

Rithekakan
Path Finder

Hi @gcusello 
yes 

  • Port=8443 OR port 8444

Yes, I've been using your search, but I don't know why it also filters out other values of the field "Plugin Name".

I am still stuck and keep modifying the conditions.

Thanks for your help @gcusello 
Regards,

0 Karma

gcusello
SplunkTrust

Hi @Rithekakan,

a stupid question: did you use parentheses?

Ciao.

Giuseppe

0 Karma

Rithekakan
Path Finder

@gcusello 

Yes, exactly, I use them.
This is my full search:
host="SPL-SH-DC" sourcetype="ABCSW"
NOT Severity IN (Info,Low)
NOT Port IN (6502,8089,8001)
NOT "Plugin Name" IN ("SSL Certificate with Wrong Hostname","SSL Self-Signed Certificate","SSL Certificate Cannot Be Trusted")
| lookup ABCDEFGServerInventory.csv IP_Address as "IP Address" output Host_Name, System_Type
| eval days_since = floor((now() - _time) / 86400)
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")
| stats values(*) as * by "IP Address",Plugin,"Plugin Name",Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Pending", source=="ABCDEFGSW26062022.csv","Fixed", true(), "New Vulnerable")
| search "IP Address" IN ("1........,...................................")
"Plugin Name" != "OpenSSH S/KEY Authentication Account Enumeration"
"Plugin Name" != "OPIE w/ OpenSSH Account Enumeration"
"Plugin Name" != "OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing"
"Plugin Name" != "OpenSSH PCI Disputed Vulnerabilities."
"Plugin Name" != "TLS Version 1.1 Protocol Deprecated" (Port ="8443" OR Port="8444")
| table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source 

0 Karma
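The following is an added example (Python, not SPL, and not code from any poster in this thread) that runs two candidate conditions over a handful of constructed scan rows so the precedence difference behind the "it also filters out other values" symptom is visible. In a Splunk search, adjacent terms are implicitly ANDed, so `"Plugin Name"!="..." (Port="8443" OR Port="8444")` keeps only rows on ports 8443/8444; a condition that drops the deprecated-TLS finding only on those ports and keeps everything else needs the whole pair negated together. The SPL strings in the docstrings are my translation of each predicate, not text from the thread, and the row data is made up.

```python
# Added example, not from the thread. Constructed vulnerability-scan rows that
# stand in for the Splunk events; field names follow the thread's report.
ROWS = [
    {"IP Address": "10.0.0.1", "Plugin Name": "TLS Version 1.1 Protocol Deprecated", "Port": "8443"},
    {"IP Address": "10.0.0.1", "Plugin Name": "TLS Version 1.1 Protocol Deprecated", "Port": "8444"},
    {"IP Address": "10.0.0.2", "Plugin Name": "TLS Version 1.1 Protocol Deprecated", "Port": "443"},
    {"IP Address": "10.0.0.2", "Plugin Name": "SSL Self-Signed Certificate", "Port": "8443"},
    {"IP Address": "10.0.0.3", "Plugin Name": "OpenSSH PCI Disputed Vulnerabilities.", "Port": "22"},
]

DEPRECATED_TLS = "TLS Version 1.1 Protocol Deprecated"
PORTS = {"8443", "8444"}


def keep_as_written(row):
    """Condition as it appears in the thread (my reading of its precedence):
        "Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")
    Adjacent terms are ANDed, so this restricts the result to ports 8443/8444."""
    return row["Plugin Name"] != DEPRECATED_TLS and row["Port"] in PORTS


def keep_as_intended(row):
    """Condition the question describes: drop the deprecated-TLS finding only
    when it sits on 8443/8444, keep every other finding. SPL equivalent (my
    translation, an assumption rather than text from the thread):
        NOT ("Plugin Name"="TLS Version 1.1 Protocol Deprecated" AND Port IN (8443, 8444))"""
    return not (row["Plugin Name"] == DEPRECATED_TLS and row["Port"] in PORTS)


def run(pred, rows=ROWS):
    """Return (ip, plugin, port) tuples for the rows the predicate keeps."""
    return [(r["IP Address"], r["Plugin Name"], r["Port"]) for r in rows if pred(r)]


def silently_dropped(rows=ROWS):
    """Findings that survive the intended filter but vanish under the one as
    written: the report gap to check for before a vulnerability report ships."""
    written = set(run(keep_as_written, rows))
    return [t for t in run(keep_as_intended, rows) if t not in written]


if __name__ == "__main__":
    for name, pred in (("as written", keep_as_written), ("as intended", keep_as_intended)):
        print(name)
        for t in run(pred):
            print("   ", t)
    print("dropped by the filter as written:", silently_dropped())
```

Running it shows the filter as written keeping a single row (the self-signed certificate finding on 8443), while the intended one keeps three and only removes the two deprecated-TLS rows on 8443/8444. The `silently_dropped` check is the useful habit here: compare row counts before and after tightening a report filter, since a precedence slip in an exclusion quietly hides findings rather than erroring out.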

Rithekakan
Path Finder

@gcusello 
sorry,

  • Port=8443 OR port 8444 is correct.
0 Karma

Rithekakan
Path Finder

Hi @gcusello 
yes 

  • Port=8443 AND port 8444

Yes, I've been using your search, but I don't know why it also filters out other values of the field "Plugin Name".

I am still stuck and keep modifying the conditions.

Thanks for your help @gcusello 
Regards,

0 Karma