Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for critical nessus findings and correlate remediation

jesperp
Engager
‎11-21-2016 01:33 AM

I have my nessus data in splunk, and in my example below I would like to search for all critical findings, and for each of those I would like to correlate the finding with the plugin data and present the details and remediation. The search does not work, and I would like some help if I'm doing this correctly (I'm a complete newbie with the foreach-command).

sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"=* | foreach "host-ip" [search (sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"=<<FIELD>>) OR (sourcetype=nessus:plugin id=*)] | eval match_id=coalesce(id,plugin_id) | stats values(*) AS * by match_id | search plugin_id=* id=* | table host-ip,host_end,match_id,solution,description
0 Karma
Reply

sundareshr
Legend
‎11-21-2016 06:16 AM

Try this

(sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"=*) OR (sourcetype=nessus:plugin id=*) | fields host-ip, host_end,  solution, description <<including all relevant fields>> | stats values(*) as * by plugin_id
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...