I think I didn't describe my question properly because I don't really have a good grasp of Splunk jargon, but here are more details...
This is search #1:
index ="12345" sourcetype = "system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| join productFamily [ | inputlookup manual_vulnerability_list.csv ]
| table deviceName, productFamily, ipAddress, Advisory_ID, Tower, swVersion, reco_swVersion, swVersion_Fixed
| dedup ipAddress, deviceName
| sort productFamily
| where swVersion_Fixed > swVersion
This produces a table with 8 columns and 20 lines.
This is search #2:
index ="12345" sourcetype = "system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| search swType = "105"
| join deviceId [ search index="6789" sourcetype=output_command_here| spath status | search status=Enabled ]
| table deviceName, productFamily, ipAddress, Tower, swVersion, reco_swVersion, swType
| dedup ipAddress, deviceName
This produces a table with 8 columns and 32 lines.
The column size and headers are identical in both searches. I'm trying to combine the results into one output. I tried multisearch but that won't work due to the use of 'join'. Please help!
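One way to stack the two result sets, as an added example that is not the poster's code and not an answer from this thread: run search #1 as the outer search and pull search #2 in with `append`, which (unlike `multisearch`) accepts a subsearch containing `join`. The `source_search` field is a constructed marker so the rows stay distinguishable once merged; the index names, lookups and field names are taken from the post as-is.

```spl
index="12345" sourcetype="system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| join productFamily [ | inputlookup manual_vulnerability_list.csv ]
| table deviceName, productFamily, ipAddress, Advisory_ID, Tower, swVersion, reco_swVersion, swVersion_Fixed
| dedup ipAddress, deviceName
| where swVersion_Fixed > swVersion
| eval source_search="search1_vulnerable_version"
| append [
    search index="12345" sourcetype="system_database"
    | fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
    | join deviceName [ | inputlookup manual_db.csv ]
    | join productFamily [ | inputlookup manual_software_db.csv ]
    | search swType="105"
    | join deviceId [ search index="6789" sourcetype=output_command_here | spath status | search status=Enabled ]
    | table deviceName, productFamily, ipAddress, Tower, swVersion, reco_swVersion, swType
    | dedup ipAddress, deviceName
    | eval source_search="search2_status_enabled"
  ]
| table source_search, deviceName, productFamily, ipAddress, Tower, swVersion, reco_swVersion, Advisory_ID, swVersion_Fixed, swType
| sort productFamily, deviceName
```

Because `append` runs its argument as a subsearch, the second search is subject to the subsearch result-count and timeout limits, so check that all 32 rows arrive. Columns that exist in only one search (Advisory_ID, swVersion_Fixed, swType) are simply empty on rows coming from the other.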