I think I didn't describe my question properly because I don't really have a good grasp of Splunk jargon, but here are more details.
This is search #1:
index ="12345" sourcetype = "system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| join productFamily [ | inputlookup manual_vulnerability_list.csv ]
| table deviceName, productFamily, ipAddress, Advisory_ID, Tower, swVersion, reco_swVersion, swVersion_Fixed
| dedup ipAddress, deviceName
| sort productFamily
| where swVersion_Fixed > swVersion
This produces a table with 8 columns and 20 lines.
This is search #2:
index ="12345" sourcetype = "system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| search swType = "105"
| join deviceId [ search index="6789" sourcetype=output_command_here| spath status | search status=Enabled ]
| table deviceName, productFamily, ipAddress, Tower, swVersion, reco_swVersion, swType
| dedup ipAddress, deviceName
This produces a table with 8 columns and 32 lines.
The column size and headers are identical on both searches. I am trying to combine the results into 1 output. I tried multisearch but that won't work due to the use of 'join'. Please help!
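One way to stack the two result sets into a single output without `multisearch` is `append`, which runs the second search as a subsearch and adds its rows after the first search's rows; subsearches are allowed to contain `join`. The SPL below is an added example built from the two searches above, not from the original post; the `source_search` field is an assumed marker added so each row records which search produced it, and `type=left` on the `join` commands is an assumption to keep devices that have no lookup match (the original post uses the default inner join, so drop `type=left` to keep the original matching behaviour).

```spl
index="12345" sourcetype="system_database"
| fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
| join deviceName [ | inputlookup manual_db.csv ]
| join productFamily [ | inputlookup manual_software_db.csv ]
| join productFamily [ | inputlookup manual_vulnerability_list.csv ]
| table deviceName, productFamily, ipAddress, Advisory_ID, Tower, swVersion, reco_swVersion, swVersion_Fixed
| dedup ipAddress, deviceName
| where swVersion_Fixed > swVersion
| eval source_search="vulnerable_version"
| append [
    search index="12345" sourcetype="system_database"
    | fields deviceId, deviceName, ipAddress, swType, productFamily, swVersion, timeStamp
    | join deviceName [ | inputlookup manual_db.csv ]
    | join productFamily [ | inputlookup manual_software_db.csv ]
    | search swType="105"
    | join deviceId [ search index="6789" sourcetype=output_command_here | spath status | search status=Enabled ]
    | table deviceName, productFamily, ipAddress, Tower, swVersion, reco_swVersion, swType
    | dedup ipAddress, deviceName
    | eval source_search="status_enabled"
  ]
| sort productFamily, source_search
```

Each branch keeps its own `table` and `dedup`, so the combined output is the 20 rows of search #1 followed by the 32 rows of search #2. `append` unions the field sets, so a column that exists in only one branch (`Advisory_ID`, `swVersion_Fixed`, `swType`) is blank for rows from the other branch; the `source_search` field makes it possible to tell the two populations apart, and a device that appears in both searches stays as two rows unless a final `dedup ipAddress, deviceName` is added. The appended branch is a subsearch, so it is subject to the subsearch result and time limits (`maxout` and `maxtime` on `append`), which matters if the second search grows well beyond 32 rows.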