Pretty new to Splunk and looking for advice.
I’ve tried reviewing subsearches, map and foreach looping but I just can’t crack the syntax.
I have two indexes, one that stores computer hostname, ip, and a tag for a contact email.
The other index is scan data regarding missing patches, keyed by ip.
Index=hostnames
Hostname ip_address Contact
Hostname1 192.x.x.1 Email1
Hostname2 192.x.x.2 Email2
Hostname3 192.x.x.3 Email3
Hostname4 192.x.x.4 Email4
Hostname5 192.x.x.5 Email2
Hostname6 192.x.x.6 Email3
Index=scandata
Ip scanfindingname scanfindingdescription
192.x.x.4 java-blah java-blah
192.x.x.2 java-blah java-blah
192.x.x.2 java-blah2 java-blah2
I have figured out how to get the search, with a join of ip to ip_address, to display a table with a stats count by hostname, ip, and contact email, showing the hostname and the total number of findings.
Table where Contact=Email2:
Hostname IP Contact Count
Hostname2 192.x.x.2 Email2 2
Hostname5 192.x.x.5 Email2 1
I cannot figure out how to create an automated email for each email address from the hostnames index.
It's essentially 3 queries.
1. Get list of email addresses from contact field in hostname index (dedup contact) [Email1, Email2, Email3]
2. Find Scan data by ip and grab the hostname and total found by hostname where contact = $Email$
3. Email table to $Email$
Any advice is appreciated.
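One way to express the three steps in SPL, added here as an example and not the poster's own search: the outer search lists the distinct contacts, and `map` runs the joined per-host count once per contact, substituting that row's `Contact` value into the `$Contact$` token, then hands the result table to `sendemail`. It assumes the field names shown above (Hostname, ip_address, Contact in hostnames; Ip in scandata), that Contact holds real mailbox addresses, and that the Splunk server has mail configured; the subject line and the `maxsearches` value are arbitrary choices.

```spl
index=hostnames
| stats count BY Contact
| fields Contact
| regex Contact="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$"
| map maxsearches=100 search="search index=scandata
    | stats count AS Count BY Ip
    | rename Ip AS ip_address
    | join type=inner ip_address
        [ search index=hostnames Contact=\"$Contact$\"
          | table Hostname ip_address Contact ]
    | table Hostname ip_address Contact Count
    | sendemail to=\"$Contact$\" subject=\"Hosts with missing patches\"
        sendresults=true inline=true format=table"
```

The `regex` line is there because `map` pastes each Contact value straight into the inner search string, so anything that is not a plain address is dropped before it can change the meaning of that search; `maxsearches` caps how many inner searches run, so raise it if you have more distinct contacts than that.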