Hi All, currently we are facing an issue in updating the qualysscanlookup.csv file after executing the Splunk query.
**Our exact requirement is that Splunk should find the IPs that have not been scanned for the last 30 days (four different regions) and add them to a file, from which a Python script will initiate the Qualys scan against those IPs.**
Splunk query details:
```spl
earliest=-60m source="*dhcpd.log" Host=H* DHCPACK lease-duration OR RENEW
| localop
| lookup qualys_asset_hostlist.csv NETBIOS AS Host OUTPUT LAST_VALUE_SCAN_DATETIME
| eval LAST_VALUE_SCAN_DATETIME=if(isnull(LAST_VALUE_SCAN_DATETIME), "2000-01-01T00:00:00Z", LAST_VALUE_SCAN_DATETIME)
| mvexpand LAST_VALUE_SCAN_DATETIME
| eval LAST_VALUE_SCAN_DATETIME=strptime(LAST_VALUE_SCAN_DATETIME, "%Y-%m-%dT%H:%M:%SZ")
| dedup Host
| head 10
| stats last(LAST_VALUE_SCAN_DATETIME) AS LAST_VALUE_SCAN_DATETIME by Host IP
| where LAST_VALUE_SCAN_DATETIME < relative_time(now(), "-30d")
| table Host IP LAST_VALUE_SCAN_DATETIME
| stats delim="+" values(IP) AS scanning
| mvcombine scanning
| eval scanners="QUALYS"
| eval title="Test+Assetscanning+CH"
| localop
| lookup qualysscanlookup title scanners scanning OUTPUT results
```
We are getting the IPs for all four regions after executing the above query, but we are getting the same IP values for all four regions. These IPs should be added into the qualysscanlookup file, and then the Python script will initiate a scan against them. Currently I am not sure how to fix this issue, so kindly guide me in troubleshooting it.
Thanks in advance.
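As an added example (not code from the post, nor from Splunk or Qualys), here is a Python version of the selection and file-writing step: it applies the 30-day rule, treats the "2000-01-01T00:00:00Z" sentinel as never scanned, and builds one "+"-joined IP list per region for the lookup file. The `region` field, the sample rows and the fixed clock are assumptions; the query on the page has no region field, which is why its final `stats` produces the same list for every region.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The SPL query substitutes this sentinel when the Qualys lookup returns no scan date;
# it must use upper-case T and Z to match the strptime format "%Y-%m-%dT%H:%M:%SZ".
NEVER_SCANNED = "2000-01-01T00:00:00Z"
STALE_AFTER = timedelta(days=30)
LOOKUP_FIELDS = ["title", "scanners", "scanning"]

# Constructed sample rows shaped like the query output after the lookup. "region" is
# an assumed field: the query on the page carries none, so its final stats has nothing
# to split on and every region ends up with the same IP list.
SAMPLE_ROWS = [
    {"Host": "H-CH-01", "IP": "10.1.0.11", "region": "CH", "LAST_VALUE_SCAN_DATETIME": "2024-02-20T08:00:00Z"},
    {"Host": "H-CH-02", "IP": "10.1.0.12", "region": "CH", "LAST_VALUE_SCAN_DATETIME": "2024-01-02T08:00:00Z"},
    {"Host": "H-CH-03", "IP": "10.1.0.13", "region": "CH", "LAST_VALUE_SCAN_DATETIME": NEVER_SCANNED},
    {"Host": "H-US-01", "IP": "10.2.0.21", "region": "US", "LAST_VALUE_SCAN_DATETIME": "2024-02-28T08:00:00Z"},
    {"Host": "H-US-02", "IP": "10.2.0.22", "region": "US", "LAST_VALUE_SCAN_DATETIME": NEVER_SCANNED},
    {"Host": "H-DE-01", "IP": "10.3.0.31", "region": "DE", "LAST_VALUE_SCAN_DATETIME": "2023-12-01T08:00:00Z"},
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock (assumed) so the output is reproducible

def parse_scan_time(value):
    """Parse a Qualys scan timestamp; the never-scanned sentinel parses like any other value."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_hosts(rows, now=NOW, stale_after=STALE_AFTER):
    """Keep hosts whose last scan is older than the threshold (never-scanned hosts included)."""
    cutoff = now - stale_after
    return [r for r in rows if parse_scan_time(r["LAST_VALUE_SCAN_DATETIME"]) < cutoff]

def build_scan_rows(rows, now=NOW, scanners="QUALYS"):
    """One lookup row per region: title, scanners, and the '+'-joined IP list the query builds."""
    ips_by_region = defaultdict(set)
    for r in stale_hosts(rows, now):
        ips_by_region[r["region"]].add(r["IP"])  # a set drops repeated DHCP leases for one IP
    return [
        {"title": f"Test+Assetscanning+{region}", "scanners": scanners, "scanning": "+".join(sorted(ips))}
        for region, ips in sorted(ips_by_region.items())
    ]

def write_lookup(scan_rows, path):
    """Overwrite the lookup CSV that the scan-initiating script reads; returns rows written."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=LOOKUP_FIELDS)
        writer.writeheader()
        writer.writerows(scan_rows)
    return len(scan_rows)
```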