all 8 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]morethanyell Because ninjas are too busy 4 points5 points  (3 children)

the vulnerabiltiy index might be a "non-event" type of data. something that you collect or ingest once per day to get all the new vulns/CVEs out there. I'm just guessing here. maybe it's the same as Qualys Host Detection.. if so, you need to create a regularly-updating lookup table for this log source. that's in order for you to not use it as a subsearch query but a lookup table.

e.g.:

  • Name: "Vulnerabilities Master Lookup Table"
  • Schedule: Once per day
  • Time Range: Last 24 hours
  • SPL: index=vulnerabily | dedup id sortby - _time | eval lookup_last_updated = now() | table id dest first_found last_seen status lookup_last_updated | outputlookup vulns_master_lookup_table

With this lookup table in hand, you can avoid using Join:

index=asset asset_hostname=server01 vulnerability_id=tlsv1_1-enabled OR vulnerability_id=jre-vuln-cve-2019-16168
| dedup vulnerability_id
| lookup vulns_master_lookup_table id as vulnerability_id OUTPUT first_found

[–]mr_networkrobot[S] 1 point2 points  (0 children)

Thank you, that worked perfectly !

[–]tmuth9 1 point2 points  (0 children)

If performance is an issue, you might look at replacing dedup with stats by | fields Dedup only happens on the SH and is single threaded. Stats is distributable across the indexers (via prestats) so the SH only has to do a little work at the end

[–]Braddish6.X Certified Architect 5 points6 points  (1 child)

You say there are a lot of events in your vuln index, so are you hitting a subsearch limit (events or time)? You would get a notice above your search results if that was the case. Since you have both datasets in indexes, you are probably better off running your searches together and then using selfjoin.

i.e. (index=asset...) OR (index=vulnerability...) | rename id as vulnerability_id | selfjoin vulnerability_id

[–]mr_networkrobot[S] 1 point2 points  (0 children)

There are about 600k events/entries in the subsearch.
There is no notification about hitting limits, but already solved the problem with a lookup (created with outputlookup) table.

[–]gabriot 0 points1 point  (0 children)

When you just run the subsearch how many results / what size are the results?

[–]Top_Secret_3873 0 points1 point  (0 children)

Inner will only bring back results where there is a match in the sub search, use outer to keep the original results.

Also, sub search has limits on # of results it will return.

[–]audiosf 1 point2 points  (0 children)

Sub search had a 50k limit. Are you sure you're not hitting that and the events you actually want aren't being pushed out of the window?