I want to add a panel to a dashboard that shows the percentage of vulnerable hosts out of the total hosts in the environment.
I already have 2 panels, each with a query: the first shows the vulnerable hosts for a specific CVE ($field1$), the second shows the total host count in the environment. They look like:
index=vulnerabilities $field1$ | dedup host-fqdn | stats count(host-fqdn) AS Vulns
index=vulnerabilities | dedup host-fqdn | stats count(host-fqdn) AS total_hosts
My problem is I don't know how to call or use the Vulns or total_hosts count data in a third panel. I'm trying to use this:
index=vulnerabilities $field1$ | stats count(eval(eventtype="host-fqdn")) AS total, count(eval(eventtype="Vulns")) AS Vulns | eval percentage=((total/Vulns)*100) | table percent_difference
Thank you for your help!
diggin
Each panel is independent - you can't reference the results in another panel. Try this:
Panel 1:
index=vulnerabilities $field1$ | stats distinct_count(host-fqdn) AS Vulns
Panel 2:
index=vulnerabilities | stats distinct_count(host-fqdn) AS total_hosts
Panel 3:
index=vulnerabilities
| eval matchedField=if(match(_raw,"$field1$"),"Matched","Unmatched")
| stats distinct_count(host-fqdn) as count by matchedField
| eventstats sum(count) as total
| where matchedField="Matched"
| eval percentage=round(count/total*100,0)
lguinn,
Thank you for your swift response. I tried to copy it in verbatim, but it didn't work for me. I'll try to tweak it, though. Do you know if this "passing" can be accomplished by using Sideview Utils?
Thanks again,
Diggin
Could you by chance explain these phrases to me? What is _raw? Why did you use matched and unmatched? I'll of course look into these myself, but if you would explain it, I and the others following this will appreciate it. 🙂
_raw is the field name for the entire event. I set up a variable named matchedField so that if the value of $field1$ was found in the event, matchedField would be set to "Matched". This lets me count the number of hosts that are matched vs. unmatched in the stats command.
I suggest that you run the search command, then add in each command one-by-one. Hopefully you will be able to see what each step does. You can also use the Search Job Inspector to help understand how the search actually worked.
I don't see any typos in my answer, but I don't know what the value of $field1$ might be, and that could affect the results.
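To make the "Matched vs. Unmatched" reasoning in this answer concrete, here is an added example (not part of the thread, and not SPL you can paste into Splunk) that replays the same logic in Python over a handful of constructed scan events. It assumes the selected CVEs are tested as set membership on a `cve` field, standing in for the `$field1$` token, rather than via a regex on `_raw`. It computes the ratio two ways: first the way Panel 3 above does it, with `distinct_count` per flag and `eventstats sum(count)` for the total, and then with one row per host before aggregating. The difference shows up whenever a host has both a matching and a non-matching finding, because that host lands in both the Matched and the Unmatched bucket and is counted twice in the summed total.

```python
"""Vulnerable-hosts-to-total-hosts percentage, two ways.

Added example only: the events below are constructed, not real scan output,
and the CVE list is a Python set standing in for the dashboard's $field1$ token.
"""
from collections import defaultdict

# Constructed sample events as (host-fqdn, cve) pairs.
EVENTS = [
    ("web01.example.test", "CVE-2014-0160"),
    ("web01.example.test", "CVE-2014-6271"),
    ("web01.example.test", "CVE-2013-2566"),   # same host, non-selected CVE
    ("db01.example.test", "CVE-2013-2566"),
    ("db01.example.test", "CVE-2012-1182"),
    ("app01.example.test", "CVE-2014-6271"),
    ("app01.example.test", "CVE-2014-6271"),   # duplicate finding, same CVE
    ("mail01.example.test", "CVE-2012-1182"),
]

# Stand-in for the multiselect: the CVE IDs the user picked.
SELECTED_CVES = {"CVE-2014-0160", "CVE-2014-6271"}


def naive_matched_unmatched(events, selected):
    """Mirror of Panel 3: distinct hosts per Matched/Unmatched flag, total = sum of both.

    Returns (matched_hosts, total_as_summed, percentage).
    A host with both kinds of finding is in both sets, so the total is inflated.
    """
    hosts_by_flag = defaultdict(set)
    for host, cve in events:
        flag = "Matched" if cve in selected else "Unmatched"
        hosts_by_flag[flag].add(host)
    matched = len(hosts_by_flag["Matched"])
    total = sum(len(hosts) for hosts in hosts_by_flag.values())
    pct = round(matched / total * 100) if total else 0
    return matched, total, pct


def per_host_ratio(events, selected):
    """Collapse to one row per host first (any matching finding => vulnerable), then aggregate.

    Returns (vulnerable_hosts, total_hosts, percentage); every host counted exactly once.
    """
    vulnerable_by_host = {}
    for host, cve in events:
        vulnerable_by_host[host] = vulnerable_by_host.get(host, False) or (cve in selected)
    total_hosts = len(vulnerable_by_host)
    vulns = sum(1 for is_vuln in vulnerable_by_host.values() if is_vuln)
    pct = round(vulns / total_hosts * 100) if total_hosts else 0
    return vulns, total_hosts, pct


if __name__ == "__main__":
    # web01 appears in both buckets, so the naive total is 5 hosts instead of 4.
    print("summed buckets :", naive_matched_unmatched(EVENTS, SELECTED_CVES))
    print("one row per host:", per_host_ratio(EVENTS, SELECTED_CVES))
```

The per-host variant corresponds in SPL to flagging each event, taking the maximum of the flag per host, and then aggregating once: `| eval isVuln=if(<match test>,1,0) | stats max(isVuln) AS isVuln BY host-fqdn | stats sum(isVuln) AS Vulns, count AS total_hosts | eval percentage=round(Vulns/total_hosts*100,0)`, where `<match test>` is whatever expression correctly recognises the selected CVEs in your data (the shape of `$field1$` decides that, as noted above).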
Thanks for your reply,
I appreciate the explanation.
$field1$ is a list of CVEs that are selected from a multiselect dropdown; the list would be like cve=CVE-2014-xxx-xxx OR cve=CVE-2014-xxx-xxx OR ....
I'll try both things that you said to try.
thanks again,
Diggin