Solved: I need to write a query to find the sum of same f...

nivethainspire_ · ‎08-31-2016

I have tried the below query,it works fine,but its complicated, Can anyone suggest a better way to write the same query,

index="vmt_sample" "Asset Type"=Desktop OR "Thin Client" OR Computer|fillnull value=blank "MS Bulletin" "Flags"|search OS="Windows" |stats sum(CVSS) as CVSS by "Asset Type"|join [search index="vmt_sample" "Asset Type"=Desktop OR "Thin Client" OR Computer |fillnull value=blank "MS Bulletin" "Flags"| search OS="Windows" "MS Bulletin"!=blank "Flags"=blank |stats sum(CVSS_E) as "OS Score" by "Asset Type"]|table "Asset Type",CVSS,"OS Score"

sundareshr · ‎09-01-2016

Try this

index="vmt_sample" "Asset Type"=Desktop OR "Thin Client" OR Computer OS=Windows
| stats sum(CVSS) as CVSS sum(eval(if(isnotnull("MS Bulletin") AND isnull("Flags"), CVSS_E, 0)))  as "OS Score" by "Asset Type"
| table "Asset Type",CVSS,"OS Score"

View solution in original post

sundareshr · ‎09-01-2016

Try this

index="vmt_sample" "Asset Type"=Desktop OR "Thin Client" OR Computer OS=Windows
| stats sum(CVSS) as CVSS sum(eval(if(isnotnull("MS Bulletin") AND isnull("Flags"), CVSS_E, 0)))  as "OS Score" by "Asset Type"
| table "Asset Type",CVSS,"OS Score"

I need to write a query to find the sum of same field in same index but with different condition.

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...