Hello,
I am getting a stack of CVE field values. I just wanted to display the number of them (count). Here is my code:
index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| eval description=substr(description,1,100)
| eval solution=substr(solution,1,100)
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, description as Description, solution as Solution
| table ID, Plugin_Name, Description, CVE, Solution, CVSS_SCORE
| sort - CVSS_SCORE
This is what it looks like
| stats count as CVECount
or
| stats dc(CVE) as CVECount
You don't really need much of that if all you want is the count of CVEs...
index=nessus cve=*
| fields cve
| dedup cve
| stats dc(cve) as CVECount
And if cve is an indexed field, then tstats would probably be more efficient
| tstats count where index=nessus AND cve=* by cve
| stats dc(cve) as CVECount