Splunk Search

Why is my search not returning any results?

rkaakaty
Path Finder

Can anyone tell me why I am not returning any results?

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by ID 
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

Thank you.

0 Karma
1 Solution

cmerriman
Super Champion

You need to include CVSS_SCORE in your stats command; you are not allowed to table it without bringing it forward. You can also rename your count(host-ip) in your stats command.

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE
| stats list(host-ip) as host-ip, list(IP) as IP, count(host-ip) as HOSTS, sum(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE


Grumpalot
Communicator

I think I see what the problem is: you have two searches that need to take place to match on ID from the plugin and plugin_id from the scans. Give this search a try; it may take a bit longer. I'm going to use some of @cmerriman's code, hope you don't mind.

index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols [search index=nessus 
| rename host-ip as hostip 
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id] 
| table ID, Plugin_Name, CVSS_SCORE, HOSTS 
| sort - CVSS_SCORE
0 Karma

Grumpalot
Communicator

Give this a try. I made a change to the "by ID", since the field seems to be id, which you then rename to ID.

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP, count(host-ip) by id
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

rkaakaty
Path Finder

Thank you,

Now I've run into a problem of only getting 0s as my HOSTS.

0 Karma

cmerriman
Super Champion

Try this: remove the two list commands, or rename list(host-ip) as host-ip to list(host-ip) as host-ips, to see if that works. You're counting host-ip after putting it into a list and naming it that field name.

0 Karma

rkaakaty
Path Finder

Still the same result 😕

0 Karma

cmerriman
Super Champion

One other thing to try:

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE, "host-ip" as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS, sum(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
0 Karma

rkaakaty
Path Finder

Unfortunately I am still getting 0 values for HOSTS

0 Karma
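Added by the editor, not code from any poster in this thread: two searches that address the appendcols approach above and the unresolved "HOSTS is 0" symptom. They assume the field names used in the thread (id, plugin_id, plugin_name, cve, cvss_base_score, cvss_temporal_score, host-ip); nothing else about the Nessus data is assumed.

The first search does the host count and the score in one stats pass grouped by the coalesced ID. appendcols does not match on any key: it pastes the subsearch's rows next to the main results by row position, so if the two stats outputs come out in different orders the host counts are attached to the wrong plugin IDs. Grouping once avoids that. It also uses max() rather than sum() for the score, because a plugin's CVSS score is the same on every host it fires on, so summing it across events multiplies the score by the number of findings and makes the sort meaningless. The hyphenated field is renamed first so it can be used in eval, where host-ip would otherwise be parsed as host minus ip. dc() counts distinct hosts, so a host scanned twice is not double-counted. The second search is the check to run when HOSTS comes back 0: fieldsummary reports how many events actually carry each field, and a count of 0 for host-ip means the field does not exist under that name in the indexed events, which no amount of rearranging the stats command will fix.

```spl
index=nessus cve=*
| rename "host-ip" as hostip
| eval ID = coalesce(id, plugin_id)
| eval CVSS_SCORE = cvss_base_score + coalesce(cvss_temporal_score, 0)
| stats max(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name, dc(hostip) as HOSTS, values(hostip) as Hosts_Affected by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS, Hosts_Affected
| sort - CVSS_SCORE

index=nessus cve=*
| fieldsummary
| search field="host-ip" OR field="id" OR field="plugin_id" OR field="plugin_name" OR field="cvss_base_score" OR field="cvss_temporal_score"
| table field, count, distinct_count
```

If the second search shows cvss_temporal_score absent or sparse, the coalesce(cvss_temporal_score, 0) in the first search is what keeps CVSS_SCORE from going null on those events; without it, every event missing the temporal score drops out of the sort.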