Can anyone tell me why I am not returning any results?
index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by ID
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
Thank you.
You need to include CVSS_SCORE in your stats command; you are not allowed to table it without bringing it forward. You can also rename your count(host-ip) in your stats command.
index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE
| stats list(host-ip) as host-ip, list(IP) as IP, count(host-ip) as HOSTS, sum(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
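An added, self-contained example (not from anyone in this thread) that reproduces the point above on constructed data built with makeresults, so it runs without a nessus index. The field names id, plugin_name, cvss_base_score and cvss_temporal_score follow the thread; host_ip is used in place of host-ip so no field quoting is needed, and max() is chosen over sum() so a plugin seen on several hosts does not get its score inflated (both are assumptions of this example). Drop max(CVSS_SCORE) from the stats line and the CVSS_SCORE column comes back empty, which is the original problem.

```spl
| makeresults count=4
| streamstats count as n
| eval id=if(n<=2, 10001, 10002)
| eval plugin_name=if(id==10001, "Constructed plugin A", "Constructed plugin B")
| eval cvss_base_score=if(id==10001, 7.5, 5.0), cvss_temporal_score=if(id==10001, 6.5, 4.4)
| eval host_ip="10.0.0.".n
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats max(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name, dc(host_ip) as HOSTS by id
| rename id as ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
```

Expected: two rows, ID 10001 with CVSS_SCORE 14 and HOSTS 2 first, then ID 10002 with CVSS_SCORE 9.4 and HOSTS 2.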
I think I see what the problem is; you have two searches that need to take place to match on ID from Plugin and plugin_ID from the scans. Give this search a try, it may take a bit longer. I'm going to use some of @cmerriman's code; hope you don't mind.
index=nessus cve=*
| eval ID=coalesce(id,plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols [search index=nessus
| rename host-ip as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id]
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
Give this a try; I made a change to the by clause, using id, since the field seems to be id and you then rename it to ID.
index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by id
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
Thank you,
Now I've run into a problem of only getting 0's as my HOSTS.
Try this: remove the two list commands, or rename list(host-ip) as host-ip to list(host-ip) as host-ips, to see if that works. You're counting host-ip after putting it into a list and naming it that field name.
Still the same result 😕
One other thing to try:
index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE, "host-ip" as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS, sum(CVSS_SCORE) as CVSS_SCORE, values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE
Unfortunately I am still getting 0 values for HOSTS.