Splunk Search

Two fields are not populating, not sure why

rkaakaty
Path Finder

Hello,

For some reason my SEVERITY and CATEGORY fields aren't showing any value.

Can anyone see why?

 index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
    [ search index=nessus 
    | rename host-ip as hostip 
    | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
    ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score

DalJeanis
SplunkTrust

updated to mark as code.

appendcols in that location doesn't seem like it's going to work right.


gcusello
SplunkTrust

Hi rkaakaty,
After a stats command you have only the fields of the stats, so after your first stats you have CVSS_SCORE, Plugin_Name and ID; after that you add (with the append command) hostips, IP, and plugin_id.
SEVERITY and CATEGORY aren't in the stats command; add values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY to the first stats command.
Bye.
Giuseppe


rkaakaty
Path Finder

Can you show me how you added it to my code?


gcusello
SplunkTrust

In the first stats, between stats and sum.
Bye.
Giuseppe


rkaakaty
Path Finder

I don't understand.


gcusello
SplunkTrust

Hi rkaakaty,
try:

 index=nessus cve=*  
 | eval ID=coalesce(id,plugin_id) 
 | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
 | rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
 | stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
 | appendcols 
     [ search index=nessus 
     | rename host-ip as hostip 
     | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
     ] 
 | rename Plugin_Name as TITLE
 | eval Systemic_Score = CVSS_SCORE*HOSTS
 | table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
 | sort - Systemic_Score

Bye.
Giuseppe


rkaakaty
Path Finder

See, now that fixed my CATEGORY and SEVERITY fields, but now my HOSTS, Systemic_Score, and plugin_id aren't populating.


gcusello
SplunkTrust

If these fields are in the nessus index, there is probably the same problem; try:

index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY 
values(HOSTS) AS HOSTS values(Systemic_Score) AS Systemic_Score values(plugin_id) AS plugin_id sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
      [ search index=nessus 
      | rename host-ip as hostip 
      | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
      ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score

Bye.
Giuseppe


rkaakaty
Path Finder

I still have the same problem... I'm not sure why.


gcusello
SplunkTrust

If you run your search up to the first rename (before the first stats), do you have all the wanted fields?

What is the meaning of appendcols?
Remember that (from https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Appendcols ) "The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on."

What information do you want to add to the first stats results?

Bye.
Giuseppe

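As an added example (not code from the thread, and not Splunk's own implementation), the following plain-Python model imitates the two SPL behaviours Giuseppe describes and runs them over constructed Nessus-like events: `stats ... by ID` emits only the by-field plus the aggregated aliases, so SEVERITY and CATEGORY vanish unless they are aggregated too; and `appendcols` merges row i of the subsearch onto row i of the main results with no key comparison, so as soon as the subsearch (which has no `cve=*` filter) yields a row the main search does not, HOSTS and plugin_id land on the wrong ID. The field names follow the thread; the events, hosts and CVE ids are made up. `key_aligned_pipeline` is the example's own key-based merge, added only to show what correctly aligned HOSTS would look like; it is not SPL.

```python
"""Model of two SPL behaviours from the thread, over constructed Nessus-like
events. Not Splunk code: a plain-Python imitation of `stats` and `appendcols`."""
from collections import defaultdict


def _ev(pid, host, cve, family, risk, base, temporal):
    """Build one constructed Nessus-style event (all values are made up)."""
    e = {"plugin_id": pid, "host-ip": host, "family_name": family, "risk_factor": risk,
         "cvss_base_score": base, "cvss_temporal_score": temporal, "plugin_name": "Plugin " + pid}
    if cve:
        e["cve"] = cve
    return e


EVENTS = [
    _ev("10", "10.0.0.1", "CVE-0000-0001", "Web Servers", "High", 7.0, 1.0),
    _ev("10", "10.0.0.2", "CVE-0000-0001", "Web Servers", "High", 7.0, 1.0),
    _ev("15", "10.0.0.3", None, "General", "None", 0.0, 0.0),  # informational: no cve field
    _ev("20", "10.0.0.1", "CVE-0000-0002", "Databases", "Medium", 5.0, 0.5),
    _ev("20", "10.0.0.2", "CVE-0000-0002", "Databases", "Medium", 5.0, 0.5),
    _ev("20", "10.0.0.3", "CVE-0000-0002", "Databases", "Medium", 5.0, 0.5),
]


def stats(rows, aggs, by):
    """Imitate `stats <aggs> by <by>`: each output row carries only the by-field
    plus the aggregation aliases; every other field is gone. aggs is a list of
    (function, field, alias) with function in sum/values/list/count."""
    groups = defaultdict(list)
    for r in rows:
        if by in r:
            groups[r[by]].append(r)
    out = []
    for key in sorted(groups):  # stats output is ordered by the by-field
        grp, row = groups[key], {by: key}
        for func, field, alias in aggs:
            vals = [r[field] for r in grp if field in r]
            if func == "count":
                row[alias] = len(vals)
            elif not vals:
                continue  # nothing matched: Splunk emits no such field at all
            elif func == "sum":
                row[alias] = sum(vals)
            elif func == "values":
                row[alias] = sorted(set(vals))  # values(): distinct entries
            elif func == "list":
                row[alias] = vals  # list(): one entry per event
        out.append(row)
    return out


def appendcols(main, sub):
    """Imitate `appendcols`: row i of the subsearch is merged onto row i of the
    main results purely by position; ID and plugin_id are never compared."""
    return [{**m, **(sub[i] if i < len(sub) else {})} for i, m in enumerate(main)]


def main_search(events, extra_aggs=()):
    """index=nessus cve=* | eval ID=coalesce(id,plugin_id) | eval CVSS_SCORE=...
    | rename ... | stats [extra_aggs] sum(CVSS_SCORE) values(plugin_name) by ID"""
    rows = []
    for e in events:
        if "cve" not in e:  # cve=* keeps only events that carry a cve field
            continue
        r = dict(e)
        r["ID"] = r.get("id", r["plugin_id"])  # coalesce(id, plugin_id)
        r["CVSS_SCORE"] = r["cvss_base_score"] + r["cvss_temporal_score"]
        r["CVE"], r["CATEGORY"], r["SEVERITY"] = r.pop("cve"), r.pop("family_name"), r.pop("risk_factor")
        rows.append(r)
    aggs = list(extra_aggs) + [("sum", "CVSS_SCORE", "CVSS_SCORE"), ("values", "plugin_name", "Plugin_Name")]
    return stats(rows, aggs, "ID")


def sub_search(events):
    """[ search index=nessus | rename host-ip as hostip
      | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id ]"""
    rows = [{**e, "hostip": e["host-ip"]} for e in events]  # note: no cve=* filter here
    return stats(rows, [("list", "hostip", "hostips"), ("list", "IP", "IP"),
                        ("count", "hostip", "HOSTS")], "plugin_id")


# Giuseppe's fix: aggregate SEVERITY and CATEGORY in the first stats as well.
SEVERITY_AGGS = [("values", "SEVERITY", "SEVERITY"), ("values", "CATEGORY", "CATEGORY")]


def add_systemic(rows):
    """eval Systemic_Score = CVSS_SCORE*HOSTS (only where both fields exist)."""
    out = []
    for r in rows:
        r = dict(r)
        if "CVSS_SCORE" in r and "HOSTS" in r:
            r["Systemic_Score"] = r["CVSS_SCORE"] * r["HOSTS"]
        out.append(r)
    return out


def original_pipeline(events):
    """The search as first posted: stats drops SEVERITY and CATEGORY."""
    return add_systemic(appendcols(main_search(events), sub_search(events)))


def fixed_stats_pipeline(events):
    """With the values(SEVERITY)/values(CATEGORY) fix, but still positional appendcols."""
    return add_systemic(appendcols(main_search(events, SEVERITY_AGGS), sub_search(events)))


def key_aligned_pipeline(events):
    """The example's own check (not SPL): attach the subsearch row whose plugin_id
    equals the main row's ID, the alignment the positional merge never does."""
    by_key = {s["plugin_id"]: s for s in sub_search(events)}
    main = main_search(events, SEVERITY_AGGS)
    return add_systemic([{**m, **by_key.get(m["ID"], {})} for m in main])


if __name__ == "__main__":
    for name, fn in [("original", original_pipeline), ("stats fixed", fixed_stats_pipeline),
                     ("key aligned", key_aligned_pipeline)]:
        for row in fn(EVENTS):
            print(name, {k: row.get(k) for k in ("ID", "SEVERITY", "HOSTS", "plugin_id", "Systemic_Score")})
```

Running it shows the thread's two symptoms side by side: the original rows have no SEVERITY key at all, and after the stats fix the row for ID 20 still receives HOSTS=1 and plugin_id=15 from the subsearch's second row (plugin 15 has no cve, so it exists only in the subsearch), which in turn makes Systemic_Score wrong. Only the key-aligned merge gives ID 20 its real HOSTS=3; in SPL that alignment comes from counting hosts in the same `stats ... by ID` rather than from a positional appendcols.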

sbbadri
Motivator

Did the family_name and risk_factor fields get extracted from the events? Are you seeing those two fields in the interesting fields section? Also execute the query below; it should output some values:

index=nessus cve=* | table family_name risk_factor

If it is not producing any results, then extract those two fields.
