Hello,
For some reason my SEVERITY and CATEGORY fields aren't showing any value.
Can anyone see why?
index=nessus cve=*
| eval ID=coalesce(id,plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols
[ search index=nessus
| rename host-ip as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
]
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
updated to mark as code.
appendcols in that location doesn't seem like it's going to work right.
Hi rkaakaty,
after a stats command you have only the fields of stats, so after your first stats you have CVSS_SCORE, Plugin_Name and ID; after that you add (with the append command) hostips, IP, and plugin_id.
SEVERITY and CATEGORY aren't in the stats command, so add values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY
to the first stats command.
Bye.
Giuseppe
Can you show me how you added it to my code?
In the first stats command, between stats and sum.
Bye.
Giuseppe
I don't understand
Hi rkaakaty,
try
index=nessus cve=*
| eval ID=coalesce(id,plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols
[ search index=nessus
| rename host-ip as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
]
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
Bye.
Giuseppe
See, now that fixed my category and severity fields, but now my HOSTS, Systemic_Score, and plugin_id aren't populating.
If these fields are in the nessus index, probably there is the same problem; try:
index=nessus cve=*
| eval ID=coalesce(id,plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY
values(HOSTS) AS HOSTS values(Systemic_Score) AS Systemic_Score values(plugin_id) AS plugin_id sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols
[ search index=nessus
| rename host-ip as hostip
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
]
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
Bye.
Giuseppe
I still have the same problem... I'm not sure why.
If you run your search up to the first rename (before the first stats), do you have all the wanted fields?
What is the meaning of appendcols?
Remember that (from https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Appendcols ) "The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on."
What information do you want to add to the first stats results?
Bye.
Giuseppe
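Given the row-by-row merge quoted above, the per-plugin host count can be computed in the same stats as the severity and category instead of being bolted on with appendcols. The following search is an added example, not code from the original thread or from either participant; it assumes the Nessus field names used in the thread (host-ip, plugin_id, plugin_name, cvss_base_score, cvss_temporal_score, family_name, risk_factor, cve, id) and that each event is one finding of one plugin on one host. It uses max(CVSS_SCORE) rather than sum(), a choice explained below.

```spl
index=nessus cve=*
| eval ID=coalesce(id, plugin_id)
| eval CVSS_SCORE=cvss_base_score + cvss_temporal_score
| rename family_name as CATEGORY, risk_factor as SEVERITY, host-ip as hostip
| stats values(SEVERITY) as SEVERITY
        values(CATEGORY) as CATEGORY
        values(plugin_name) as TITLE
        values(plugin_id) as plugin_id
        max(CVSS_SCORE) as CVSS_SCORE
        dc(hostip) as HOSTS
        values(hostip) as hostips
        by ID
| eval Systemic_Score=CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
```

Why this avoids the empty columns: the thread's main search filters on cve=* and groups by ID=coalesce(id, plugin_id), while its subsearch has no filter and groups by plugin_id, so row N of the main result and row N of the subsearch are in general unrelated findings, and appendcols simply pastes them side by side; HOSTS and Systemic_Score then end up on the wrong row or on no row at all. Computing dc(hostip) inside the one stats keyed by ID ties the host count to the plugin it belongs to. The switch from sum() to max() is deliberate: with one event per host and plugin, sum(CVSS_SCORE) already grows with the number of affected hosts, so multiplying it by HOSTS counts the hosts twice; max() keeps the plugin's own score and Systemic_Score becomes score times affected hosts. As the last answer in the thread points out, values(SEVERITY) and values(CATEGORY) stay empty if risk_factor and family_name are not extracted at search time, so confirm with index=nessus cve=* | table family_name risk_factor host-ip first.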
Are the family_name and risk_factor fields getting extracted from the events? Are you seeing those two fields in the interesting fields section? Also, execute the query below; it should output some values:
index=nessus cve=* | table family_name risk_factor
If it does not produce any results, then extract those two fields.