https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509590#M142431 <P>Hi</P><P>maybe this is what you are looking for:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields</A></P><P>r. Ismo</P> Thu, 16 Jul 2020 20:07:47 GMT isoutamo 2020-07-16T20:07:47Z https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509563#M142424 <P>I'm currently trying to use the results of my eval fields in my base search&nbsp;</P><P>For example, I would like for my search to be</P><P>index=rapid7 sourcetype=rapid7:nexpose:vuln vuln_age &gt; 30 ratings=high</P><P>is there a way that I can do this?</P><P>Here's the current&nbsp; code:</P><P>index=rapid7 sourcetype=rapid7:nexpose:vuln<BR />| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")<BR />| eval t_date=now()<BR />| eval vuln_age= round((t_date - p_date)/86400)<BR />| eval ratings=case(vulnerability_cvss3_score&gt;0 AND vulnerability_cvss3_score&lt;=3.9, "Low",vulnerability_cvss3_score&gt;3.9 AND vulnerability_cvss3_score&lt;=6.9, "Medium", vulnerability_cvss3_score&gt;6.9 AND vulnerability_cvss3_score&lt;=8.9, "High", vulnerability_cvss3_score &gt; 8.9, "Critical")</P><P>&nbsp;</P> Thu, 16 Jul 2020 18:20:53 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509563#M142424 payton_tayvion 2020-07-16T18:20:53Z https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509590#M142431 <P>Hi</P><P>maybe this is what you are looking for:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields</A></P><P>r. Ismo</P> Thu, 16 Jul 2020 20:07:47 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509590#M142431 isoutamo 2020-07-16T20:07:47Z https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509596#M142435 <P>It's not possible to use a field before it exists.&nbsp; You can reformat the query like this:</P><LI-CODE lang="markup">index=rapid7 sourcetype=rapid7:nexpose:vuln (vulnerability_cvss3_score&gt;6.9 AND vulnerability_cvss3_score&lt;=8.9) | eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d") | eval t_date=now() | eval vuln_age= round((t_date - p_date)/86400) | eval ratings=case(vulnerability_cvss3_score&gt;0 AND vulnerability_cvss3_score&lt;=3.9, "Low",vulnerability_cvss3_score&gt;3.9 AND vulnerability_cvss3_score&lt;=6.9, "Medium", vulnerability_cvss3_score&gt;6.9 AND vulnerability_cvss3_score&lt;=8.9, "High", vulnerability_cvss3_score &gt; 8.9, "Critical")</LI-CODE><P>or use a macro like this:</P><LI-CODE lang="markup">index=rapid7 sourcetype=rapid7:nexpose:vuln `high_cvss` | eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d") | eval t_date=now() | eval vuln_age= round((t_date - p_date)/86400) | eval ratings=case(vulnerability_cvss3_score&gt;0 AND vulnerability_cvss3_score&lt;=3.9, "Low",vulnerability_cvss3_score&gt;3.9 AND vulnerability_cvss3_score&lt;=6.9, "Medium", `high_cvss`, "High", vulnerability_cvss3_score &gt; 8.9, "Critical")</LI-CODE><P>where the macro <FONT face="courier new,courier">high_cvss</FONT> is defined as "<FONT face="courier new,courier">(vulnerability_cvss3_score&gt;6.9 AND vulnerability_cvss3_score&lt;=8.9)</FONT>".</P> Thu, 16 Jul 2020 20:26:20 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509596#M142435 richgalloway 2020-07-16T20:26:20Z https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509826#M142513 <P>Thanks everyone I was able to find a solution. The search command did exactly what I was looking for. Thanks for the replies everyone&nbsp;</P> Sat, 18 Jul 2020 07:26:14 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-results-of-a-search-with-my-base-search/m-p/509826#M142513 payton_tayvion 2020-07-18T07:26:14Z