https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555343#M157640 <P>For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.</P><P>output for this command =&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">VulnerabilityCVEIDs count percent isolatedCVE CVE-2021-31959 106 29.12 CVE-2021-31959</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Full search =</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| search index=rapid7 sourcetype="vuln_db" | eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") | eval disctime=strftime(_time, "%Y-%m-%d") | eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") | where VulnerabilityTitle LIKE "Microsoft%" AND Addtime &gt; disctime | top VulnerabilityCVEIDs limit=1 | eval isolatedCVE=VulnerabilityCVEIDs | appendcols [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE | dedup AssetNames | dedup AssetIPAddress | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs | fields - count]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;&nbsp;</P> Thu, 10 Jun 2021 16:36:37 GMT jlovik 2021-06-10T16:36:37Z https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555343#M157640 <P>For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.</P><P>output for this command =&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">VulnerabilityCVEIDs count percent isolatedCVE CVE-2021-31959 106 29.12 CVE-2021-31959</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Full search =</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| search index=rapid7 sourcetype="vuln_db" | eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") | eval disctime=strftime(_time, "%Y-%m-%d") | eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") | where VulnerabilityTitle LIKE "Microsoft%" AND Addtime &gt; disctime | top VulnerabilityCVEIDs limit=1 | eval isolatedCVE=VulnerabilityCVEIDs | appendcols [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE | dedup AssetNames | dedup AssetIPAddress | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs | fields - count]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;&nbsp;</P> Thu, 10 Jun 2021 16:36:37 GMT https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555343#M157640 jlovik 2021-06-10T16:36:37Z https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555369#M157645 <P>You didn't get&nbsp;<SPAN>stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results.&nbsp;<BR /><BR />But that appendcols won't do anything unless you have any events where&nbsp;VulnerabilityCVEIDs has literal value&nbsp; 'isolatedCVE".&nbsp;</SPAN></P><P><BR />Note1 :&nbsp;isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command.<BR />Note 2:&nbsp; field1=field2 can be used only with where command&nbsp;<BR /><A href="https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fields" target="_blank">https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fields</A>&nbsp;</P> Thu, 10 Jun 2021 19:08:31 GMT https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555369#M157645 rupkumar4sec 2021-06-10T19:08:31Z https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555370#M157646 <P>To get the result you want, you have to use "join" command, where you can use&nbsp;<SPAN>VulnerabilityCVEIDs&nbsp; and common field and get the other fields you need from the main search.<BR /><BR /><BR /><BR /></SPAN></P> Thu, 10 Jun 2021 19:15:22 GMT https://community.splunk.com/t5/Splunk-Search/Storing-top-result-as-variable-then-displaying-systems-with-that/m-p/555370#M157646 rupkumar4sec 2021-06-10T19:15:22Z