topic Re: Two fields are not populating, not sure why in Splunk Search

Two fields are not populating, not sure why

rkaakaty — Thu, 03 Aug 2017 14:48:08 GMT

Hello,

For some reason my SEVERITY, and CATEGORY field aren't showing any value..

Can anyone see why?

 index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
    [ search index=nessus 
    | rename host-ip as hostip 
    | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
    ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score

Re: Two fields are not populating, not sure why

sbbadri — Tue, 29 Sep 2020 15:13:31 GMT

Does not family_name and risk_factor fields got extracted from events. Are you seeing those two fields in interesting fields section. Also executed below query and it should output some values,

index=nessus cve=* | table family_name risk_factor

if not producing any results. Then extract those two fields.

Re: Two fields are not populating, not sure why

gcusello — Tue, 29 Sep 2020 15:12:20 GMT

Hi rkaakaty,
after a stats command you have only fields of stats so after your first stats you have CVSS_SCORE, Plugin_Name and ID, after you add (with append command) hostips, IP, and plugin_id.
SEVERITY and CATEGORY aren't in stats commands, add values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY to the first stats command.
Bye.
Giuseppe

Re: Two fields are not populating, not sure why

rkaakaty — Thu, 03 Aug 2017 16:14:12 GMT

Can you show me how you added it to my code?

Re: Two fields are not populating, not sure why

gcusello — Thu, 03 Aug 2017 16:29:44 GMT

In the first stats between stats and sum
Bye.
Giuseppe

Re: Two fields are not populating, not sure why

rkaakaty — Thu, 03 Aug 2017 19:11:08 GMT

I don't understand

Re: Two fields are not populating, not sure why

DalJeanis — Fri, 04 Aug 2017 00:01:20 GMT

updated to mark as code.

appendcols in that location does't seem like it's going to work right.

Re: Two fields are not populating, not sure why

gcusello — Fri, 04 Aug 2017 07:20:12 GMT

Hi rkaakaty,
try

 index=nessus cve=*  
 | eval ID=coalesce(id,plugin_id) 
 | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
 | rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
 | stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
 | appendcols 
     [ search index=nessus 
     | rename host-ip as hostip 
     | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
     ] 
 | rename Plugin_Name as TITLE
 | eval Systemic_Score = CVSS_SCORE*HOSTS
 | table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
 | sort - Systemic_Score

Bye.
Giuseppe

Re: Two fields are not populating, not sure why

rkaakaty — Tue, 29 Sep 2020 15:14:36 GMT

See now that fixed my category and severity field, but now my HOSTS, Systemic_Score, and plugin_id aren't populating

Re: Two fields are not populating, not sure why

gcusello — Fri, 04 Aug 2017 15:00:46 GMT

if these fields are in the nessus index probably there is the same problem, try:

index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY 
values(HOSTS) AS HOSTS values(Systemic_Score) AS Systemic_Score values(plugin_id) AS plugin_id sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
      [ search index=nessus 
      | rename host-ip as hostip 
      | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
      ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score

Bye.
Giuseppe

Re: Two fields are not populating, not sure why

rkaakaty — Fri, 04 Aug 2017 15:19:55 GMT

I still have the same problem... i'm not sure why

Re: Two fields are not populating, not sure why

gcusello — Fri, 04 Aug 2017 15:27:35 GMT

if you run your search until the first rename (before first stats), do you have all the wanted fields?

What is the meaning of appendcols?
remeber that (from https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Appendcols ) "The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on."

What information do you want to add to the first stats results?

Bye.
Giuseppe