Expanding data within my eval search

AttarSingh1 — Thu, 23 Feb 2023 15:06:33 GMT

index=data severity IN ("critical","high","medium","low")
| eval TopHost =
[ search index=tenable severity IN ("critical","high","medium","low")
| where len(dnsName)>0
| dedup dnsName,solution
| dedup dnsName,pluginText
| rex field=pluginName "^(?<VulnName>(?:\w+\s+){2})"
| dedup dnsName,VulnName
| top limit=1 dnsName
| rename dnsName as query
| fields query
| head 1]

| where dnsName=TopHost
| table dnsName, ip

My query above works, but missing one thing. Right now it is getting the first result ( using head command ). I am trying to do first 5 results and store that to my eval variable. I tried to change head 5 but got errors. Any help is appreciated. Thanks

Attached error

Re: Expanding data within my eval search

ITWhisperer — Thu, 23 Feb 2023 15:36:35 GMT

Try something like this

index=data severity IN ("critical","high","medium","low") | eval TopHost = split([ search index=tenable severity IN ("critical","high","medium","low") | where len(dnsName)>0 | dedup dnsName,solution | dedup dnsName,pluginText | rex field=pluginName "^(?<VulnName>(?:\w+\s+){2})" | dedup dnsName,VulnName | top limit=1 dnsName | rename dnsName as query | fields query | head 5 | format "\"" "" "" "" "" "\""]," ") | where dnsName=TopHost | table dnsName, ip

This assumes dnsName has no spaces in it

topic Re: Expanding data within my eval search in Splunk Search

Expanding data within my eval search

Re: Expanding data within my eval search