topic Re: Why is my search not returning any results? in Splunk Search

Why is my search not returning any results?

rkaakaty — Wed, 19 Jul 2017 19:26:12 GMT

Can anyone tell me why I am not returning any results?

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by ID 
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

Thank you.

Re: Why is my search not returning any results?

cmerriman — Wed, 19 Jul 2017 19:37:13 GMT

you need to include CVSS_SCORE in your stats command, you are not allowed to table it without bringing it forward. you can also rename your count(host-ip) in your stats command.

index=nessus cve=*
 | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score| rename id as ID, cve as CVE 
 | stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) as HOSTS sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID 
 | table ID, Plugin_Name, CVSS_SCORE, HOSTS
 | sort - CVSS_SCORE

Re: Why is my search not returning any results?

Grumpalot — Wed, 19 Jul 2017 19:37:42 GMT

Give this a try made a change to by ID since it seems to be id then you rename to ID

 index=nessus cve=*
 | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
 | stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by id 
 | rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
 | table ID, Plugin_Name, CVSS_SCORE, HOSTS
 | sort - CVSS_SCORE

Re: Why is my search not returning any results?

rkaakaty — Wed, 19 Jul 2017 19:52:59 GMT

Thank you,

Now i've run into a problem of only getting 0's as my HOSTS

Re: Why is my search not returning any results?

cmerriman — Wed, 19 Jul 2017 19:56:47 GMT

try this removing the two list commands or renaming the list(host-ip) as host-ip to list(host-ip) as host-ips to see if that works. you're counting host-ip after putting it into a list and naming it that field name.

Re: Why is my search not returning any results?

rkaakaty — Wed, 19 Jul 2017 20:01:08 GMT

Still the same result 😕

Re: Why is my search not returning any results?

cmerriman — Wed, 19 Jul 2017 20:03:33 GMT

one other thing to try:

 index=nessus cve=*
  | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score| rename id as ID, cve as CVE "host-ip" as hostip
  | stats list(hostip) as hostips, list(IP) as IP count(hostip) as HOSTS sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID 
  | table ID, Plugin_Name, CVSS_SCORE, HOSTS
  | sort - CVSS_SCORE

Re: Why is my search not returning any results?

rkaakaty — Thu, 20 Jul 2017 15:02:43 GMT

Unfortunately I am still getting 0 values for HOSTS

Re: Why is my search not returning any results?

Grumpalot — Thu, 20 Jul 2017 16:40:24 GMT

I think I see what the problem is; you have two searches that need to take place to match on ID from Plugin and plugin_ID from the scans. Give this search a try, it may take a bit longer. I'm going to use some of @cmerriman 's written code hope you don't mind.

index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols [search index=nessus 
| rename host-ip as hostip 
| stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id] 
| table ID, Plugin_Name, CVSS_SCORE, HOSTS 
| sort - CVSS_SCORE