https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577057#M1371 <P>The stats expression&nbsp;<SPAN><FONT face="courier new,courier">count(eval(severity="low")) as low</FONT> will always return the same value, regardless of the severity level.&nbsp; This is because the <FONT face="courier new,courier">eval</FONT> function returns either 0 or 1 and <FONT face="courier new,courier">count</FONT> merely says how many 0s and 1s there were - not what you're looking for.</SPAN></P><P><SPAN>Try using <FONT face="courier new,courier">sum(eval(severity="low")) as low</FONT>.</SPAN></P> Thu, 02 Dec 2021 13:35:39 GMT richgalloway 2021-12-02T13:35:39Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/576947#M1370 <P>Hello,&nbsp;</P><P>I am trying to create a SPL query that will provide the following:</P><P><STRONG>Active_Repository&nbsp;</STRONG></P><P>Qualifying Statement - <STRONG>Scan Policy</STRONG></P><P>Qualifying Statement - <STRONG>Credentialed_Scan:true</STRONG></P><P><STRONG>Agent_Repository&nbsp;</STRONG></P><P>Qualifying Statement - <STRONG>Agent_Policy</STRONG></P><P>Qualifying Statement - <STRONG>Credentialed checks : yes</STRONG>&nbsp;</P><P><U><STRONG>Query&nbsp;</STRONG></U></P><P>earliest=-7d@d index=acas "Credentialed Check" OR "credentialed check"</P><P>| rex field=operatingSystem "^(?P&lt;OS_Type&gt;\D+)\s(?P&lt;OS_Version&gt;.*)"</P><P>| rex field=dnsName "^(?P&lt;hostname&gt;\w+)\.(?P&lt;domain&gt;.*)$"</P><P>| rex field=system "^(?P&lt;manufacture&gt;\w+)\.(?P&lt;serialnumber&gt;.*)$</P><P>| eval AWS=if(like(dnsName,"cloud%"),"TRUE,"FALSE")</P><P>| iplocation ip</P><P>| eventstats count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="critical")) as critical by ip,hostname, plugin_id</P><P>| dedup ip, hostname,plugin_id</P><P>| eval total = low+medium+high+critical</P><P>| where total&gt;4</P><P>| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacutre, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon</P><P>&nbsp;</P><P>Unfortunately, I am not able to get all severity scores.&nbsp; &nbsp;I keep getting a total of either a 0 or 1 for (low, medium, high, critical)&nbsp; severity.&nbsp; &nbsp;</P><P>Has anyone come across this issue?&nbsp;&nbsp;</P> Wed, 01 Dec 2021 21:01:32 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/576947#M1370 Omarop 2021-12-01T21:01:32Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577057#M1371 <P>The stats expression&nbsp;<SPAN><FONT face="courier new,courier">count(eval(severity="low")) as low</FONT> will always return the same value, regardless of the severity level.&nbsp; This is because the <FONT face="courier new,courier">eval</FONT> function returns either 0 or 1 and <FONT face="courier new,courier">count</FONT> merely says how many 0s and 1s there were - not what you're looking for.</SPAN></P><P><SPAN>Try using <FONT face="courier new,courier">sum(eval(severity="low")) as low</FONT>.</SPAN></P> Thu, 02 Dec 2021 13:35:39 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577057#M1371 richgalloway 2021-12-02T13:35:39Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577122#M1372 <P>Thank you for the response.&nbsp; I did try using the command you provided sum(eval(severity="low")) as low but it only comes back for the low severity level but does not for medium, high, and critical.&nbsp; I keep getting zero.</P> Thu, 02 Dec 2021 18:48:18 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577122#M1372 Omarop 2021-12-02T18:48:18Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577125#M1373 <P>Do you have events with non-low severity?&nbsp; Please share the complete, modified query.&nbsp; It would help to see some sample events, too.</P> Thu, 02 Dec 2021 19:12:17 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577125#M1373 richgalloway 2021-12-02T19:12:17Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577135#M1374 <P>Sure down below is the modified SPL QUERY</P><P><U><STRONG>Query&nbsp;</STRONG></U></P><P>earliest=-7d@d index=acas "Credentialed Check" OR "credentialed check"</P><P>| rex field=operatingSystem "^(?P&lt;OS_Type&gt;\D+)\s(?P&lt;OS_Version&gt;.*)"</P><P>| rex field=dnsName "^(?P&lt;hostname&gt;\w+)\.(?P&lt;domain&gt;.*)$"</P><P>| rex field=system "^(?P&lt;manufacture&gt;\w+)\.(?P&lt;serialnumber&gt;.*)$</P><P>| eval AWS=if(like(dnsName,"cloud%"),"TRUE,"FALSE")</P><P>| iplocation ip</P><P>| eventstats sum(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="critical")) as critical by ip,hostname, plugin_id</P><P>| dedup ip, hostname,plugin_id</P><P>| eval total = low+medium+high+critical</P><P>| where total&gt;4</P><P>| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacutre, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon</P> Thu, 02 Dec 2021 20:17:15 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577135#M1374 Omarop 2021-12-02T20:17:15Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577217#M1375 <P>The <FONT face="courier new,courier">eventstats</FONT> command was updated for severity=low, but not for the other severity levels.&nbsp; Apply the same change (s/count/sum/) to them and see what results you get.</P> Fri, 03 Dec 2021 13:09:47 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577217#M1375 richgalloway 2021-12-03T13:09:47Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577475#M1376 <P>I tried inputting the following and did not get any results.</P><P>| eventstats count sum(eval(severity="low")) as low, count sum(eval(severity="medium")) as medium, count sum(eval(severity="high")) as high, count sum(eval(severity="critical")) as critical</P> Mon, 06 Dec 2021 14:36:54 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577475#M1376 Omarop 2021-12-06T14:36:54Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577490#M1377 <P>I may have missed it in an earlier response, but the correct function is "sum", not "count sum".</P><LI-CODE lang="markup">| eventstats sum(eval(severity="low")) as low, sum(eval(severity="medium")) as medium, sum(eval(severity="high")) as high, sum(eval(severity="critical")) as critical</LI-CODE> Mon, 06 Dec 2021 16:40:16 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577490#M1377 richgalloway 2021-12-06T16:40:16Z https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577539#M1378 <P>I think the issue is that you are adding fields with null values and the result becomes null.</P><P>Try this before adding the values:</P><P><STRONG>| fillnull value=0 low medium high critical</STRONG><BR />| eval total=low+medium+high+critical<BR /><BR /></P><P>Here's a different way to skin the cat.</P><P>| eval {severity}=1<BR />| eventstats sum(low) AS low sum(medium) AS medium sum(high) AS high sum(critical) AS critical by<SPAN>&nbsp;ip,hostname, plugin_id</SPAN><BR />| fillnull value=0 low medium high critical<BR />| eval total=low+medium+high+critical<BR />| where total&gt;4</P> Tue, 07 Dec 2021 02:20:48 GMT https://community.splunk.com/t5/Training-Certification/SPL-QUERY/m-p/577539#M1378 johnhuang 2021-12-07T02:20:48Z