Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to show a row for every day in my results.

frostyflamez
Explorer
‎04-07-2021 10:44 AM

The following search works well, but I'm not able to get it to occur for daily results with each day getting a row in the results.  How can I get it to provide daily results?

index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw
[| inputlookup IT_Systems where Status="Operational" OR Status="Modification"
| fields fismaid] ) fismaid=* 
| fields asset_id,hostname,ipaddress,ec2_instance_id,devicetype,os,everSeenBy,firstSeen,lastScan,last_scan_attempt_scandate,last_scan_attempt_credentialed,Credentialed_Scan,lastSeen,fismaid,CriticalCount,HighCount,Criticals,Highs,TotalAssetScore ,AuthenticationRequired,CriticalAssetScore,HighAssetScore
| stats values(*) as * by asset_id
| eval elast=strptime(lastSeen,"%Y-%m-%d %H:%M:%S")
| where elast>=relative_time(now(),"@mon")
| eval AutoFail=if(AuthenticationRequired=="1" AND (Credentialed_Scan=="false" OR isnull(Credentialed_Scan)),1,0)
| eval CriticalPoints=CriticalCount*12, HighPoints=HighCount*4
| eval CriticalPoints=if(CriticalPoints>60,60,CriticalPoints), HighPoints=if(HighPoints>40,40,HighPoints)
| eval PointsLost=CriticalPoints + HighPoints
| eventstats sum(PointsLost) as TotalPointsLost,sum(TotalAssetScore) as TotalScore, dc(asset_id) as TotalAssets, sum(AutoFail) as AutoFailTotal, count(eval(isnull(Credentialed_Scan))) as MissingScans
| eval Percent_to_AutoFails=round(AutoFailTotal/TotalAssets*100)
| eval Percent_MissingScans=round(MissingScans/TotalAssets*100)
| eval Percent_PointsLost=round(TotalPointsLost/TotalAssets)
| eval VULN_Score= round(TotalScore/TotalAssets)
| lookup IT_Systems fismaid output Title , hva
| replace 1 with "True", 0 with "False" in hva
| rename hva as "High Value Assets"
| table VULN_Score, Percent_MissingScans,TotalAssets,Percent_PointsLost
| stats values(*) as *

 

I tried adding | bin and by bucket to get the below search, which returns zero results, but does match on events.

 

 

index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw
[| inputlookup IT_Systems where Status="Operational" OR Status="Modification"
| fields fismaid] ) fismaid=* | bin span=1d _time
| fields asset_id,hostname,ipaddress,ec2_instance_id,devicetype,os,everSeenBy,firstSeen,lastScan,last_scan_attempt_scandate,last_scan_attempt_credentialed,Credentialed_Scan,lastSeen,fismaid,CriticalCount,HighCount,Criticals,Highs,TotalAssetScore ,AuthenticationRequired,CriticalAssetScore,HighAssetScore
| stats values(*) as * by asset_id by _time
| eval elast=strptime(lastSeen,"%Y-%m-%d %H:%M:%S")
| where elast>=relative_time(now(),"@mon")
| eval AutoFail=if(AuthenticationRequired=="1" AND (Credentialed_Scan=="false" OR isnull(Credentialed_Scan)),1,0)
| eval CriticalPoints=CriticalCount*12, HighPoints=HighCount*4
| eval CriticalPoints=if(CriticalPoints>60,60,CriticalPoints), HighPoints=if(HighPoints>40,40,HighPoints)
| eval PointsLost=CriticalPoints + HighPoints
| eventstats sum(PointsLost) as TotalPointsLost,sum(TotalAssetScore) as TotalScore, dc(asset_id) as TotalAssets, sum(AutoFail) as AutoFailTotal, count(eval(isnull(Credentialed_Scan))) as MissingScans
| eval Percent_to_AutoFails=round(AutoFailTotal/TotalAssets*100)
| eval Percent_MissingScans=round(MissingScans/TotalAssets*100)
| eval Percent_PointsLost=round(TotalPointsLost/TotalAssets)
| eval VULN_Score= round(TotalScore/TotalAssets)
| lookup IT_Systems fismaid output Title , hva
| replace 1 with "True", 0 with "False" in hva
| rename hva as "High Value Assets"
| table VULN_Score, Percent_MissingScans,TotalAssets,Percent_PointsLost
| stats values(*) as *

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-07-2021 03:27 PM

This is wrong

| stats values(*) as * by asset_id by _time

should be

| stats values(*) as * by asset_id _time

i.e. it thinks you are splitting by 3 fields (asset_id, by, _time)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-07-2021 03:27 PM

This is wrong

| stats values(*) as * by asset_id by _time

should be

| stats values(*) as * by asset_id _time

i.e. it thinks you are splitting by 3 fields (asset_id, by, _time)

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2021 11:30 AM

Your large fields command doesn't include _time so the stats may not have anything to work with?

Reply
Solved! Jump to solution

frostyflamez
Explorer
‎04-07-2021 11:34 AM

I added _time to the fields and received the same result

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2021 12:48 PM

At what point do you get zero results? Try removing a line at a time until you find out when the results return.

0 Karma
Reply
Solved! Jump to solution

frostyflamez
Explorer
‎04-07-2021 01:00 PM

When I remove _time and | bin span=1d, it returns results.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2021 03:08 PM

Are you saying that 

index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw
[| inputlookup IT_Systems where Status="Operational" OR Status="Modification"
| fields fismaid] ) fismaid=*

gives you results but

index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw
[| inputlookup IT_Systems where Status="Operational" OR Status="Modification"
| fields fismaid] ) fismaid=* | bin span=1d _time

doesn't?

If so, what field has your time value in?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...