Hi all, I have the following search that calculates a risk value based on a formula:
index=EX sourcetype=EX | dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null()) | bucket _time | stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count by _time | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4 | eval RiskValueL=round((VH1+0.75*VH2+0.5*VH3+0.1*VH4)/(VH1+VH2+VH3+VH4)*(VH/TH),5)
The end result is a value on RiskValueL that is a fraction, which I assumed it was considered as numeric value, however when I tried to visualize it with the Single Value it showed other value for the visualization. Just in case I tried to use |convert num(RiskValueL)
in case this value was considered something else but it does not work, it showed a 0 in the single value visualization. I also isolated the value with |table RiskValueL
so the statistics tab would show only the RiskValueL in case Splunk was picking up other value for the visualization (as I suspected it was doing due to the visualization output) but it presents a 0 in the visualization tab.
Any ideas on why this is happening or if I'm doing something wrong here?
Thanks in advance.
Which version of Splunk you are using?
can you confirm whether the calculated value of RiskValueL variable is less than 1?
Also, what is the value of RiskValueL shown under 'Statistics' tab and what's the modified value you get under 'Visualization' tab when you 'Single Value Visualization'