Splunk Enterprise Security

Does Splunk recognize a fraction value in a field as number?

ivan128
Explorer

Hi all, I have the following search that calculates a risk value based on a formula:

index=EX  sourcetype=EX | dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null())   | bucket _time  | stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count by _time | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4   | eval RiskValueL=round((VH1+0.75*VH2+0.5*VH3+0.1*VH4)/(VH1+VH2+VH3+VH4)*(VH/TH),5)

The end result is a value on RiskValueL that is a fraction, which I assumed it was considered as numeric value, however when I tried to visualize it with the Single Value it showed other value for the visualization. Just in case I tried to use |convert num(RiskValueL) in case this value was considered something else but it does not work, it showed a 0 in the single value visualization. I also isolated the value with |table RiskValueL so the statistics tab would show only the RiskValueL in case Splunk was picking up other value for the visualization (as I suspected it was doing due to the visualization output) but it presents a 0 in the visualization tab.

Any ideas on why this is happening or if I'm doing something wrong here?
Thanks in advance.

0 Karma

jawaharas
Motivator
  1. Which version of Splunk you are using?

  2. can you confirm whether the calculated value of RiskValueL variable is less than 1?

  3. Also, what is the value of RiskValueL shown under 'Statistics' tab and what's the modified value you get under 'Visualization' tab when you 'Single Value Visualization'

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...