I'm trying to figure out the percent of successful authentications from our vulnerability scans. There is a field named IP_Auth_Type and if I do a stats count by for that field I get the following:
I would like to add all those above-mentioned bullet points; add the Unix Successful and Windows Successful and divide it by the total of all the points.
This is what I have so far:
| inputlookup vulnresults.csv
| stats sum(Unix Failed) as UnixFailed_sum, sum(Unix Not Attempted) as UnixNotAttempted_sum, sum(Unix Successful) as UnixSuccessful_sum, sum(Windows Successful) as WindowsSuccessful_sum
| eval total=UnixFailed_sum + UnixNotAttempted_sum + UnixSuccessful_sum + WindowsSuccessful_sum
| eval ratio=(UnixSuccessful_sum + WindowsSuccessful_sum) / (total)
| table NA_sum UnixFailed_sum UnixNotAttempted_sum UnixSuccessful_sum WindowsSuccessful_sum total ratio
This doesn't bring any result, so any help would be greatly appreciated.
If it brings NO results, then there is a problem with some part of the search, often with invalid or incorrect field names.
So, the search seems technically OK, although you don't calculate NA_sum in the table.
If you remove all lines after the stats, do you get the 4 values from stats?
As there is nothing else that is removing data, it has to be that the fields in the lookup are not the ones you are using to calculate the results in the stats.
Note: You can easily calculate total in the stats command by adding the count, i.e.
| stats count as total sum("Unix Failed")...
Note that it's good practice to use quotes round fields with spaces.
Hi,
I went through it all again and still get nothing. The items I'm trying to add and divide are not fields: they are names of results in a field called IP_Auth_Type. I'm sure that makes a difference but I'm not sure how.
Please post the search you are running in a <> codeblock and a screenshot of the results, so I can better understand what is occurring.
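An added example, not part of any post in this thread: when the categories are values of IP_Auth_Type rather than separate fields, conditional counts inside stats give the per-category totals and the success percentage in one pass. It assumes vulnresults.csv has one row per scanned host and that the values are spelled exactly as the names used in the search above; the output field names are made up for illustration.

```spl
| inputlookup vulnresults.csv
| stats count as total
        count(eval(IP_Auth_Type="Unix Successful")) as unix_successful
        count(eval(IP_Auth_Type="Windows Successful")) as windows_successful
        count(eval(IP_Auth_Type="Unix Failed")) as unix_failed
        count(eval(IP_Auth_Type="Unix Not Attempted")) as unix_not_attempted
| eval successful = unix_successful + windows_successful
| eval pct_successful = if(total > 0, round(successful / total * 100, 2), null())
| table total unix_successful windows_successful unix_failed unix_not_attempted successful pct_successful
```

Here total counts every row in the lookup, including rows whose IP_Auth_Type is some other value or empty, so hosts that were never authenticated still lower the percentage.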