Splunk Search

How to edit my search to use a custom field created with eval in my time chart search?

trevorr2004
Engager

I have a search that comes up with a score based off a custom formula from nessus scan results. I want to plot that vulnscore over the past 90 days IE the score from 0-30/30-60/60-90. Can anyone provide a little guidance on how I can make use of timechart with a custom eval field rather than simply running a search and using those results in the timechart. Listed below is my base search.

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*" 
| dedup dest_dns signature_id 
|stats count by signature_id cvss_base_score 
|eval  scoreadjust=floor(cvss_base_score) 
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
|  eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore 
0 Karma
1 Solution

sundareshr
Legend

Try this

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"  earliest=-90d@d 
| dedup dest_dns signature_id 
| eval range=case(_time>relative_time(now(), "-90d@d") AND _time<relative_time(now(), "-60d@d"), "60-90 days", _time>relative_time(now(), "-60d@d") AND _time<relative_time(now(), "-30d@d"), "30-60 days", _time>relative_time(now(), "-30d@d"), "0-30 days", 1=1, "UNK")
| stats count by range signature_id cvss_base_score 
| eval  scoreadjust=floor(cvss_base_score) 
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore by range

View solution in original post

sundareshr
Legend

Try this

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"  earliest=-90d@d 
| dedup dest_dns signature_id 
| eval range=case(_time>relative_time(now(), "-90d@d") AND _time<relative_time(now(), "-60d@d"), "60-90 days", _time>relative_time(now(), "-60d@d") AND _time<relative_time(now(), "-30d@d"), "30-60 days", _time>relative_time(now(), "-30d@d"), "0-30 days", 1=1, "UNK")
| stats count by range signature_id cvss_base_score 
| eval  scoreadjust=floor(cvss_base_score) 
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore by range

trevorr2004
Engager

This worked perfectly for a line graph. Do you have any suggestions on how I could use this same search to use the single value to give just a comparison from previous months?

0 Karma

sundareshr
Legend

Try this for the Prev Month comparison (I assume you are referring to trend in single value)

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"  earliest=-60d@d 
 | dedup dest_dns signature_id 
 | bin span=1mon _time
 | stats count by _time signature_id cvss_base_score 
 | eval  scoreadjust=floor(cvss_base_score) 
 | eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
 | eval riskscore=count*scoreadjust/5500
 | stats sum(riskscore) as VulnScore by _time
0 Karma

trevorr2004
Engager

This worked also. Final question, say I have for instance an eval

eval PatchScorePerHost=PatchScore/5550

and I don't need to sum but need to plot that in timetables also. Is there any function of the stat command to just plot the output of the final eval. Basically I am working on creating a risk score that we can track in splunk.

0 Karma

sundareshr
Legend

Try using values(PatchScorePerHost) for a dedup'd list OR list(PatchScorePerHost) for all entries

0 Karma

trevorr2004
Engager

I was able to rearrange my equation like such with your guidance.

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"     
| dedup dest_dns signature_id 
| bin span=1mon _time   
| stats count by _time signature_id cvss_base_score 
| eval  scoreadjust=floor(cvss_base_score)    
| eval scoreadjust=round(pow(scoreadjust,3)/100)   
| eval riskscore=count*scoreadjust/5500 
| eval my_time=_time 
| convert timeformat="%m-%Y" ctime(my_time)   
| stats  sum(riskscore) as VulnScore by my_time

Instead of using the static number of 5500, is there a way I could dynamically count my host scan then use that in an eval statement so

stats dc(dest_dns) and then use that instead of the 5500?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...