I'm creating a dashboard that lets users input a comma delimited list of CVE's to search for. I'm trying to display a table that shows the number of times each CVE was found. I know how to display the number if the CVE was in the data but I'm struggling to find out how to display 0 for CVE's that aren't in the data.
I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel. The base query looks like this
<form>
<label>Vulnerability Distribution</label>
<init>
<set token="tok_query">base</set>
</init>
<search>
<query>| makeresults count=1
| eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,","))
| format
| eval search=if(search=="NOT ()","","AND ".search)
</query>
<done>
<set token="tok_query">$result.search$</set>
</done>
</search>
<search id="base">
<query>
| tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age
`vm_datamodel_default_filter` $tok_query$
by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id
| rename Vulnerabilities.Vuln_Mgmt.* as *
</query>
the vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...)
The panel query that shows the count for CVE's it found looks like this:
<panel>
<title>Vulnerability Distribution</title>
<table>
<search base="base">
<query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query>
</search>
</table>
</panel>
I just can't figure out how to get the table to include 0 for CVE's not found.
Any help would be greatly appreciated
I found the answer here: https://community.splunk.com/t5/Splunk-Search/Display-a-result-when-the-count-0/m-p/145366