I'm creating a dashboard that lets users input a comma delimited list of CVE's to search for. I'm trying to display a table that shows the number of times each CVE was found. I know how to display the number if the CVE was in the data but I'm struggling to find out how to display 0 for CVE's that aren't in the data.
I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel. The base query looks like this
<form> <label>Vulnerability Distribution</label> <init> <set token="tok_query">base</set> </init> <search> <query>| makeresults count=1 | eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,",")) | format | eval search=if(search=="NOT ()","","AND ".search) </query> <done> <set token="tok_query">$result.search$</set> </done> </search> <search id="base"> <query> | tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age `vm_datamodel_default_filter` $tok_query$ by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id | rename Vulnerabilities.Vuln_Mgmt.* as * </query>
the vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...)
The panel query that shows the count for CVE's it found looks like this:
<panel> <title>Vulnerability Distribution</title> <table> <search base="base"> <query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query> </search> </table> </panel>
I just can't figure out how to get the table to include 0 for CVE's not found.
Any help would be greatly appreciated
I found the answer here: https://community.splunk.com/t5/Splunk-Search/Display-a-result-when-the-count-0/m-p/145366