Splunk Search

How to search using comma delimited list and count results for each token in the input (even if 0 results are found)?


I'm creating a dashboard that lets users input a comma delimited list of CVE's to search for.  I'm trying to display a table that shows the number of times each CVE was found.  I know how to display the number if the CVE was in the data but I'm struggling to find out how to display 0 for CVE's that aren't in the data.

I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel.   The base query looks like this


  <label>Vulnerability Distribution</label>
    <set token="tok_query">base</set>
    <query>| makeresults count=1 
| eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,","))
| format
| eval search=if(search=="NOT ()","","AND ".search)
      <set token="tok_query">$result.search$</set>
  <search id="base">
      | tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age
`vm_datamodel_default_filter` $tok_query$
by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id
| rename Vulnerabilities.Vuln_Mgmt.* as *




the vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...)

The panel query that shows the count for CVE's it found looks like this:




  <title>Vulnerability Distribution</title>
    <search base="base">
      <query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query>




I just can't figure out how to get the table to include 0 for CVE's not found.

Any help would be greatly appreciated

Labels (3)
Tags (1)
0 Karma
1 Solution
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...