Splunk Search

How to search using comma delimited list and count results for each token in the input (even if 0 results are found)?

cvg1wby
Explorer

I'm creating a dashboard that lets users input a comma delimited list of CVE's to search for.  I'm trying to display a table that shows the number of times each CVE was found.  I know how to display the number if the CVE was in the data but I'm struggling to find out how to display 0 for CVE's that aren't in the data.

I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel.   The base query looks like this

 

<form>
  <label>Vulnerability Distribution</label>
  <init>
    <set token="tok_query">base</set>
  </init>
  <search>
    <query>| makeresults count=1 
| eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,","))
| format
| eval search=if(search=="NOT ()","","AND ".search)
</query>
    <done>
      <set token="tok_query">$result.search$</set>
    </done>
  </search>
  <search id="base">
    <query>
      | tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age
`vm_datamodel_default_filter` $tok_query$
by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id
| rename Vulnerabilities.Vuln_Mgmt.* as *
</query>

 

 

 

the vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...)

The panel query that shows the count for CVE's it found looks like this:

 

 

 

<panel>
  <title>Vulnerability Distribution</title>
  <table>
    <search base="base">
      <query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query>
    </search>
  </table>
</panel>

 

 

 

I just can't figure out how to get the table to include 0 for CVE's not found.

Any help would be greatly appreciated

Labels (3)
Tags (1)
0 Karma
1 Solution
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...