Multisearch on one index. Need to add weight to results and timechart final results

matt1t
Explorer

All, I've been banging my head against the wall on this. Maybe it's not possible, I don't know. I'm doing a multi search and adding weight to the results depending on the severity. My main goal is to do all the "work" and timechart the end score. Here is my code; I'm sure I'm looking at this wrong. Any direction is appreciated.

index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| dedup _raw
| eval crisk=case(severity=="critical",".35")
| search crisk=*
| timechart sum(crisk) as riskc
| eval diffc=297-riskc
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
    | dedup _raw
    | eval hrisk=case(severity=="high",".30")
    | search hrisk=*
    | timechart sum(hrisk) as riskh
    | eval diffh=255-riskh ]
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
    | dedup _raw
    | eval mrisk=case(severity=="medium",".15")
    | search mrisk=*
    | timechart sum(mrisk) as riskhm
    | eval diffm=127-riskm ]
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
    | dedup _raw
    | eval lrisk=case(severity=="low",".10")
    | search lrisk=*
    | timechart sum(lrisk) as riskhl
    | eval diffl=85-riskl ]
| timechart score=(diffc+diffh+diffm+diffl)

What I have found is that I can only sum the day's risk(x) with the timechart command. I really don't need to use this command, | timechart sum(lrisk) as riskhl, however this is the only way I can get the results I need. Below are the results displayed. As you can see, I am missing output I want, like diffm, diffl and score.

_time       riskc   diffc   diffh    riskh   riskhl  riskhm
2019-12-17  62.30   234.70  74.40    180.60  34.50   76.50
2019-12-18  59.15   237.85  82.80    172.20  34.50   76.05
2019-12-19  61.60   235.40  79.20    175.80  34.30   85.80
2019-12-20  62.65   234.35  78.30    176.70  34.30   85.95
2019-12-21  8.40    288.60  238.80   16.20   1.50    5.10
2019-12-22  61.95   235.05  78.90    176.10  34.60   91.20
2019-12-23  135.45  161.55  -115.50  370.50  71.60   194.55

Thanks for looking.

0 Karma

richgalloway
SplunkTrust

There's no need for multiple searches with the same criteria. Try this query:

index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| eval crisk=case(severity=="critical",".35"), hrisk=case(severity=="high",".30"), mrisk=case(severity=="medium",".15"), lrisk=case(severity=="low",".10")
| stats sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl
| eval diffc=297-riskc, diffh=255-riskh, diffm=127-riskm, diffl=85-riskl
| eval score=(diffc+diffh+diffm+diffl)
| table _time riskc diffc riskh diffh riskm diffm riskl diffl score
---
If this reply helps you, Karma would be appreciated.

matt1t
Explorer

Rich, you nailed it, thanks. I originally did use a single case statement; I didn't realize you could break it up like that. Also, I changed the | stats sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl to
| timechart sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl, which now gives me the correct results. I'll need to understand how stats sum and timechart sum would cause a different calculation. Thanks again!

0 Karma
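The two points the thread turns on, the single-pass weighting that richgalloway's answer uses instead of four appendcols subsearches, and the difference matt1t noticed between summing with stats and summing with timechart, can be reproduced outside Splunk. The following is an added example written for this page, not code from the thread or from Splunk; it models each SPL stage as a small Python function over a constructed list of findings (sample data, not real scan output), using the thread's own weights and baselines. The stand-in for dedup _raw treats two identical records as the same event, and the day bucketing assumes a one-day timechart span.

```python
from collections import defaultdict

# Weights per severity and per-severity baselines, taken from the thread's query.
WEIGHTS = {"critical": 0.35, "high": 0.30, "medium": 0.15, "low": 0.10}
BASELINES = {"critical": 297, "high": 255, "medium": 127, "low": 85}

# Constructed sample findings (not real data): each dict stands in for one indexed event.
FINDINGS = [
    {"_time": "2019-12-17T08:00:00", "ip": "10.7.1.5", "severity": "critical", "hasBeenMitigated": False},
    {"_time": "2019-12-17T08:00:00", "ip": "10.7.1.5", "severity": "critical", "hasBeenMitigated": False},  # exact duplicate, dropped by dedup
    {"_time": "2019-12-17T09:10:00", "ip": "10.7.2.9", "severity": "critical", "hasBeenMitigated": False},
    {"_time": "2019-12-17T09:12:00", "ip": "10.7.2.9", "severity": "high", "hasBeenMitigated": False},
    {"_time": "2019-12-17T11:00:00", "ip": "10.7.3.1", "severity": "medium", "hasBeenMitigated": False},
    {"_time": "2019-12-17T11:05:00", "ip": "10.7.3.1", "severity": "low", "hasBeenMitigated": False},
    {"_time": "2019-12-17T12:00:00", "ip": "10.7.3.1", "severity": "critical", "hasBeenMitigated": True},  # mitigated: excluded
    {"_time": "2019-12-17T12:30:00", "ip": "10.8.0.4", "severity": "high", "hasBeenMitigated": False},  # outside 10.7*: excluded
    {"_time": "2019-12-17T13:00:00", "ip": "10.7.3.1", "severity": "informational", "hasBeenMitigated": False},  # excluded by the search
    {"_time": "2019-12-18T08:00:00", "ip": "10.7.1.5", "severity": "critical", "hasBeenMitigated": False},
    {"_time": "2019-12-18T10:00:00", "ip": "10.7.4.2", "severity": "high", "hasBeenMitigated": False},
    {"_time": "2019-12-18T10:30:00", "ip": "10.7.4.3", "severity": "high", "hasBeenMitigated": False},
]


def base_search(records):
    """The search clause: hasBeenMitigated=false ip="10.7*" severity!=informational."""
    for r in records:
        if not r["hasBeenMitigated"] and r["ip"].startswith("10.7") and r["severity"] != "informational":
            yield r


def dedup_raw(records):
    """Stand-in for `| dedup _raw`: keep only the first of any identical events."""
    seen = set()
    for r in records:
        key = tuple(sorted(r.items()))
        if key not in seen:
            seen.add(key)
            yield r


def weight(record):
    """One `eval ... case(...)` pass: the event's severity selects its weight; any other severity yields null (None)."""
    return WEIGHTS.get(record["severity"])


def score_from_sums(sums):
    """`eval diffX=baseline-riskX` followed by `eval score=diffc+diffh+diffm+diffl`."""
    diffs = {sev: round(BASELINES[sev] - sums.get(sev, 0.0), 2) for sev in BASELINES}
    return round(sum(diffs.values()), 2), diffs


def stats_score(records):
    """`| stats sum(crisk) ... sum(lrisk)`: a single row over the whole search window, so _time is gone."""
    sums = defaultdict(float)
    for r in dedup_raw(base_search(records)):
        w = weight(r)
        if w is not None:  # sum() ignores null values, so non-matching severities add nothing
            sums[r["severity"]] += w
    return score_from_sums(sums)


def timechart_score(records):
    """`| timechart span=1d sum(...)`: the same sums, bucketed per day, with the baselines applied per day."""
    per_day = defaultdict(lambda: defaultdict(float))
    for r in dedup_raw(base_search(records)):
        w = weight(r)
        if w is not None:
            per_day[r["_time"][:10]][r["severity"]] += w
    return {day: score_from_sums(sums)[0] for day, sums in sorted(per_day.items())}


if __name__ == "__main__":
    total, diffs = stats_score(FINDINGS)
    print("stats (whole window):", total, diffs)
    for day, score in timechart_score(FINDINGS).items():
        print("timechart", day, score)
```

Running it shows why the two aggregations disagree: stats adds every matching event in the search window into one sum and subtracts the baselines once, so the result is a single number with no _time field (which is also why a trailing table _time produces an empty time column), while timechart subtracts the same baselines from each day's own sum, which is the per-day score the question was after.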