Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multisearch on one index. need to add wieght to re...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matt1t
Explorer
12-24-2019
07:24 PM
All, I've been banging my head against the wall on this. Maybe its not possible, I don't know. I'm doing a multi search and adding weight to the results depending on the severity. My main goal is to do all the "work" and timechart the end score. Here is my code, I'm sure I'm looking at this wrong. Any direction is appreciated.
index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| dedup _raw
| eval crisk=case(severity=="critical",".35")
| search crisk=*
| timechart sum(crisk) as riskc
| eval diffc=297-riskc
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| dedup _raw
| eval hrisk=case(severity=="high",".30")
| search hrisk=*
| timechart sum(hrisk) as riskh
| eval diffh=255-riskh ]
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| dedup _raw
| eval mrisk=case(severity=="medium",".15")
| search mrisk=*
| timechart sum(mrisk) as riskhm
| eval diffm=127-riskm ]
| appendcols [search index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| dedup _raw
| eval lrisk=case(severity=="low",".10")
| search lrisk=*
| timechart sum(lrisk) as riskhl
| eval diffl=85-riskl ]
| timechart score=(diffc+diffh+diffm+diffl)
What I have found, is that I can only sum the days risk(x) with the timechart command. I really don't need to use this command | timechart sum(lrisk) as riskhl, however this is the only way I can get the results I need. Below is the results displayed. As you see I am missing output I want, like diffm diffl and score.
_time riskc diffc diffh riskh riskhl riskhm
2019-12-17 62.30 234.70 74.40 180.60 34.50 76.50
2019-12-18 59.15 237.85 82.80 172.20 34.50 76.05
2019-12-19 61.60 235.40 79.20 175.80 34.30 85.80
2019-12-20 62.65 234.35 78.30 176.70 34.30 85.95
2019-12-21 8.40 288.60 238.80 16.20 1.50 5.10
2019-12-22 61.95 235.05 78.90 176.10 34.60 91.20
2019-12-23 135.45 161.55 -115.50 370.50 71.60 194.55
Thanks for looking.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
12-25-2019
07:12 AM
There's no need for multiple searches with the same criteria. Try this query:
index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| eval crisk=case(severity=="critical",".35"), hrisk=case(severity=="high",".30"), mrisk=case(severity=="medium",".15"), lrisk=case(severity=="low",".10")
| stats sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl
| eval diffc=297-riskc, diffh=255-riskh, diffm=127-riskm, diffl=85-riskl
| eval score=(diffc+diffh+diffm+diffl)
| table _time riskc diffc riskh diffh riskm diffm riskhl diffl score
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
12-25-2019
07:12 AM
There's no need for multiple searches with the same criteria. Try this query:
index=security_vulnerabilities hasBeenMitigated=false ip="10.7*" severity!=informational
| eval crisk=case(severity=="critical",".35"), hrisk=case(severity=="high",".30"), mrisk=case(severity=="medium",".15"), lrisk=case(severity=="low",".10")
| stats sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl
| eval diffc=297-riskc, diffh=255-riskh, diffm=127-riskm, diffl=85-riskl
| eval score=(diffc+diffh+diffm+diffl)
| table _time riskc diffc riskh diffh riskm diffm riskhl diffl score
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matt1t
Explorer
01-02-2020
06:58 AM
Rich, you nailed it thanks. I originally did use a single case statement, I didn't realize you could break it up like that. Also, I changed the | stats sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl to
| timechart sum(crisk) as riskc, sum(hrisk) as riskh, sum(mrisk) as riskm, sum(lrisk) as riskl, which now gives me the correct results. I'll need to understand the how stats sum and timechart sum would cause different calculation. Thanks again!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
