For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.
output for this command =
VulnerabilityCVEIDs count percent isolatedCVE CVE-2021-31959 106 29.12 CVE-2021-31959
Full search =
| search index=rapid7 sourcetype="vuln_db" | eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") | eval disctime=strftime(_time, "%Y-%m-%d") | eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") | where VulnerabilityTitle LIKE "Microsoft%" AND Addtime > disctime | top VulnerabilityCVEIDs limit=1 | eval isolatedCVE=VulnerabilityCVEIDs | appendcols [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE | dedup AssetNames | dedup AssetIPAddress | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs | fields - count]
You didn't get stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results.
But that appendcols won't do anything unless you have any events where VulnerabilityCVEIDs has literal value 'isolatedCVE".
Note1 : isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command.
Note 2: field1=field2 can be used only with where command