Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Storing top result as variable then displaying systems with that variable

jlovik
Explorer
‎06-10-2021 09:36 AM

For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.

output for this command = 

 

 

VulnerabilityCVEIDs	count	percent	isolatedCVE
CVE-2021-31959	       106      29.12  	 CVE-2021-31959

 

 

 

Full search =

 

 

| search index=rapid7 sourcetype="vuln_db"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") 
| eval disctime=strftime(_time, "%Y-%m-%d") 
| eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") 
| where VulnerabilityTitle LIKE "Microsoft%" AND Addtime > disctime 
| top VulnerabilityCVEIDs limit=1 
| eval isolatedCVE=VulnerabilityCVEIDs 
| appendcols 
    [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE
    | dedup AssetNames 
    | dedup AssetIPAddress 
    | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs
    | fields - count]

 

 

  

Labels (3)
Labels
0 Karma
Reply

rupkumar4sec
Path Finder
‎06-10-2021 12:08 PM

You didn't get stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results. 

But that appendcols won't do anything unless you have any events where VulnerabilityCVEIDs has literal value  'isolatedCVE". 


Note1 : isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command.
Note 2:  field1=field2 can be used only with where command 
https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fi... 

0 Karma
Reply

rupkumar4sec
Path Finder
‎06-10-2021 12:15 PM

To get the result you want, you have to use "join" command, where you can use VulnerabilityCVEIDs  and common field and get the other fields you need from the main search.



0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...