Splunk Search

Storing top result as variable then displaying systems with that variable

jlovik
Explorer

For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.

output for this command = 

 

 

VulnerabilityCVEIDs	count	percent	isolatedCVE
CVE-2021-31959	       106      29.12  	 CVE-2021-31959

 

 

 

Full search =

 

 

| search index=rapid7 sourcetype="vuln_db"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") 
| eval disctime=strftime(_time, "%Y-%m-%d") 
| eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") 
| where VulnerabilityTitle LIKE "Microsoft%" AND Addtime > disctime 
| top VulnerabilityCVEIDs limit=1 
| eval isolatedCVE=VulnerabilityCVEIDs 
| appendcols 
    [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE
    | dedup AssetNames 
    | dedup AssetIPAddress 
    | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs
    | fields - count]

 

 

  

Labels (3)
0 Karma

rupkumar4sec
Path Finder

You didn't get stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results. 

But that appendcols won't do anything unless you have any events where VulnerabilityCVEIDs has literal value  'isolatedCVE". 


Note1 : isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command.
Note 2:  field1=field2 can be used only with where command 
https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fi... 

0 Karma

rupkumar4sec
Path Finder

To get the result you want, you have to use "join" command, where you can use VulnerabilityCVEIDs  and common field and get the other fields you need from the main search.



0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...