Splunk Search

Storing top result as variable then displaying systems with that variable

jlovik
Explorer

For some reason my search is not acting as expected. I am trying to produce a list of systems with the specific isolatedCVE I get from the TOP command. But instead of getting stats count of systems with the isolatedCVE i get just the TOP output still as seen below. It seems like the TOP command somehow trumps the second set of commands and i dont understand why.

output for this command = 

 

 

VulnerabilityCVEIDs	count	percent	isolatedCVE
CVE-2021-31959	       106      29.12  	 CVE-2021-31959

 

 

 

Full search =

 

 

| search index=rapid7 sourcetype="vuln_db"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d") 
| eval disctime=strftime(_time, "%Y-%m-%d") 
| eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d") 
| where VulnerabilityTitle LIKE "Microsoft%" AND Addtime > disctime 
| top VulnerabilityCVEIDs limit=1 
| eval isolatedCVE=VulnerabilityCVEIDs 
| appendcols 
    [| search index=rapid7 sourcetype="vuln_db" VulnerabilityCVEIDs=isolatedCVE
    | dedup AssetNames 
    | dedup AssetIPAddress 
    | stats count by AssetIPAddress AssetNames User VulnerabilityCVEIDs
    | fields - count]

 

 

  

Labels (2)
0 Karma

rupkumar4sec
Path Finder

You didn't get stats count of systems with the isolatedCVE because you have that in a subsearch for appendcols. appendcols will just add the output as a columns to existing main results). So if your appendcols worked correctly, it will just add "AssetIPAddress, AssetNames ,User,VulnerabilityCVEIDs" colunms to your search results. 

But that appendcols won't do anything unless you have any events where VulnerabilityCVEIDs has literal value  'isolatedCVE". 


Note1 : isolatedCVE field you created using eval doesn't exist in the subsearch you used for appendcols command.
Note 2:  field1=field2 can be used only with where command 
https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fi... 

0 Karma

rupkumar4sec
Path Finder

To get the result you want, you have to use "join" command, where you can use VulnerabilityCVEIDs  and common field and get the other fields you need from the main search.



0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...