Splunk Search

Two fields are not populating, not sure why

rkaakaty
Path Finder

Hello,

For some reason my SEVERITY, and CATEGORY field aren't showing any value..

Can anyone see why?

 index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
    [ search index=nessus 
    | rename host-ip as hostip 
    | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
    ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
0 Karma

DalJeanis
SplunkTrust

updated to mark as code.

appendcols in that location doesn't seem like it's going to work right.

0 Karma

gcusello
Legend

Hi rkaakaty,
after a stats command you have only the fields of stats, so after your first stats you have CVSS_SCORE, Plugin_Name and ID; after that you add (with the append command) hostips, IP, and plugin_id.
SEVERITY and CATEGORY aren't in the stats command; add values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY to the first stats command.
Bye.
Giuseppe

0 Karma

rkaakaty
Path Finder

Can you show me how you added it to my code?

0 Karma

gcusello
Legend

In the first stats, between stats and sum.
Bye.
Giuseppe

0 Karma

rkaakaty
Path Finder

I don't understand

0 Karma

gcusello
Legend

Hi rkaakaty,
try

 index=nessus cve=*  
 | eval ID=coalesce(id,plugin_id) 
 | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
 | rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
 | stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
 | appendcols 
     [ search index=nessus 
     | rename host-ip as hostip 
     | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
     ] 
 | rename Plugin_Name as TITLE
 | eval Systemic_Score = CVSS_SCORE*HOSTS
 | table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
 | sort - Systemic_Score

Bye.
Giuseppe

0 Karma

rkaakaty
Path Finder

See now that fixed my category and severity field, but now my HOSTS, Systemic_Score, and plugin_id aren't populating

0 Karma

gcusello
Legend

If these fields are in the nessus index, probably there is the same problem; try:

index=nessus cve=*  
| eval ID=coalesce(id,plugin_id) 
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE, family_name as CATEGORY, risk_factor as SEVERITY
| stats values(SEVERITY) AS SEVERITY values(CATEGORY) AS CATEGORY 
values(HOSTS) AS HOSTS values(Systemic_Score) AS Systemic_Score values(plugin_id) AS plugin_id sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| appendcols 
      [ search index=nessus 
      | rename host-ip as hostip 
      | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by plugin_id
      ] 
| rename Plugin_Name as TITLE
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score

Bye.
Giuseppe

0 Karma

rkaakaty
Path Finder

I still have the same problem... I'm not sure why.

0 Karma

gcusello
Legend

If you run your search up to the first rename (before the first stats), do you have all the wanted fields?

What is the meaning of appendcols?
Remember that (from https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Appendcols ) "The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on."

What information do you want to add to the first stats results?

Bye.
Giuseppe

0 Karma
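The two problems raised in this thread (fields dropped by the first stats, and appendcols merging rows by position rather than by plugin_id, so HOSTS lands on whichever row happens to be in the same position) can both be avoided by computing everything in a single stats. The query below is an added example, not from any poster in this thread. It assumes the field names used above (risk_factor, family_name, plugin_name, plugin_id, host-ip, cvss_base_score, cvss_temporal_score), counts HOSTS as the distinct host-ip values per ID, and uses max(CVSS_SCORE) rather than the thread's sum(CVSS_SCORE), because summing the score over every host and then multiplying by HOSTS counts each host twice; that choice is an assumption about what Systemic_Score is meant to express.

```spl
index=nessus cve=*
| eval ID=coalesce(id, plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename host-ip as hostip
| stats values(risk_factor) as SEVERITY
        values(family_name) as CATEGORY
        values(plugin_name) as TITLE
        values(plugin_id) as plugin_id
        max(CVSS_SCORE) as CVSS_SCORE
        dc(hostip) as HOSTS
        values(hostip) as hostips
        by ID
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table ID, SEVERITY, TITLE, CATEGORY, CVSS_SCORE, HOSTS, plugin_id, Systemic_Score
| sort - Systemic_Score
```

Every field needed after the stats is listed in it, so nothing is dropped, and HOSTS is counted for the same ID as the score, so no positional mismatch can occur. Two checks worth running first: `index=nessus cve=* | table risk_factor family_name plugin_name host-ip cvss_base_score cvss_temporal_score` confirms the raw fields are actually extracted, and note that `eval CVSS_SCORE = cvss_base_score + cvss_temporal_score` yields a null CVSS_SCORE (and therefore a null Systemic_Score) on any event where either score is missing, so coalescing a missing cvss_temporal_score to 0 may be wanted.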

sbbadri
Motivator

Weren't the family_name and risk_factor fields extracted from the events? Are you seeing those two fields in the interesting fields section? Also, execute the query below; it should output some values:

index=nessus cve=* | table family_name risk_factor

If it does not produce any results, then extract those two fields.

0 Karma