This is the eval statement I am using along with case, but I am getting an error.
eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
Ughh, my bad! I copied the search from the earlier dashboard's source XML and pasted it into the search box; this '>' sign was and is present as ';' in the dashboard XML, which is why it was giving an error. Otherwise the eval statement is correct.
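The cause described in this answer, shown as an added example that is not part of the thread: inside a Splunk Simple XML dashboard the `>` characters of a comparison are stored as the XML entity `&gt;` (or the whole query is wrapped in a CDATA section), and pasting the raw XML text into the search bar carries that escaped form along. The dashboard label and panel layout below are assumed; only the search itself comes from the thread.

```xml
<dashboard>
  <label>Nessus severity totals (assumed label)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Every ">" in the eval is escaped as "&gt;" in the stored XML.
               Copy the rendered search from the panel's "Open in Search"
               action rather than from this source view. -->
          <query>index=nessus sourcetype=nessus:scan (severity="critical" OR severity="high")
| stats dc(signature) as vuln_count by severity, dest
| chart first(vuln_count) over dest by severity
| eval total=case(critical&gt;0 AND high&gt;0, critical+high, critical&gt;0, critical, high&gt;0, high, true(), 0)</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <!-- Equivalent form: a CDATA section lets the query keep literal ">"
               characters, so the source reads exactly like the search bar. -->
          <query><![CDATA[index=nessus sourcetype=nessus:scan (severity="critical" OR severity="high")
| stats dc(signature) as vuln_count by severity, dest
| chart first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0, critical+high, critical>0, critical, high>0, high, true(), 0)]]></query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Both panels run the same search; the second form is easier to copy back and forth between the dashboard source and the search bar without the entity mismatch.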
Click Accept on your answer here to close the question.
You must ensure that all fields based on severity (critical, high, etc.) are all numbers or you will get an error, so try this:
index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| foreach critical high medium low informational
[ rex field=<<FIELD>> mode=sed "s/[\r\n\s]//g" | eval <<FIELD>>=tonumber(<<FIELD>>) ]
| eval total=case(
critical>0 AND high>0, critical+high,
critical>0, critical,
high>0, high,
true(), 0)
| eval subTotal=case(
medium>0 AND low>0, medium+low,
medium>0, medium,
low>0, low,
true(), 0)
| eval subSubTotal=case(
informational>0 AND unknown>0, informational+unknown,
informational>0, informational,
unknown>0, unknown,
true(), 0)
@xpac, No, I checked all brackets, all is perfect.
Here is the full query,
index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=useother first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)
I am getting an error for all the eval statements here @woodcock
I still do not get any errors.
Do you have logs from Nessus? If so, can you kindly share the results? I don't know why I am getting that error.
I just put that search into my Splunk, and it is perfectly valid.
The only thing that I had to remove is the useother=`useother` part, because I don't have that macro.
Just in case, can you post the content of that macro?
'useother'=true
That's it.
It does not give an error for me.
Do you have any other ( or ) in the rest of your query?