Splunk Search

Why is my search not returning any results?

rkaakaty
Path Finder

Can anyone tell me why I am not returning any results?

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by ID 
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

Thank you.

1 Solution

cmerriman
Super Champion

You need to include CVSS_SCORE in your stats command; you are not allowed to table it without bringing it forward. You can also rename your count(host-ip) in your stats command.

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) as HOSTS sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

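Here is an added example, not code from any of the posters, that produces the whole report in one search and carries every tabled field through stats: stats emits only its aggregations and its BY fields, so anything not named there is gone by the time table runs. It also guards against two things that quietly empty a result like this one. The BY clause is case-sensitive, so grouping by ID before id has been renamed groups by a field that does not exist, and eval arithmetic yields null when either operand is null, so an event with no cvss_temporal_score would get no CVSS_SCORE at all; tonumber() additionally turns a non-numeric value into null instead of letting + concatenate. The field names (host-ip, IP, id, plugin_name, cve, cvss_base_score, cvss_temporal_score) are the ones used in the thread. Using max() instead of sum() and dc() for the host count are my choices, and the base-plus-temporal formula is kept from the question even though a CVSS temporal score is already a complete score derived from the base, so the sum is a ranking key rather than a CVSS value.

```spl
index=nessus cve=*
| rename "host-ip" as host_ip
| eval base=tonumber(cvss_base_score), temporal=coalesce(tonumber(cvss_temporal_score), 0)
| eval CVSS_SCORE=base+temporal
| stats values(plugin_name) as Plugin_Name, values(cve) as CVE, max(CVSS_SCORE) as CVSS_SCORE, dc(host_ip) as HOSTS, values(host_ip) as Affected_Hosts by id
| rename id as ID
| table ID, Plugin_Name, CVE, CVSS_SCORE, HOSTS, Affected_Hosts
| sort 0 - CVSS_SCORE
```

Renaming the hyphenated field up front means no later command has to parse host-ip, and sort 0 lifts the default 10,000-row cap so a large scan is not silently truncated. Because dc() and count() only see non-null values, HOSTS will still read 0 for any plugin whose events carry no host_ip; that is a data problem in the index, not something another rewrite of the stats line will fix.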

Grumpalot
Communicator

I think I see what the problem is; you have two searches that need to take place to match on ID from Plugin and plugin_ID from the scans. Give this search a try; it may take a bit longer. I'm going to use some of @cmerriman's written code, hope you don't mind.

index=nessus cve=*
| eval ID=coalesce(id,plugin_id)
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename cve as CVE
| stats sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| join type=left ID [search index=nessus
    | rename host-ip as hostip
    | eval ID=coalesce(id,plugin_id)
    | stats list(hostip) as hostips, list(IP) as IP, count(hostip) as HOSTS by ID]
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

Grumpalot
Communicator

Give this a try; I made a change to the by ID, since it seems to be id and then you rename it to ID.

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by id
| rename id as ID, cve as CVE, plugin_name as Plugin_Name, count(host-ip) as HOSTS
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE


rkaakaty
Path Finder

Thank you,

Now I've run into a problem of only getting 0s as my HOSTS.


cmerriman
Super Champion

Try this: remove the two list commands, or rename the list(host-ip) as host-ip to list(host-ip) as host-ips, to see if that works. You're counting host-ip after putting it into a list and naming it that field name.


rkaakaty
Path Finder

Still the same result 😕


cmerriman
Super Champion

One other thing to try:

index=nessus cve=*
| eval CVSS_SCORE = cvss_base_score + cvss_temporal_score
| rename id as ID, cve as CVE, "host-ip" as hostip
| stats list(hostip) as hostips, list(IP) as IP count(hostip) as HOSTS sum(CVSS_SCORE) as CVSS_SCORE values(plugin_name) as Plugin_Name by ID
| table ID, Plugin_Name, CVSS_SCORE, HOSTS
| sort - CVSS_SCORE

rkaakaty
Path Finder

Unfortunately I am still getting 0 values for HOSTS

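The thread ends with HOSTS still at 0, which means count() never saw a non-null value in the field it was handed. Before rewriting the stats line again, the check a practitioner would run is whether the events matched by cve=* actually carry a populated host-ip field at all, and under which exact name. This is an added example, not from any of the posters; the candidate field names are those used in the thread plus an assumed underscore variant, and the wildcard is there to catch whatever the environment really calls the address field.

```spl
index=nessus cve=*
| fieldsummary maxvals=3
| search field=*ip* OR field=id OR field=plugin_id OR field=cvss_*
| table field, count, distinct_count, values
```

count is the number of events in the time range that carry the field. If host-ip shows a count of 0, or no row at all, a HOSTS column of zeros is the expected outcome of every search in this thread, and the values column will show whether the address is stored under a different name (IP, which the original search also lists, is a likely candidate). Once the real name is known, either rename it before stats, or quote it inside the function, as in count("host-ip"), so the hyphen is not misread. The same table also confirms that cvss_base_score and cvss_temporal_score are populated, since an event missing either one gets a null CVSS_SCORE from the eval and drops out of the ranking.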