Splunk Search

expanding variables as part of a query

gamedazed
New Member

Background:
I'm working on a form that associates Qualys vulnerability IDs with CVE IDs. I'm leveraging two lookup tables, one Qualys ID centric, the other CVE ID  centric. It's in a 3 panel form with only one initially visible. If a CVE is clicked in the initial panel, the additional two panels become visible; because there is often a series of CVE IDs associated with a single QID, one panel returns results for the clicked CVE and the other panel returns results for all CVEs in that QID.

Initial Pane:

 

 

| inputlookup qid-cve.csv | fillnull | search TITLE="$title$" QID=$qid$ CVE=*$cve$* VENDOR_REFERENCE=$vr$ CATEGORY=$category$ | makemv delim=", " CVE

 

 

 

Drilldown Pane 1:

 

 

| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments | search CVE=$form.cve$

 

 

 

And the Pane of Problems:

 

 

| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments filter | eval filter="$cve_list$" | eval filter=replace(filter, "(CVE\-\d{4}\-\d+)\,?", " OR CVE=\"\1\"") | eval filter=replace(filter, "^ OR ", "") | where CVE=filter

 

 



What I'm looking for:
Take a comma separated field containing all of the CVEs in a QID and join them together with an
" OR CVE=\"$_\""'
and directly interpret that as spl passed to a where command
Note that CVE's contain heiphens, so in a where that'll make the string be interpretted as subtraction eval when unquoted, so quoting the CVEs is definitely part of the solution.

Here's an example of what I need the spl to look like

 

 

 

| inputlookup "cve-details.csv" | rename Name as CVE | table CVE, Description, Refreences, Votes, Comments | where CVE="CVE-2020-13543" OR CVE="CVE-2021-13543" OR CVE="CVE-2020-13584" OR CVE="CVE-2021-13584" OR CVE="CVE-2020-9948" OR CVE="CVE-2021-9948" OR CVE="CVE-2020-9951" OR CVE="CVE-2021-9951" OR CVE="CVE-2020-9983" OR CVE="CVE-2021-9983"

 

 

 

where the variable being expanded holds the string:

 

 

 

"CVE-2020-13543" OR CVE="CVE-2021-13543" OR CVE="CVE-2020-13584" OR CVE="CVE-2021-13584" OR CVE="CVE-2020-9948" OR CVE="CVE-2021-9948" OR CVE="CVE-2020-9951" OR CVE="CVE-2021-9951" OR CVE="CVE-2020-9983" OR CVE="CVE-2021-9983"

 

 

 


Problem:
That final panel, the one that returns data for all CVEs in a QID, is proving quite difficult.
My query looks like this:

 

 

| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments | eval filter=replace("$cve_list$", "(CVE\-\d{4}\-\d+)\,?", " OR CVE=\"\1\"") | eval filter=replace(filter, "^ OR CVE=", "") | where CVE=filter

 

 

The query looks like this once it's optimized:

 

 

| inputlookup "cve-details.csv" | rename Name as CVE | table CVE, Description, References, Votes, Comments, filter | eval filter=" OR CVE=\"CVE-2021-3587\" OR CVE=\"CVE-2021-3573\" OR CVE=\"CVE-2021-3564\" OR CVE=\"CVE-2021-3506\" OR CVE=\"CVE-2021-3483\" OR CVE=\"CVE-2021-33034\" OR CVE=\"CVE-2021-32399\" OR CVE=\"CVE-2021-31916\" OR CVE=\"CVE-2021-31829\" OR CVE=\"CVE-2021-29650\" OR CVE=\"CVE-2021-29647\" OR CVE=\"CVE-2021-29264\" OR CVE=\"CVE-2021-29155\" OR CVE=\"CVE-2021-29154\" OR CVE=\"CVE-2021-28971\" OR CVE=\"CVE-2021-28964\" OR CVE=\"CVE-2021-28688\" OR CVE=\"CVE-2021-26930\" OR CVE=\"CVE-2021-23134\" OR CVE=\"CVE-2021-23133\" OR CVE=\"CVE-2021-0129\" OR CVE=\"CVE-2020-29374\" OR CVE=\"CVE-2020-26558\" OR CVE=\"CVE-2020-26147\" OR CVE=\"CVE-2020-26139\" OR CVE=\"CVE-2020-25672\" OR CVE=\"CVE-2020-25671\" OR CVE=\"CVE-2020-25670\" OR CVE=\"CVE-2020-24588\" OR CVE=\"CVE-2020-24587\" OR CVE=\"CVE-2020-24586\"", filter=replace(filter,"^ OR CVE=","") | where (CVE == filter)

 

 


How can I convince where to stop looking at filter as a string literal? I've even added it to my table results before so it would have a better chance of looking at it as a field.  That did not work, naturally.

Labels (4)
0 Karma

gamedazed
New Member

two points of clarification:
These tokens assignments are based on the first panel's drilldown:
<set token="form.cve">$click.value2$</set>
<set token="show_cve_details">$click.name2$</set>
<set token="cve_list">$row.CVE$</set>

I think show_cve_details isn't in use right now, but worth noting that cve_list is the full list of CVEs in a QID and it does not seem to keep the makemv's multi-value return. Other than that,  I think one of my queries was from a tab I was still editing in and had a replace of " OR ", but no "CVE=" - I don't see it right now but I thought I saw it just a second ago. 

Also, apologies for the terrible formatting, first time using this forum. Thanks in advance for the help, guys.


0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...