issue with eval

rbw78 · ‎02-03-2012

Hello,

I'm trying to do an arithmetic operation between 2 values i get with a stats function.
I want to divide the number of cvss by the number of hosts.
Here is my serach.

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | stats dc(host) as nb_host | stats c(cvss) as nb_cvss | eval cvss_host=nb_cvss/nb_host

My values are correctly affected to fields nb_cvss and nb_host but when i use the eval function i have no result.
I also tried the "eventstats" in place of "stats" but the result is the same.

How could i get the result i want ?

rbw78 · ‎02-03-2012

Well, something is wrong in my search.

I have the values nb_cvss and nb_cvss with also cvss_host in my final result.
I only want cvss_host in my final result for doing a chart on the which one i can his evolution of it for each months.

So i'm trying to use timechart but it doesn't work.

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | timechart span=1m eval(c(cvss) / dc(host))

it says my eval expression must be renamed but i don't know why, it should works ...

kristian_kolb · ‎02-03-2012

I don't really know if it affects the results, but you do not need two stats commands.
Does this produce the desired result?

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | stats dc(host) as nb_host c(cvss) as nb_cvss | eval cvss_host=nb_cvss/nb_host

/k

rbw78 · ‎02-03-2012

You resolved my issue, only one stats function is needed, thanks 🙂

issue with eval

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!