Hi,
I am using DBConnect to connect to a DB export from Qualys.
This export shows the results of a scan to determine if autoplay is disabled.
I want to create a % of machines that are compliant - the table has
ID | HOST_ID | CONTROL_ID | STATUS
When using the below search it shows me 0 results in passed and the total machine number is 575 (passed & failed)
| dbquery "DB_NAME" "SELECT * FROM SANS0503" | stats count(eval(STATUS=Passed)) as Passed count as total
If I perform | dbquery "DB_NAME" "SELECT * FROM SANS0503" | search STATUS=Passed I get the result of 551 (which is great) but I do not understand why I am getting 0?
thanks
Have you tried ...| stats count(eval(STATUS="Passed")) ...
?
Hi Rich,
that worked perfectly - thank you so much!
Sorry to be annoying, but why does it require ""?
A very similar search
stats count(eval(FAILED<1)) as success count as total | eval Compliant %=success/total*100
Works perfectly without?
thanks
You're welcome.
In eval(STATUS=Passed), Splunk is comparing the field STATUS to the field Passed.
In eval(STATUS="Passed"), Splunk is comparing the field STATUS to the string "Passed".
In eval(FAILED<1), Splunk is comparing the field FAILED to the number 1.
Yes, it's a little inconsistent with the search command that accepts strings without quotes.
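The difference described in this answer, as an added example that is not part of the original thread. It runs without the Qualys database because makeresults builds six constructed rows (four Passed, two Failed); the output field names unquoted, quoted and compliant_pct are made up for the illustration.

```spl
| makeresults count=6
| streamstats count AS HOST_ID
| eval STATUS=if(HOST_ID<=4, "Passed", "Failed")
| stats count(eval(STATUS=Passed)) AS unquoted
        count(eval(STATUS="Passed")) AS quoted
        count AS total
| eval compliant_pct=round(quoted/total*100, 1)
```

Because no field named Passed exists in these rows, unquoted comes back 0 while quoted is 4 out of a total of 6.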
Thanks again Rich
It's just I am trying to work out where I am going wrong, to avoid posting too many community questions 🙂