Splunk Search

using eval results of a search with my base search

payton_tayvion
Path Finder

I'm currently trying to use the results of my eval fields in my base search.

For example, I would like for my search to be

index=rapid7 sourcetype=rapid7:nexpose:vuln vuln_age > 30 ratings=high

is there a way that I can do this?

Here's the current code:

index=rapid7 sourcetype=rapid7:nexpose:vuln
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")


payton_tayvion
Path Finder

Thanks everyone, I was able to find a solution. The search command did exactly what I was looking for. Thanks for the replies, everyone.

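The approach the accepted solution names, written out as an added example (this is not the poster's query, it only reuses the field names from the question): keep the evals, then filter on the calculated fields with the search command, which can only see a field once an earlier stage has created it. The two extra case() branches for a missing score and a score of exactly 0 are my additions; the original case() leaves those events without a rating, so a ratings filter would silently drop them rather than surface them as unscored.

```spl
index=rapid7 sourcetype=rapid7:nexpose:vuln
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval vuln_age=round((now() - p_date)/86400)
| eval ratings=case(
      isnull(vulnerability_cvss3_score), "Unscored",
      vulnerability_cvss3_score=0, "None",
      vulnerability_cvss3_score<=3.9, "Low",
      vulnerability_cvss3_score<=6.9, "Medium",
      vulnerability_cvss3_score<=8.9, "High",
      vulnerability_cvss3_score>8.9, "Critical")
`comment("added example: the eval stages above create vuln_age and ratings so the search command below can filter on them")`
| search vuln_age>30 ratings=High
| table vulnerability_date_published vulnerability_cvss3_score vuln_age ratings
```

Two things worth knowing when using this pattern. The search command matches field values case-insensitively, so `ratings=high` and `ratings=High` both work, whereas `| where ratings="High"` is case-sensitive. And because the filter runs after the events have already been pulled from the index, it does not reduce the amount of data read; if the dataset is large, keep a raw-field predicate such as the CVSS range from richgalloway's reply in the base search as well, and use the post-eval `| search` only for the conditions that genuinely need the calculated fields.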

richgalloway
SplunkTrust
SplunkTrust

It's not possible to use a field before it exists. You can reformat the query like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln (vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")

or use a macro like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln `high_cvss`
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", `high_cvss`, "High", vulnerability_cvss3_score > 8.9, "Critical")

where the macro high_cvss is defined as "(vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)".

---
If this reply helps you, an upvote would be appreciated.

isoutamo
SplunkTrust
SplunkTrust

Hi

maybe this is what you are looking for: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields

r. Ismo
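The calculated-fields route from the link above, as an added example (not from the thread and not from the Rapid7 add-on): defining the two evals as search-time calculated fields in props.conf makes `vuln_age` and `ratings` exist on every event of that sourcetype before the search filter runs, which is what the original question asked for. The stanza name is the sourcetype from the question; the file would live in a search-time app on the search head.

```ini
# Added example: calculated fields for the sourcetype used in the question.
# Calculated fields cannot reference each other, so vuln_age has to compute
# the published timestamp inline instead of going through a p_date field.
[rapid7:nexpose:vuln]
EVAL-vuln_age = round((now() - strptime(vulnerability_date_published, "%Y-%m-%d"))/86400)
EVAL-ratings = case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low", vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score>8.9, "Critical")
```

With these in place, `index=rapid7 sourcetype=rapid7:nexpose:vuln vuln_age>30 ratings=High` runs without any eval stages. The caveat is the same as for a post-eval `| search`: a calculated field is computed per event after the events are retrieved, so filtering on it does not narrow what is read from the index the way a predicate on an indexed field or the raw `vulnerability_cvss3_score` does.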
