
using eval results of a search with my base search

payton_tayvion
Path Finder

I'm currently trying to use the results of my eval fields in my base search.

For example, I would like for my search to be

index=rapid7 sourcetype=rapid7:nexpose:vuln vuln_age > 30 ratings=high

Is there a way that I can do this?

Here's the current code:

index=rapid7 sourcetype=rapid7:nexpose:vuln
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")


payton_tayvion
Path Finder

Thanks everyone, I was able to find a solution. The search command did exactly what I was looking for. Thanks for the replies, everyone.


richgalloway
SplunkTrust
SplunkTrust

It's not possible to use a field before it exists. You can reformat the query like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln (vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")

or use a macro like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln `high_cvss`
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", `high_cvss`, "High", vulnerability_cvss3_score > 8.9, "Critical")

where the macro high_cvss is defined as "(vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)".

---
If this reply helps you, Karma would be appreciated.
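Pulling the thread together, here is an added example that is not from any of the posts above. It keeps the original evals, pushes the filter on the raw CVSS field into the base search where the indexers can apply it (richgalloway's point), and then filters on the derived fields with the search command once they exist (the approach the original poster settled on). Field names are the ones used in the thread; the closing stats line is an assumption added for illustration.

```spl
index=rapid7 sourcetype=rapid7:nexpose:vuln vulnerability_cvss3_score>6.9
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval vuln_age=round((now() - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low", vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score>8.9, "Critical")
| search vuln_age>30 ratings="High"
| stats count BY ratings
```

Two things to check when validating this. First, the search command matches field values case-insensitively, so ratings=high would also match the "High" produced by case(), whereas `| where ratings="High"` is case-sensitive and would not. Second, any event whose vulnerability_date_published does not parse with the given strptime format gets a null p_date and therefore a null vuln_age, and null never satisfies vuln_age>30, so such findings silently disappear from the result; running `| where isnull(vuln_age)` over the same base search shows whether any records are being dropped that way. Every filter that can be expressed on a raw field belongs in the base search, because everything after the first pipe runs on the full result set the indexers have already returned.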

isoutamo
SplunkTrust
SplunkTrust

Hi

Maybe this is what you are looking for: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields

r. Ismo
