I'm currently trying to use the results of my eval fields in my base search.
For example, I would like my search to be
index=rapid7 sourcetype=rapid7:nexpose:vuln vuln_age > 30 ratings=high
Is there a way that I can do this?
Here's the current code:
index=rapid7 sourcetype=rapid7:nexpose:vuln
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")
Thanks everyone, I was able to find a solution. The search command did exactly what I was looking for. Thanks for the replies, everyone.
It's not possible to use a field before it exists. You can reformat the query like this:
index=rapid7 sourcetype=rapid7:nexpose:vuln (vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")
or use a macro like this:
index=rapid7 sourcetype=rapid7:nexpose:vuln `high_cvss`
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", `high_cvss`, "High", vulnerability_cvss3_score > 8.9, "Critical")
where the macro high_cvss is defined as "(vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)".
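The route the original poster settled on, the search command run after the evals so the calculated fields exist by the time they are filtered, written out as one complete query. This is an added example, not code from either post above; it assumes the field names from the question and filters on the exact strings the case() emits.

```spl
index=rapid7 sourcetype=rapid7:nexpose:vuln
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval vuln_age=round((now() - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",
    vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium",
    vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High",
    vulnerability_cvss3_score>8.9, "Critical")
| search vuln_age>30 ratings="High"
| table vulnerability_date_published vulnerability_cvss3_score vuln_age ratings
```

The search command matches field values case-insensitively, so ratings=high as written in the question also matches here; if you want a case-sensitive comparison, `| where vuln_age>30 AND ratings="High"` is the equivalent.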
Hi,
Maybe this is what you are looking for: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields
r. Ismo