Hi all, I have the following search that calculates a risk value based on a formula:
index=EX sourcetype=EX | dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null()) | bucket _time | stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count by _time | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4 | eval RiskValueL=round((VH1+0.75*VH2+0.5*VH3+0.1*VH4)/(VH1+VH2+VH3+VH4)*(VH/TH),5)
The end result is a value on RiskValueL that is a fraction, which I assumed it was considered as numeric value, however when I tried to visualize it with the Single Value it showed other value for the visualization. Just in case I tried to use |convert num(RiskValueL) in case this value was considered something else but it does not work, it showed a 0 in the single value visualization. I also isolated the value with |table RiskValueL so the statistics tab would show only the RiskValueL in case Splunk was picking up other value for the visualization (as I suspected it was doing due to the visualization output) but it presents a 0 in the visualization tab.
Any ideas on why this is happening or if I'm doing something wrong here?
Thanks in advance.
... View more