issue with eval

Question

Hello,

I'm trying to do an arithmetic operation between 2 values i get with a stats function. I want to divide the number of cvss by the number of hosts. Here is my serach.

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | stats dc(host) as nb_host | stats c(cvss) as nb_cvss | eval cvss_host=nb_cvss/nb_host

My values are correctly affected to fields nb_cvss and nb_host but when i use the eval function i have no result. I also tried the "eventstats" in place of "stats" but the result is the same.

How could i get the result i want ?

Answer 1

0

I don't really know if it affects the results, but you do not need two stats commands. Does this produce the desired result?

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | stats dc(host) as nb_host c(cvss) as nb_cvss | eval cvss_host=nb_cvss/nb_host

/k

link

answered 03 Feb, 05:34

kristian.kolb
3.4k●2●10
accept rate: 30%

You resolved my issue, only one stats function is needed, thanks :)

(03 Feb, 05:38) rbw78

Answer 2

Well, something is wrong in my search.

I have the values nb_cvss and nb_cvss with also cvss_host in my final result. I only want cvss_host in my final result for doing a chart on the which one i can his evolution of it for each months.

So i'm trying to use timechart but it doesn't work.

sourcetype=nessus N_cvss>9 N_dnt=0 | rex "(?i)^(?:[^\t]*\t){2}(?P<host>[^\t]+)" | rex "(?i)^(?:[^\t]*\t){10}(?P<cvss>[^\t]+)" | timechart span=1m eval(c(cvss) / dc(host))

it says my eval expression must be renamed but i don't know why, it should works ...

issue with eval

Follow this question

Splunk Resources

Related questions