topic multivalue field - missing a week in Splunk Search

multivalue field - missing a week

omcollia — Wed, 22 Jan 2025 14:29:32 GMT

I have a multivalue field called weeksum that contains the following values

2024:47 2024:48 2024:49 2024:50 2024:51 2024:52 2025:01 2025:02 2025:03

In this case, from the first to the last week, there are no missing weeks. I would like to create a field that identifies if there are any missing weeks in the sequence.

For example, if week 2024:51 is missing, the field should indicate that there is a gap in the sequence.

Please note that the weeksum multivalue field already consists of pre-converted values, so converting them back to epoch (using something like | eval week = strftime(_time, "%Y:%U")) does not work.

Re: multivalue field - missing a week

gcusello — Wed, 22 Jan 2025 14:43:25 GMT

Hi @omcollia ,

you could use the delta command to check if the difference between one value and the following is 1, something like this:

in this way, if the search will have results there's some error.

Ciao.

Giuseppe

Re: multivalue field - missing a week

PickleRick — Wed, 22 Jan 2025 14:44:46 GMT

Border case question (I like those) - how do you know how many weeks a year has? As silly as it sounds - depending on a particular year and how you're counting a year can have between 52 and 54 weeks.

Re: multivalue field - missing a week

omcollia — Wed, 22 Jan 2025 15:17:52 GMT

Here’s the translation of your text into English:

"If I run this command:

| eval year=substr(weeksum,1,4)

the field remains empty, maybe because my field weeksum comes from an eventstats command: | eventstats values(week) as weeksum by IP,dest_ip,plugin_id

and maybe the multivalue field is in a format that's not readable?"

Re: multivalue field - missing a week

gcusello — Wed, 22 Jan 2025 15:20:23 GMT

Hi @omcollia ,

I suppose that your inserted the weeksum extraction with eventstat before the eval.

Ciao.

Giuseppe

Re: multivalue field - missing a week

omcollia — Wed, 22 Jan 2025 15:38:02 GMT

I will explain my issue from the beginning to make it clearer.

I have an index that contains vulnerabilities related to an IP, and on Splunk, I receive VA data every week. I would like to check based on my IP and vulnerabilities for different cases:

Which vulnerabilities are new, i.e., those VA that appear only in the current week.
Which vulnerabilities have reappeared in a week after being absent (I think I should check when a VA is missing for a week and then reappears, perhaps by looking at when the time between results is greater than 7 days).
When a vulnerability has disappeared, i.e., when the last week in which we had that VA is not the same as the current one.**

Re: multivalue field - missing a week

omcollia — Wed, 22 Jan 2025 15:39:02 GMT

Perhaps I just need to check when more than 7 days have passed between one VA and the next.

Re: multivalue field - missing a week

gcusello — Wed, 22 Jan 2025 16:27:49 GMT

Hi @omcollia ,

ok, you need a completely different thing!

you should run a search to understand if a vulnerability is present in more weeks, so, if vulnerabilities are contained in a fied called vulnerability, you could run something like this:

<your_search> | eval weeksum=strftime(_time,"%Y:%V") | stats dc(weeksum) AS weeksum_count values(weeksum) AS weeksum BY vulnerabilities | eval present_weeksum=strftime(now(),"%Y:%V") | eval status=case( weeksum_count=1 AND weeksum=present_weeksum,"Present in Last Week", weeksum_count=1 AND NOT weeksum=present_weeksum,"Present in Week: ".weeksum, weeksum_count>1,"Present in More Weeks")

you can customize this search using the field you have for vulnerabilities and the additional conditions for status following my approach.

Ciao.

Giuseppe