topic How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3? in Splunk Search

How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3?

antifreke — Mon, 10 Aug 2015 18:07:10 GMT

Good afternoon and happy monday!

I'm working on trying to figure out a way to do the following :
Count of vulnerabilities per eventKey, per Application where the number of eventKeys is greater than 3.

Basically, if a certain app has assessments performed more than 3 times and one of the vuln results is not 0, then we want to flag them as a security risk.

What I have so far, which isn't working:

search appname="*" eventtype="Complete" | dedup CompltdDate | stats dc(eventKey) by appname |  eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS Total_Vuln by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort = -unique_vuln

Re: How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3?

somesoni2 — Mon, 10 Aug 2015 21:34:04 GMT

Give this a try

search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3

Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.

Re: How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3?

antifreke — Tue, 29 Sep 2020 06:58:23 GMT

Here's what I have for the table, and what the data looks like

I would like to organize this like-

| stats count by appname APS_UAID Vulnerabilities eventKey | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS "Total Vulnerabilties per Assessment ID" by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort by eventKey, appname

That query will do that part of it, but it will show all of them. I need to only show more than 3 assessments where none of them = 0.

If there are more than 3 scans completed per App and they are still vulnerabilities. This is how we plan to keep application owners accountable for patching and securing their internet facing applications.