<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to find the number of times a specific field value has been present over time in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212570#M62268</link>
    <description>&lt;P&gt;It would help if you share a few raw events. Minus that, you could try something like this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=scanresults earliest=-3mon@mon | chart count over host by plugin_name limit=0
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Thu, 04 Aug 2016 21:56:20 GMT</pubDate>
    <dc:creator>sundareshr</dc:creator>
    <dc:date>2016-08-04T21:56:20Z</dc:date>
    <item>
      <title>How to find the number of times a specific field value has been present over time</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212569#M62267</link>
      <description>&lt;P&gt;I'm trying to find the average time (in weeks) it takes to patch specific network vulnerabilities. I take in data from network scans which include the hostname and the name of the plugin that are vulnerable. The scans run weekly, so if it took a department three weeks to patch a vulnerable plugin, that &lt;EM&gt;"plugin_name=VulnerabilityX"&lt;/EM&gt; within &lt;EM&gt;"hostname=0.0.0.0"&lt;/EM&gt; should be present three times. Then I could take those numbers of occurrences and use them to find the average number of weeks it takes to patch each plugin_name.&lt;/P&gt;

&lt;P&gt;There are 100+ hostnames each with however many plugins that I need to do this for. From what I've tried and researched so far it seems like there is no easy way to do this without a huge mess of subsearches. There is a timestamp field included in the events with the field values represented in epoch time, for example &lt;EM&gt;"timestamp=1469561133"&lt;/EM&gt;, which seems like it could be useful, but I haven't found a way yet.&lt;/P&gt;

&lt;P&gt;Any advice at all on this would be greatly appreciated!&lt;/P&gt;</description>
      <pubDate>Thu, 04 Aug 2016 21:29:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212569#M62267</guid>
      <dc:creator>information_sec</dc:creator>
      <dc:date>2016-08-04T21:29:49Z</dc:date>
    </item>
    <item>
      <title>Re: How to find the number of times a specific field value has been present over time</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212570#M62268</link>
      <description>&lt;P&gt;It would help if you share a few raw events. Minus that, you could try something like this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=scanresults earliest=-3mon@mon | chart count over host by plugin_name limit=0
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 04 Aug 2016 21:56:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212570#M62268</guid>
      <dc:creator>sundareshr</dc:creator>
      <dc:date>2016-08-04T21:56:20Z</dc:date>
    </item>
    <item>
      <title>Re: How to find the number of times a specific field value has been present over time</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212571#M62269</link>
      <description>&lt;P&gt;@sundareshr Here are some examples of the raw data that we get, this is just for one scan as you can see at host_start but you can imagine this would be repeated across scans for every week.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; {"object_id": 167, "host-ip": “192.168.5.1", "uuid": "91e61c00-97b6-3494-2a5e-354d79a748653191c7652a729bb3", "scanner_name": "Local Scanner", "control": true, "edit_allowed": true, "policy": "Credentialed Patch Audit", "severity": 0, "scan_start": 1469527225, "scanner_end": 1469561107, "plugin_id": 10736, "pci-can-upload": false, "plugin_name": "DCE Services Enumeration", "host_id": 23326, "severity_index": 5, "host-fqdn": “host@domain.com”, "haskb": true, "folder_id": 14, "user_permissions": 128, "host_start": "Tue Jul 26 11:51:28 2016", "vuln_index": 6, "sid": "167", "hostcount": 24429, "scan_type": "local", "count": 9, "targets": “192.168.1.1-192.168.100.255”, "host_end": "Tue Jul 26 11:54:02 2016", "scan_end": 1469561133, "hasaudittrail": true, "plugin_family": "Windows", "status": "completed", "hostname": “hostname@domain.com”, "scanner_start": 1469527225, "timestamp": 1469561133, "name": "Weekly Authenticated Scans"} 

{"object_id": 167, "host-ip": "192.168.5.1", "uuid": "91e61c00-97b6-3494-2a5e-354d79a748653191c7652a729bb3", "scanner_name": "Local Scanner", "control": true, "edit_allowed": true, "policy": "Credentialed Patch Audit", "severity": 0, "scan_start": 1469527225, "scanner_end": 1469561107, "plugin_id": 10940, "pci-can-upload": false, "plugin_name": "Windows Terminal Services Enabled", "host_id": 23326, "severity_index": 0, "host-fqdn": "host@domain.com", "haskb": true, "folder_id": 14, "user_permissions": 128, "host_start": "Tue Jul 26 11:51:28 2016", "vuln_index": 11, "sid": "167", "hostcount": 24429, "scan_type": "local", "count": 1, "targets": "192.168.1.1-192.168.100.255", "host_end": "Tue Jul 26 11:54:02 2016", "scan_end": 1469561133, "hasaudittrail": true, "plugin_family": "Windows", "status": "completed", "hostname": "hostname@domain.com", "scanner_start": 1469527225, "timestamp": 1469561133, "name": "Weekly Authenticated Scans - OSU Administrative Zones"} 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 04 Aug 2016 23:49:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212571#M62269</guid>
      <dc:creator>information_sec</dc:creator>
      <dc:date>2016-08-04T23:49:13Z</dc:date>
    </item>
    <item>
      <title>Re: How to find the number of times a specific field value has been present over time</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212572#M62270</link>
      <description>&lt;P&gt;This should give you number of weeks (assuming once a week scans) a plugin_name occurs (you can adjust the time period you choose to run this search)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your base search | stats count by host-ip plugin_name
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;*&lt;STRONG&gt;&lt;EM&gt;OR&lt;/EM&gt;&lt;/STRONG&gt;*&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your base search | eval wknum=strftime(strptime(host_end, "%a %b %d %H:%M:%S %Y"), "%W") | eval host_plugin='host-ip'."##".plugin_name | chart count over host_plugin by wknum | rex field=host_plugin "(?&amp;lt;host&amp;gt;[^#]+)##(?&amp;lt;plugin_name&amp;gt;.*)" | table host plugin_name * | addtotals | fields - host_plugin
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 05 Aug 2016 00:49:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-find-the-number-of-times-a-specific-field-value-has-been/m-p/212572#M62270</guid>
      <dc:creator>sundareshr</dc:creator>
      <dc:date>2016-08-05T00:49:09Z</dc:date>
    </item>
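    Added example (not part of the original thread, and not Splunk's or any poster's code): the same calculation as the SPL answer above, written in Python so it can be checked offline against constructed events modelled on the JSON posted in the thread. It groups by host-ip and plugin_name, parses host_end with the same format string the SPL uses, and counts the distinct weeks each pair appears in. It goes beyond the SPL in two ways a practitioner would want: duplicate events from the same scan (for example one per port) are collapsed to a single week, and findings still present in the newest scan are reported separately instead of being averaged, because their patch time is not known yet. The sample events, the ISO-week choice and all function names are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real scan output), modelled on the JSON the
# original poster shared; only the fields the calculation needs are kept.
# Four host/plugin pairs across three weekly scans (ISO weeks 30, 31, 32 of 2016).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"host-ip": "192.168.5.1", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Jul 26 11:54:02 2016"}
{"host-ip": "192.168.5.1", "plugin_name": "Windows Terminal Services Enabled", "host_end": "Tue Jul 26 11:54:02 2016"}
{"host-ip": "192.168.5.2", "plugin_name": "Windows Terminal Services Enabled", "host_end": "Tue Jul 26 12:01:00 2016"}
{"host-ip": "192.168.5.1", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Aug 02 11:52:10 2016"}
{"host-ip": "192.168.5.1", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Aug 02 11:52:10 2016"}
{"host-ip": "192.168.5.2", "plugin_name": "Windows Terminal Services Enabled", "host_end": "Tue Aug 02 12:03:30 2016"}
{"host-ip": "192.168.5.2", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Aug 02 12:03:30 2016"}
{"host-ip": "192.168.5.1", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Aug 09 11:50:00 2016"}
{"host-ip": "192.168.5.2", "plugin_name": "DCE Services Enumeration", "host_end": "Tue Aug 09 12:00:00 2016"}
""".strip().splitlines()]

HOST_END_FORMAT = "%a %b %d %H:%M:%S %Y"   # same format string the SPL answer uses


def week_key(host_end):
    """Return (iso_year, iso_week) for a host_end string. ISO weeks are used
    instead of %W so that scans spanning a year boundary do not collide."""
    iso = datetime.strptime(host_end, HOST_END_FORMAT).isocalendar()
    return (iso[0], iso[1])


def weeks_present(events):
    """Map (host-ip, plugin_name) to the set of weeks it was reported in.
    A set rather than a count, so two events from the same scan (e.g. one per
    open port) are not mistaken for two weeks of exposure."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["host-ip"], ev["plugin_name"])].add(week_key(ev["host_end"]))
    return seen


def weeks_to_remediate(events):
    """Return (closed, still_open). closed maps plugin_name to a list of
    weeks-present counts for findings that no longer appear in the newest scan;
    still_open maps (host, plugin) to the weeks seen so far. Open findings are
    kept out of the average because their remediation time is not known yet."""
    seen = weeks_present(events)
    latest = max(w for weeks in seen.values() for w in weeks)
    closed, still_open = defaultdict(list), {}
    for (host, plugin), weeks in seen.items():
        if latest in weeks:
            still_open[(host, plugin)] = len(weeks)
        else:
            closed[plugin].append(len(weeks))
    return dict(closed), still_open


def average_weeks_by_plugin(events):
    """Average number of weekly scans a plugin was present on a host before it
    was remediated, computed over remediated findings only."""
    closed, _ = weeks_to_remediate(events)
    return {plugin: sum(counts) / len(counts) for plugin, counts in closed.items()}


if __name__ == "__main__":
    closed, still_open = weeks_to_remediate(SAMPLE_EVENTS)
    for plugin, avg in average_weeks_by_plugin(SAMPLE_EVENTS).items():
        print(f"{plugin}: avg {avg:.1f} weeks to patch over {len(closed[plugin])} host(s)")
    for (host, plugin), n in still_open.items():
        print(f"still open: {host} / {plugin} ({n} week(s) so far)")
```

    On the constructed data, "Windows Terminal Services Enabled" averages 1.5 weeks (remediated after 1 week on one host and 2 on the other), while "DCE Services Enumeration" is still open on both hosts and so has no average yet. The same censoring caveat applies to the SPL version: a chart over a fixed time window will count a finding that is still present as if it had been patched at the end of the window.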
  </channel>
</rss>

