topic Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption? in Splunk Search

Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Wed, 26 Oct 2016 14:16:44 GMT

We're looking to get the average time, given all, devices/laptops that are non-compliant with encryption.

In Forescout, these are the fields for detecting compliancy:
status = compliant, non-compliant
description = "Laptop Encryption is not installed", "Symantec Encryption Running, Activated"

Once, we obtain the average time, we want to monitor any improvement in the form of Encryption posture.

Thanks for any help!
Trista

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

sundareshr — Wed, 26 Oct 2016 14:34:12 GMT

Try this *UPDATED*

 index=forescout sourcetype="fs_encryption_compliance" | stats earliest(eval(if(status="non-compliant", _time, null()))) as noncompliant earliest(eval(if(status="compliant", _time, null()))) as compliant by src_nt_host | where isnotnull(noncompliant) | eval duration=compliant-noncompliant | eventstats max(duration) as max min(duration) as min | stats values(max) as max max(min) as min avg(duration) as avg_duration values(eval(if(max=duration, src_nt_host, "null()))) as max_contrib values(eval(if(min=duration, src_nt_host, "null()))) as min_contrib

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Tue, 29 Sep 2020 11:33:51 GMT

Hi @sundareshr. Thanks again for your help in all this.
I modified the search to apply to our data:

index=forescout sourcetype="fs_encryption_compliance" | stats earliest(eval(if(status="non-compliant", _time, null()))) as noncompliant earliest(eval(if(status="compliant", _time, null()))) as compliant by src_nt_host | where isnotnull(noncompliant) | eval duration="non-compliant" | stats avg(duration) as avg_duration by src_nt_host

However, the output is listing src_nt_host (device) and NULL avg_duration numbers. We're actually looking for just one avg number for all of these devices. So, can we simply add the duration numbers from each src_nt_host and then derive the avg from that?

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

sundareshr — Wed, 26 Oct 2016 20:19:11 GMT

Try this...

index=forescout sourcetype="fs_encryption_compliance" | stats earliest(eval(if(status="non-compliant", _time, null()))) as noncompliant earliest(eval(if(status="compliant", _time, null()))) as compliant by src_nt_host | where isnotnull(noncompliant) | eval duration=compliant-noncompliant | stats avg(duration) as avg_duration

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Wed, 26 Oct 2016 20:33:40 GMT

ok, is that avg_duration in seconds, minutes, hours, days? The output is coming up as a negative number.... -2819509.457109

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

sundareshr — Wed, 26 Oct 2016 20:39:26 GMT

If duration is negative, make this change eval duration=noncompliant-compliant .

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Wed, 26 Oct 2016 20:44:30 GMT

Yes, I noticed that and made that change. So, this duration is in seconds? How would I change it to hours?

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

sundareshr — Wed, 26 Oct 2016 21:18:27 GMT

Add this to the end | eval duration=tostring(duration, "duration") OR if you only want hours, divide by 3600 | eval duration_hrs=round(duration/3600, 0)

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Thu, 27 Oct 2016 13:25:37 GMT

This is great @sundareshr! Thank you!

One last thing...how would I derive the lowest and highest duration that is contributing to this avg?

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

sundareshr — Thu, 27 Oct 2016 13:31:06 GMT

See updated answer

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Tue, 29 Sep 2020 11:34:09 GMT

Thank you so much for your help @sundareshr!

I'm getting the src_nt_host names for the max and min contributors. How do I obtain the duration time for these two values?

The minimum duration time
The maximum duration time
Avg duration time

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

aaraneta_splunk — Tue, 08 Nov 2016 00:49:01 GMT

@tmaltizo - Did @sundareshr happen to answer your original question? If yes, please click "Accept" to resolve your post. If not, feel free to leave another comment with feedback for him. Thanks!

Re: Forescout: How to calculate the average time of all devices/laptops that are non-compliant with encryption?

tmaltizo — Wed, 30 Nov 2016 19:32:30 GMT

@aaraneta, I just sent a followup comment to him.Thanks!