
Need help with time-based search with data from two sources

john_dagostino
Path Finder

I'm looking to put together some reports on vulnerability data where I can show a trending value of both fixed and active vulns at any given time. Our vulnerability data is separated where we have assets (asset_id) and the last time they were scanned (last_scan_finished) as one sourcetype, and the assets (asset_id), vulnerability (signature_id) and the last time that vuln was detected (most_recently_discovered) as another sourcetype. When a vulnerability is resolved we don't receive any indication in the data, but it will not be detected in future scans.

I'm looking to timechart each combination of asset_id and signature_id, where if the most_recently_discovered field is greater than or equal to the last_scan_finished date it is considered active, otherwise it's resolved. I've made several attempts however haven't been able to come up with a workable solution. Any help would be greatly appreciated.

0 Karma

richgalloway
SplunkTrust

It would help if you'd share the search(es) you've tried. Perhaps we'll find your mistake. At least we won't waste time suggesting what you've already done.

---
If this reply helps you, Karma would be appreciated.
0 Karma

john_dagostino
Path Finder

This is the closest I've come, after converting to a data model; however, it will only give me the status at the time the search is run due to the latest(Nexpose.last_scan_finished). I also added an offset in there so that the most_recently_discovered plus 1 day needs to be less than the last scan.

| tstats count from datamodel=Nexpose_Vulnerability where nodename=Nexpose.Vulnerabilities by Nexpose.asset_id Nexpose.signature_id Nexpose.most_recently_discovered
| join type=outer Nexpose.asset_id [| tstats latest(Nexpose.last_scan_finished) AS last_scan_finished from datamodel=Nexpose_Vulnerability where nodename=Nexpose.Assets by Nexpose.asset_id]
| rename Nexpose.* AS *
| eval most_recent_epoch=strptime(most_recently_discovered,"%Y-%m-%d %H:%M:%S") , last_scan_epoch=strptime(last_scan_finished,"%Y-%m-%d %H:%M:%S"), most_recent_plus_24=most_recent_epoch+86400
| convert ctime(most_recent_plus_24) AS vuln_last_seen_plus24, ctime(last_scan_epoch) AS last_scan
| eval status=if(most_recent_plus_24 < last_scan_epoch, "resolved", "active")

0 Karma
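The comparison in the search above (most recent detection plus a one-day grace period versus the latest scan of the same asset) only yields a point-in-time status because `latest()` is evaluated over the whole search window. To trend it, the same rule has to be evaluated once per time bucket, using only the scans and detections that existed up to that bucket. The Python below is an added illustration of that per-bucket evaluation, not code from the thread; the asset ids, signature ids, timestamps and the one-day grace value are all constructed, and the field names mirror the two sourcetypes described in the question (asset_id/last_scan_finished and asset_id/signature_id/most_recently_discovered).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # same timestamp format the SPL strptime() calls use
GRACE = timedelta(days=1)  # the "plus 1 day" offset from the post

# Constructed sample data (hypothetical, not from the thread).
# Sourcetype 1: (asset_id, last_scan_finished)
SCANS = [
    ("a1", "2024-01-01 02:00:00"),
    ("a1", "2024-01-08 02:00:00"),
    ("a1", "2024-01-15 02:00:00"),
    ("a2", "2024-01-03 02:00:00"),
]
# Sourcetype 2: (asset_id, signature_id, most_recently_discovered)
DETECTIONS = [
    ("a1", "sig-100", "2024-01-01 02:10:00"),
    ("a1", "sig-100", "2024-01-08 02:10:00"),  # still present at the second scan
    ("a1", "sig-200", "2024-01-01 02:10:00"),  # never seen again -> resolved once a later scan runs
    ("a2", "sig-100", "2024-01-03 02:10:00"),
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def status_at(asset_id, signature_id, as_of, scans, detections, grace=GRACE):
    """Status of one (asset, signature) pair as of a given instant.

    Returns 'active', 'resolved', or None if the pair had not been
    detected at all by `as_of`. Only events with timestamps <= as_of are
    considered, which is what makes the result trendable.
    """
    seen = [parse(ts) for a, s, ts in detections
            if a == asset_id and s == signature_id and parse(ts) <= as_of]
    if not seen:
        return None
    last_seen = max(seen)
    scanned = [parse(ts) for a, ts in scans if a == asset_id and parse(ts) <= as_of]
    last_scan = max(scanned) if scanned else None
    # Same rule as the SPL eval: resolved only if last_seen + grace < last_scan.
    if last_scan is None or last_seen + grace >= last_scan:
        return "active"
    return "resolved"


def trend(scans, detections, start, end, step=timedelta(days=1)):
    """Per-bucket counts of active and resolved pairs: the timechart the question asks for."""
    pairs = {(a, s) for a, s, _ in detections}
    rows = []
    bucket = start
    while bucket <= end:
        counts = {"active": 0, "resolved": 0}
        for asset_id, signature_id in sorted(pairs):
            st = status_at(asset_id, signature_id, bucket, scans, detections)
            if st is not None:
                counts[st] += 1
        rows.append((bucket.strftime("%Y-%m-%d"), counts["active"], counts["resolved"]))
        bucket += step
    return rows


if __name__ == "__main__":
    for day, active, resolved in trend(SCANS, DETECTIONS,
                                       parse("2024-01-02 00:00:00"),
                                       parse("2024-01-16 00:00:00")):
        print(f"{day}  active={active}  resolved={resolved}")
```

The point of `status_at` is the `<= as_of` filter on both sourcetypes: a pair is "resolved" in a bucket only if, by that bucket, a scan of the asset has finished more than the grace period after the last detection. Running it once per bucket reproduces the trend; in SPL the equivalent is to bucket `_time` and compute the latest scan and latest detection per bucket rather than over the whole window.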