Splunk Search

Different results between specific date and the whole month

ivan128
Explorer

I'm getting different results in some Nessus searches. The scans are done every 2 weeks. If I search in Splunk on the specific date the scan is done (using the time picker), it returns the results of that day. If I run a search that lists the results per month, the values it returns are totally different. I tried using this search:

index=XXXXX sourcetype="nessus:scan" name= XXXXX earliest= -150d latest=now| dedup host-ip| timechart span=1mon count(host-ip) as "TOTAL HOSTS"|join  [search index=XXXXX sourcetype="nessus:scan" name=XXXX earliest= -150d latest=now  NOT severity=informational | dedup host-ip | timechart span=1mon count(host-ip) as "TOTAL VULNERABLE HOSTS"]

I feel I'm missing something simple but can't see it.


somesoni2
SplunkTrust
SplunkTrust

I'm guessing the problem here is the subsearch, which has several limitations in terms of number of results, execution time, etc. Since your base search is the same for both your main search and the join subsearch, I believe you can condense it into a single search like this:
*Fixed typo in eval, was missing ')' *

index=XXXXX sourcetype="nessus:scan" name= XXXXX earliest= -150d latest=now | eval vulnhost=if(severity!="informational",'host-ip',null()) |  timechart span=1mon dc(host-ip) as "TOTAL HOSTS" dc(vulnhost) as "TOTAL VULNERABLE HOSTS"
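
To make visible why the two searches disagree, here is an added Python model of both pipelines run over a small constructed set of nessus:scan-style events (this is illustration code written for this thread, not the answerer's code or anything from Splunk). It mimics the original `dedup host-ip | timechart count(host-ip)` pipeline, the accepted answer's `timechart dc(host-ip) dc(vulnhost)` pipeline, and the time-picker view of a single scan day. The event shape, host addresses, dates and the month-bucketing by `YYYY-MM` are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events shaped like nessus:scan results (not real scan data).
# Two scan runs: 2024-01-10 and 2024-02-14. Host 10.0.0.3 only appears in January,
# and 10.0.0.1 has two findings in February (one informational, one critical).
EVENTS = [
    {"_time": "2024-01-10", "host-ip": "10.0.0.1", "severity": "informational"},
    {"_time": "2024-01-10", "host-ip": "10.0.0.2", "severity": "high"},
    {"_time": "2024-01-10", "host-ip": "10.0.0.3", "severity": "medium"},
    {"_time": "2024-02-14", "host-ip": "10.0.0.1", "severity": "critical"},
    {"_time": "2024-02-14", "host-ip": "10.0.0.1", "severity": "informational"},
    {"_time": "2024-02-14", "host-ip": "10.0.0.2", "severity": "informational"},
]


def month_bucket(event):
    """Stand-in for timechart span=1mon: bucket an event by its YYYY-MM."""
    return event["_time"][:7]


def hosts_on_day(events, day):
    """What the time picker shows for one scan day: distinct hosts seen that day."""
    return len({ev["host-ip"] for ev in events if ev["_time"] == day})


def dedup_then_timechart(events):
    """Models the original search: ... | dedup host-ip | timechart span=1mon count(host-ip).

    dedup runs over the whole 150-day range before any bucketing. Splunk returns
    events newest-first, so it keeps only each host's most recent event; a host
    scanned in both months is therefore counted only in the later month.
    """
    seen, kept = set(), []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev["host-ip"] not in seen:
            seen.add(ev["host-ip"])
            kept.append(ev)
    counts = defaultdict(int)
    for ev in kept:
        counts[month_bucket(ev)] += 1
    return dict(counts)


def timechart_dc(events):
    """Models the accepted answer:
    ... | eval vulnhost=if(severity!="informational",'host-ip',null())
        | timechart span=1mon dc(host-ip) as "TOTAL HOSTS" dc(vulnhost) as "TOTAL VULNERABLE HOSTS"

    Distinct counting happens inside each month bucket, so every month keeps its own
    full host set, and hosts with only informational findings drop out of vulnhost.
    """
    hosts = defaultdict(set)
    vuln = defaultdict(set)
    for ev in events:
        bucket = month_bucket(ev)
        hosts[bucket].add(ev["host-ip"])
        if ev["severity"] != "informational":  # the eval's null() leaves these out
            vuln[bucket].add(ev["host-ip"])
    return {
        b: {"TOTAL HOSTS": len(hosts[b]), "TOTAL VULNERABLE HOSTS": len(vuln[b])}
        for b in sorted(hosts)
    }


if __name__ == "__main__":
    print("time picker, 2024-01-10:", hosts_on_day(EVENTS, "2024-01-10"))
    print("dedup then timechart:   ", dedup_then_timechart(EVENTS))
    print("timechart dc():         ", timechart_dc(EVENTS))
```

The January scan covered three hosts, and the time-picker view reports three. The dedup-first pipeline reports only one host for January, because 10.0.0.1 and 10.0.0.2 were re-scanned in February and dedup kept only those later events. The dc() version reports three hosts and two vulnerable hosts for January, and two hosts and one vulnerable host for February. Note also that the original search's count(host-ip) counts events, not hosts, so even without the dedup it would inflate months in which a host has several findings; dc() per bucket is what actually answers "how many hosts".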


ivan128
Explorer

Nice, it works; it needs a closing ) for eval, but it's correct, and I learned something new today! Thanks
