Dashboards & Visualizations

Tenable: How to create break down of patch availability

lball
Explorer

I'm trying to create a search that will provide statistics for patch availability according to our Tenable scans. I'd like to make it all one table, but so far I'm creating separate searches and having trouble getting results. I want to breakdown the results by the patchPubDate value into "Less than 30 days old", 30 to 60 days old", & "over 60 days old". The individual searches that I've been working on so far look like this:

index=tenable | where patchPubDate < relative_time(now(),"-30d@d")
| stats count as "Patch Available less than 30 days"

index=tenable | where patchPubDate = relative_time("-30d@d","-60d@d")
| stats count as "Patch Available 30 to 60 days"

So far, I'm bombing on the second search and I'm not sure how to ensure that I only get patches over 60 days old. The patchPubDate is in epoch time format.

Tags (1)
0 Karma
1 Solution

whrg
Motivator

Hello @lball,

What is the format of the patchPubDate field? Could you post a sample event?

I'm assuming patchPubDate is a string object similar to "2018-10-30". Your search fails because you are comparing a string object ("2018-10-30") to a number (relative_time(...) returns a unix time object which tells how many seconds have passed since 1 January 1970).

What you need to do is convert patchPubDate from a string object to a unix time object using strptime.

Try this:

index=tenable
| eval PatchPubDate_unixtime=strptime(PatchPubDate,"%Y-%m-%d")
| stats count(eval(PatchPubDate_unixtime>relative_time(now(),"-30d@d"))) AS "Patch Available less than 30 days" count(eval(PatchPubDate_unixtime<relative_time(now(),"-30d@d") AND PatchPubDate_unixtime>relative_time(now(),"-60d@d"))) AS "Patch Available 30 to 60 days"

You might need to adapt the time format (I guess YEAR-MONTH-DAY) for the strptime function.

View solution in original post

0 Karma

whrg
Motivator

Hello @lball,

What is the format of the patchPubDate field? Could you post a sample event?

I'm assuming patchPubDate is a string object similar to "2018-10-30". Your search fails because you are comparing a string object ("2018-10-30") to a number (relative_time(...) returns a unix time object which tells how many seconds have passed since 1 January 1970).

What you need to do is convert patchPubDate from a string object to a unix time object using strptime.

Try this:

index=tenable
| eval PatchPubDate_unixtime=strptime(PatchPubDate,"%Y-%m-%d")
| stats count(eval(PatchPubDate_unixtime>relative_time(now(),"-30d@d"))) AS "Patch Available less than 30 days" count(eval(PatchPubDate_unixtime<relative_time(now(),"-30d@d") AND PatchPubDate_unixtime>relative_time(now(),"-60d@d"))) AS "Patch Available 30 to 60 days"

You might need to adapt the time format (I guess YEAR-MONTH-DAY) for the strptime function.

0 Karma

lball
Explorer

I attempted your suggestion without success. The "patchPubDate" is in Epoch Time format.

0 Karma

whrg
Motivator

Then remove the eval line. Also I see I had one mistake that there was a < instead of a >.

Now when I search for

| makeresults count=1 | eval PatchPubDate=1543622400
| stats count(eval(PatchPubDate>relative_time(now(),"-30d@d"))) AS "Patch Available less than 30 days" count(eval(PatchPubDate<relative_time(now(),"-30d@d") AND PatchPubDate>relative_time(now(),"-60d@d"))) AS "Patch Available 30 to 60 days"

then I get:

Patch Available less than 30 days    Patch Available 30 to 60 days
1                                   0

(1543622400 is epoch time for 2018-12-01.)

0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...