I'm working on some formulas to show percentages, right now trying to count % vendors affected by vulnerabilities. The data I am working with is a single JSON file, broken down into each Vulnerability ID. Problem is, if I try to dedup a Vendor that is affected by a particular vulnerability (which are listed as vendor, product, version, inside separate JSON sub-arrays within the vulnerability ID), it still counts the multiple versions, even though I:
index = jsonvuln | dedup id Vendor | top 100 Vendor
returns > 100% for Vendors like Apple and Adobe, which show up multiple times in each Vulnerability ID. So like 236.76% for Adobe.The dedup doesn't seem to work for the array within the event. Is there a command I can use to dedup these Vendors so Splunk only counts it once?