Hello,
I'm quite new to splunk, and probably this can be done more efficiently. I have a search that uses Nessus reports to show a table with the vulnerabilities classified by severity, I need to apply a custom formula to assign a risk score that also uses the total amount of scanned hosts and how many are vulnerable. There are two separate searches that obtain the vulnerable and total hosts and I tried to use a Join command.
This is the formula I wrote for the risk score:
index=XXXX sourcetype="nessus:scan" name="XXXXXX" NOT severity=informational| dedup plugin_family plugin_name host-ip ports{}.port ports{}.protocol ports{}.transport | chart count over plugin_family by severity |rename critical as Critical, high as High, medium as Medium, low as Low, plugin_family as Name | stats sum(*) as * | join userhandle [search index=XXXX sourcetype="nessus:scan" name=XXXXX NOT severity=informational | dedup host-ip | chart count as "Vuln hosts"| stats list(Vuln hosts) as VH] | join userhandle [search index=XXXXXX sourcetype="nessus:scan" name=XXXXX | dedup host-ip | chart count as "Total hosts" | stats list(Total hosts) as TH]| fillnull Critical, High |eval Name="XXXXX" | eval RiskValue=/Risk value formula/ | fields Name, Critical, High, Medium, Low, RiskValue
It works, but its quite long and as a new assignment I need to be able to generate a histogram of Risk value for the past 6 months. Using append
and specifying the dates ( earliest -6mon
and so forth) returns incorrect data and the search itself becomes quite big and I feel this can bring performance issues in Splunk if we are to display the histogram on a dashboard. I need guidance on how to improve this search and display the histogram.
Thanks in advance.