
How do I track changes to a dataset?

capilarity
Path Finder

We get a weekly ingest of a data set for our vulnerability management. Each line contains a unique value matching a vulnerability with a server.

I want to be able to report on:

a. how many new vulnerabilities are in this week's report compared to last week, and

b. how many vulnerabilities have been fixed (so are not reported) in this week's list compared to last week

I'm looking for Splunk to tell me what's new and what's missing week by week, but also to track these over the long term.

Can't seem to get any meaningful results with a 'set diff' search.


Any help gratefully received!!


somesoni2
SplunkTrust

Try something like this

your base search for getting vulnerability data for each host, set time range to last two weeks OR 14 days
| eval period=if(_time>=relative_time(now(),"-7d@d"),"This_Week","Last_Week")
| stats values(period) as periods,..any other fields... by host vulnerability_id
| eval remarks=case(mvcount(periods)=2,"Repeat Vulnerability",periods="This_Week","New Vulnerability", true(),"Fixed Vulnerability")
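The same new / repeat / fixed classification as the SPL above, as an added example that is not part of this thread: a Python version run over a constructed sample of weekly (week, host, vuln_id) records. It goes a step further than the search by diffing every consecutive pair of weeks for long-term tracking, and by handling a host that drops out of a week's report entirely (which the plain set difference would count as "all fixed").

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]          # (week, host, vuln_id)
Pair = Tuple[str, str]                 # (host, vuln_id), the unique key per finding

# Constructed sample ingest, not real scanner output.
SAMPLE_INGEST: List[Record] = [
    ("2024-W10", "web01", "V-1001"),
    ("2024-W10", "web01", "V-1002"),
    ("2024-W10", "db01", "V-2001"),
    ("2024-W11", "web01", "V-1002"),   # V-1001 gone -> fixed; V-1002 repeats
    ("2024-W11", "web01", "V-1003"),   # new this week
    ("2024-W11", "db01", "V-2001"),    # repeat
    ("2024-W12", "web01", "V-1002"),   # repeat
    ("2024-W12", "web01", "V-1003"),   # repeat
    # db01 is absent from W12 entirely: patched, or simply not scanned?
]

def snapshots(records: Iterable[Record]) -> Dict[str, Set[Pair]]:
    """Group the feed into one set of (host, vuln_id) per week."""
    weeks: Dict[str, Set[Pair]] = defaultdict(set)
    for week, host, vuln in records:
        weeks[week].add((host, vuln))
    return dict(weeks)

def classify(prev: Set[Pair], curr: Set[Pair], ignore_unscanned_hosts: bool = True) -> Dict[str, int]:
    """Week-over-week diff mirroring the SPL case(): repeat = in both weeks,
    new = only this week, fixed = only last week. With ignore_unscanned_hosts,
    findings on hosts missing from this week's report are left out of 'fixed'
    instead of being silently counted as remediated."""
    if ignore_unscanned_hosts:
        scanned = {host for host, _ in curr}
        prev = {pair for pair in prev if pair[0] in scanned}
    return {
        "repeat": len(prev & curr),
        "new": len(curr - prev),
        "fixed": len(prev - curr),
        "open": len(curr),
    }

def trend(records: Iterable[Record], ignore_unscanned_hosts: bool = True) -> List[Tuple[str, Dict[str, int]]]:
    """Apply classify() to each consecutive pair of weeks, oldest to newest."""
    snaps = snapshots(records)
    weeks = sorted(snaps)
    return [(weeks[i], classify(snaps[weeks[i - 1]], snaps[weeks[i]], ignore_unscanned_hosts))
            for i in range(1, len(weeks))]

if __name__ == "__main__":
    for week, counts in trend(SAMPLE_INGEST):
        print(week, counts)
```

Running it with ignore_unscanned_hosts=False shows db01's finding counted as fixed in W12, which is the false-positive remediation a plain set diff produces when a host is missing from a scan.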