Hi all - this one is hurting my brain. I need to pull two distinct numbers from my events: one with a total count of assets, and one with a total count of assets that contain a vulnerability.
What I think it should look like is not working:
| (stats dc(AssetNames) AS TotalExternalAssets, (dc(Asset_Names) AS TotalExposedAssets | where vulnerability!="missing"))
How do I get these two counts out of my events?
That command is not a valid Splunk command.
What you probably want is:
| stats dc(AssetNames) AS TotalExternalAssets
dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets
I assume the AssetNames field is the same field (not Asset_Names in the second case).
This takes the count of unique assets (first dc()) and the second says
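A run-anywhere version of the search in the answer above, added here as an example and not part of the original thread. The events, asset names and vulnerability values are constructed sample data, and it assumes a Splunk version that supports `makeresults format=csv`. Assets that appear in several events are counted once, and an asset counts as exposed when at least one of its events has a vulnerability value other than "missing".

```spl
| makeresults format=csv data="AssetNames,vulnerability
web01,constructed-vuln-A
web01,constructed-vuln-B
web02,missing
db01,missing
db01,constructed-vuln-A
vpn01,missing"
| stats dc(AssetNames) AS TotalExternalAssets
        dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets
```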