Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to add a chart that shows the average vulnerab...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gbhw
New Member
10-01-2019
07:03 AM
Hi,
I created a vulnerability dashboard that looks like this:
VulnerabilityId, Host, Service
123, HostA, Mail
234, HostA, Mail
345, HostB, Mail
123, HostC, HR
234, HostC, HR
Now I want to add a chart that shows a vulnerability index per Service. It should show the average vulnerabilities per host grouped by Service.
- Service Mail got 3 vulnerabilities divided by 2 hosts = 1,5 per host
- Service HR got 2 vulnerabilities divided by 1 host = 2 per host
Any idea how I can achieve this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jacobpevans
Motivator
10-01-2019
02:08 PM
Greetings @gbhw,
You're looking for the dc (distinct count) stats command. You can read more about stats commands here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
This is what you need for your search:
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Here's a full run-anywhere search demonstrating this with your sample data:
| makeresults | eval VulnerabilityId="123", Host="HostA", Service="Mail"
| append [ | makeresults | eval VulnerabilityId="234", Host="HostA", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="345", Host="HostB", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="123", Host="HostC", Service="HR" ]
| append [ | makeresults | eval VulnerabilityId="234", Host="HostC", Service="HR" ]
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Cheers,
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jacobpevans
Motivator
10-01-2019
02:08 PM
Greetings @gbhw,
You're looking for the dc (distinct count) stats command. You can read more about stats commands here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
This is what you need for your search:
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Here's a full run-anywhere search demonstrating this with your sample data:
| makeresults | eval VulnerabilityId="123", Host="HostA", Service="Mail"
| append [ | makeresults | eval VulnerabilityId="234", Host="HostA", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="345", Host="HostB", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="123", Host="HostC", Service="HR" ]
| append [ | makeresults | eval VulnerabilityId="234", Host="HostC", Service="HR" ]
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Cheers,
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Get Updates on the Splunk Community!
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
