- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to add a chart that shows the average vulnerab...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I created a vulnerability dashboard that looks like this:
VulnerabilityId, Host, Service
123, HostA, Mail
234, HostA, Mail
345, HostB, Mail
123, HostC, HR
234, HostC, HR
Now I want to add a chart that shows a vulnerability index per Service. It should show the average vulnerabilities per host grouped by Service.
- Service Mail got 3 vulnerabilities divided by 2 hosts = 1,5 per host
- Service HR got 2 vulnerabilities divided by 1 host = 2 per host
Any idea how I can achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @gbhw,
You're looking for the dc (distinct count) stats command. You can read more about stats commands here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
This is what you need for your search:
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Here's a full run-anywhere search demonstrating this with your sample data:
| makeresults | eval VulnerabilityId="123", Host="HostA", Service="Mail"
| append [ | makeresults | eval VulnerabilityId="234", Host="HostA", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="345", Host="HostB", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="123", Host="HostC", Service="HR" ]
| append [ | makeresults | eval VulnerabilityId="234", Host="HostC", Service="HR" ]
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @gbhw,
You're looking for the dc (distinct count) stats command. You can read more about stats commands here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
This is what you need for your search:
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Here's a full run-anywhere search demonstrating this with your sample data:
| makeresults | eval VulnerabilityId="123", Host="HostA", Service="Mail"
| append [ | makeresults | eval VulnerabilityId="234", Host="HostA", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="345", Host="HostB", Service="Mail" ]
| append [ | makeresults | eval VulnerabilityId="123", Host="HostC", Service="HR" ]
| append [ | makeresults | eval VulnerabilityId="234", Host="HostC", Service="HR" ]
| stats dc(Host) as Host_Count dc(VulnerabilityId) as Vulnerability_Count by Service
| eval Vulnerabilites_Per_Host = Vulnerability_Count / Host_Count
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
