Splunk Enterprise Security

[PCI] Could you please elaborate logic for display of Compliance Status History view for security Posture

Splunk Employee

The issue is that for the “PCI Compliance Posture” dashboard, the view “Compliance Status History” is not showing data. It just displayed a line.


0 Karma

Splunk Employee

The view is based on the search:


index="pci_posture_summary" search_name="PCI - Compliance Status History - Summary Gen"  | `makemv(orig_tag)` | `mvappend_field(tag,orig_tag)` | extract kv_for_pci_compliance_status_history_summary | timechart span=`pci_compliance_history_span` latest(All) as All



If you look at the SPL for the base search for "PCI - Compliance Status History - Summary Gen", it has the following results:


Each of the requirements refers to scorecards on "PCI Compliance Posture".


Based on the search for "Compliance Status History" 



- Where “All” requirement has the rolled-up number from the other scorecards on
- The logic is: when we have new notables, i.e. (where investigation has not started), in this case we will show compliance_status=-10000000000
- In case we have notables that are being investigated, they will have compliance_status=0
- If all the investigations get closed when the search runs, in that case compliance_status=10000000000

0 Karma