I'm currently doing a search for top 10 vulnerabilities for a client. I have the search, but I want to combine all of the searches of one system to one field.
Oracle Java SE 1.7.0_221 / 1.8.0_211 / 1.11.0_3 / 1.12.0_1 Multiple Vulnerabilities (Apr 2019 CPU) (Unix) 835386
Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix) 743553
RHEL 6 : dbus (RHSA-2019:1726) 794885
RHEL 6 : libssh2 (RHSA-2019:1652) 789371
RHEL 6 : kernel (RHSA-2019:1488) (SACK Panic) (SACK Slowness) 772047
RHEL 6 : python (RHSA-2019:1467) 768655
RHEL 6 : bind (RHSA-2019:1492) 765921
I would like all of the Oracle Java SE, RHEL 6 or any other results to be one field with the total count for that event for chart purposes.
Here is my search:
| tstats count FROM datamodel=Vulnerabilities where (nodename="Vulnerabilities" Vulnerabilities.severity!="informational") by Vulnerabilities.signature | sort - count | head 10
Try using |addtotals if you want a horizontal addition; this would be for vertical| addtotals row=f col=t labelfield=
Hi, i don't think this would work due the search results may needing to change. It would probably work if the top 10 vulnerabilities wouldnt change at any given time. One day RHEL could top 10 and one day Google chrome could be top 10
Maybe I'm missing your questions point but you could mvzip the system to the count. Or just create a mv of the system if it's more than two fields of information and sort by a certain field in the mv. Streamstats or even just a clever use of top.
I ended up having to use regex, due to the complication of the search. Thanks a lot !!