Splunk Enterprise Security

Splunk Enterprise Security: How to add field counts together so that its one field?

payton_tayvion
Path Finder

I'm currently doing a search for top 10 vulnerabilities for a client. I have the search, but I want to combine all of the searches of one system to one field.

EX.
Oracle Java SE 1.7.0_221 / 1.8.0_211 / 1.11.0_3 / 1.12.0_1 Multiple Vulnerabilities (Apr 2019 CPU) (Unix) 835386
Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix) 743553
RHEL 6 : dbus (RHSA-2019:1726) 794885
RHEL 6 : libssh2 (RHSA-2019:1652) 789371
RHEL 6 : kernel (RHSA-2019:1488) (SACK Panic) (SACK Slowness) 772047
RHEL 6 : python (RHSA-2019:1467) 768655
RHEL 6 : bind (RHSA-2019:1492) 765921

I would like all of the Oracle Java SE, RHEL 6 or any other results to be one field with the total count for that event for chart purposes.

Here is my search:

| tstats count FROM datamodel=Vulnerabilities  where (nodename="Vulnerabilities" Vulnerabilities.severity!="informational") by Vulnerabilities.signature
| sort - count
| head 10
0 Karma
1 Solution

rbar16
Explorer

Try using |addtotals if you want a horizontal addition; this would be for vertical| addtotals row=f col=t labelfield=

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Addtotals#Syntax

View solution in original post

0 Karma

rbar16
Explorer

Try using |addtotals if you want a horizontal addition; this would be for vertical| addtotals row=f col=t labelfield=

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Addtotals#Syntax

0 Karma

payton_tayvion
Path Finder

Hi, i don't think this would work due the search results may needing to change. It would probably work if the top 10 vulnerabilities wouldnt change at any given time. One day RHEL could top 10 and one day Google chrome could be top 10

0 Karma

rbar16
Explorer

Maybe I'm missing your questions point but you could mvzip the system to the count. Or just create a mv of the system if it's more than two fields of information and sort by a certain field in the mv. Streamstats or even just a clever use of top.

0 Karma

payton_tayvion
Path Finder

I ended up having to use regex, due to the complication of the search. Thanks a lot !!

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...