Vulnerbaility data model information is mismatch w...

raghu_yara · ‎05-24-2018

Hi,

using this query
| from datamodel:"Vulnerabilities"."Vulnerabilities" |stats count by signature getting result 234
using this query
| tstats summariesonly=true values(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities
| mvexpand vuln_count getting result 194.
So that dashboards are getting wrong information Splunk enterprise security app. Please help me where I did mistake.

xpac · ‎05-24-2018

The values() option only gives you each value once.
If signature exists more than once, it's only contained once in the result (like an implicit dedup). Therefore, you might less results than by simply counting them.
Use list() instead of values(), that should fix it.

Hope that helps.

Vulnerbaility data model information is mismatch with datamodel acceleration

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!