Re: Vulnerbaility data model information is mismat...

raghu_yara · ‎05-24-2018

Hi,

using this query
| from datamodel:"Vulnerabilities"."Vulnerabilities" |stats count by signature getting result 234
using this query
| tstats summariesonly=true values(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities
| mvexpand vuln_count getting result 194.
So that dashboards are getting wrong information Splunk enterprise security app. Please help me where I did mistake.

xpac · ‎05-24-2018

The values() option only gives you each value once.
If signature exists more than once, it's only contained once in the result (like an implicit dedup). Therefore, you might less results than by simply counting them.
Use list() instead of values(), that should fix it.

Hope that helps.

Vulnerbaility data model information is mismatch with datamodel acceleration

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Vulnerbaility data model information is mismatch with datamodel acceleration

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!