Splunk Enterprise Security

Vulnerbaility data model information is mismatch with datamodel acceleration

New Member


using this query
| from datamodel:"Vulnerabilities"."Vulnerabilities" |stats count by signature getting result 234
using this query
| tstats summariesonly=true values(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities
| mvexpand vuln_count
getting result 194.
So that dashboards are getting wrong information Splunk enterprise security app. Please help me where I did mistake.

0 Karma


The values() option only gives you each value once.
If signature exists more than once, it's only contained once in the result (like an implicit dedup). Therefore, you might less results than by simply counting them.
Use list() instead of values(), that should fix it.

Hope that helps.

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!