Splunk Enterprise Security

how to find the total count of vulnerabilities within a search?

Explorer

I'm currently trying to create a search that counts the total vulnerabilities for each property, but it seems that i'm having a problem. when i create the search all of the properties are returning with the exact total amount of vulnerabilities and I know thats incorrect.

Here's the search results:
cve opsdb_property count Total Vulnerabilities
CVE-2011-3389 System1 84 10393
CVE-2019-10160 System2 9 10393
CVE-2019-12735 System3 9 10393
CVE-2016-2183 System4 4 10393
CVE-2011-3389 System5 3 10393
CVE-2017-5715 System 6 3 10393

Here's the search command :
| stats count by cve,opsdb_property
| eventstats sum(count) as "Total Vulnerabilities"
| where opsdb_property!="NONE"
| sort - count

0 Karma
Highlighted

Re: how to find the total count of vulnerabilities within a search?

Influencer

@payton_tayvion Try this

| stats count by cve,opsdb_property | eventstats sum(count) as "Total Vulnerabilities"  by opsdb_property| where opsdb_property!="NONE" | sort - count

View solution in original post

0 Karma