Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate vulnerabilty age by month with vulnerabilities that span over a month

unitrium
Explorer
‎10-08-2020 04:02 AM

Hi,

I would like to create a graph showing the average vulnerability age for each month by severity. I use this search :

 

 

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by _time Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity span=1mon | `drop_dm_object_name("Vulnerabilities")` | where firstTime!=lastTime AND severity!="informational" | eval age=round((lastTime-firstTime)/86400) | eval _time=lastTime | timechart span=1mon avg(age) by severity | fields _time low medium high critical

 

 

However the age is calculated independently for each month. Meaning that if a vulnerability spans over multiple month its age will cap at 30 days maximum for each month in the graph. I'm unsure of how to make it cumulative 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 06:01 AM

So you still want it appearing every month (not just the last month) but to make it a running total? How about keeping the minimum firstTime and calculating age using that?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by _time Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity span=1mon 
| eventstats min(firstTime) as firstTime by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity
| `drop_dm_object_name("Vulnerabilities")` 
| where firstTime!=lastTime AND severity!="informational" 
| eval age=round((lastTime-firstTime)/86400) 
| eval _time=lastTime 
| timechart span=1mon avg(age) by severity 
| fields _time low medium high critical

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 05:32 AM

Do you need the time element to the tstats?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by  Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity | `drop_dm_object_name("Vulnerabilities")` | where firstTime!=lastTime AND severity!="informational" | eval age=round((lastTime-firstTime)/86400) | eval _time=lastTime | timechart span=1mon avg(age) by severity | fields _time low medium high critical
0 Karma
Reply
Solved! Jump to solution

unitrium
Explorer
‎10-08-2020 05:45 AM

I think it needed for the span=1mon so I can get the firstTime and lastTime for each month.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 06:01 AM

So you still want it appearing every month (not just the last month) but to make it a running total? How about keeping the minimum firstTime and calculating age using that?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by _time Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity span=1mon 
| eventstats min(firstTime) as firstTime by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity
| `drop_dm_object_name("Vulnerabilities")` 
| where firstTime!=lastTime AND severity!="informational" 
| eval age=round((lastTime-firstTime)/86400) 
| eval _time=lastTime 
| timechart span=1mon avg(age) by severity 
| fields _time low medium high critical

 

0 Karma
Reply
Solved! Jump to solution

unitrium
Explorer
‎10-08-2020 06:10 AM

Seems to be closer to what I need, I'm just wondering what happens when a vulnerability is fixed, will it's average still be counted for the following months ?
If yes I was thinking to add an if clause in the eval age so that the age for the month should be 0 if lastTime!=_time
Would that work ?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 06:21 AM

I think the answer is no since the vulnerability won't show up for the month in the first tstats. You could check this in your results from just the tstats

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top