Splunk Search

Calculate vulnerability age by month with vulnerabilities that span over a month

unitrium
Explorer

Hi,

I would like to create a graph showing the average vulnerability age for each month by severity. I use this search:

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by _time Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity span=1mon
| `drop_dm_object_name("Vulnerabilities")`
| where firstTime!=lastTime AND severity!="informational"
| eval age=round((lastTime-firstTime)/86400)
| eval _time=lastTime
| timechart span=1mon avg(age) by severity
| fields _time low medium high critical

However, the age is calculated independently for each month, meaning that if a vulnerability spans multiple months its age will cap at 30 days maximum for each month in the graph. I'm unsure of how to make it cumulative.


ITWhisperer
SplunkTrust

Do you need the time element to the tstats?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity
| `drop_dm_object_name("Vulnerabilities")`
| where firstTime!=lastTime AND severity!="informational"
| eval age=round((lastTime-firstTime)/86400)
| eval _time=lastTime
| timechart span=1mon avg(age) by severity
| fields _time low medium high critical

unitrium
Explorer

I think it is needed for the span=1mon so I can get the firstTime and lastTime for each month.


ITWhisperer
SplunkTrust

So you still want it appearing every month (not just the last month) but to make it a running total? How about keeping the minimum firstTime and calculating age using that?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by _time Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity span=1mon 
| eventstats min(firstTime) as firstTime by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity
| `drop_dm_object_name("Vulnerabilities")` 
| where firstTime!=lastTime AND severity!="informational" 
| eval age=round((lastTime-firstTime)/86400) 
| eval _time=lastTime 
| timechart span=1mon avg(age) by severity 
| fields _time low medium high critical

unitrium
Explorer

Seems to be closer to what I need. I'm just wondering what happens when a vulnerability is fixed: will its average still be counted for the following months?
If so, I was thinking of adding an if clause to the eval age so that the age for the month is 0 if lastTime!=_time.
Would that work?


ITWhisperer
SplunkTrust

I think the answer is no, since the vulnerability won't show up for the month in the first tstats. You could check this in your results from just the tstats.

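To make the difference between the per-month age and the running age concrete, here is an added Python simulation of the thread's pipeline over constructed scan findings; it is not Splunk code and not from either poster, and the CVE-EXAMPLE signatures and host names are placeholders. It models the monthly tstats buckets, the eventstats min(firstTime) step from the accepted approach, and the point in the last reply: a finding that stops appearing in scan data simply has no row in later months rather than being counted at age 0.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400

def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed scan findings (placeholder signatures/hosts): (epoch, signature, dest, severity).
# CVE-EXAMPLE-1 stays open from Jan 3 to Mar 20; CVE-EXAMPLE-2 stops appearing after Feb 12.
EVENTS = [
    (ts(2024, 1, 3), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 1, 28), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 2, 2), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 2, 25), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 3, 1), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 3, 20), "CVE-EXAMPLE-1", "host1", "high"),
    (ts(2024, 1, 10), "CVE-EXAMPLE-2", "host2", "medium"),
    (ts(2024, 2, 5), "CVE-EXAMPLE-2", "host2", "medium"),
    (ts(2024, 2, 12), "CVE-EXAMPLE-2", "host2", "medium"),
]

def month_key(epoch):
    d = datetime.fromtimestamp(epoch, timezone.utc)
    return f"{d.year}-{d.month:02d}"

def tstats_by_month(events):
    """Like tstats min(_time)/max(_time) by _time span=1mon, signature, dest, severity."""
    buckets = {}
    for t, sig, dest, sev in events:
        key = (month_key(t), sig, dest, sev)
        lo, hi = buckets.get(key, (t, t))
        buckets[key] = (min(lo, t), max(hi, t))
    return buckets

def avg_age_by_month(events, cumulative):
    """Return {(month, severity): avg age in days}; cumulative=True adds the eventstats step."""
    rows = tstats_by_month(events)
    # eventstats min(firstTime) as firstTime by signature, dest, severity
    global_first = {}
    for (_, sig, dest, sev), (lo, _) in rows.items():
        global_first[(sig, dest, sev)] = min(global_first.get((sig, dest, sev), lo), lo)
    ages = defaultdict(list)
    for (month, sig, dest, sev), (lo, hi) in rows.items():
        first = global_first[(sig, dest, sev)] if cumulative else lo
        if first == hi or sev == "informational":  # where firstTime!=lastTime AND ...
            continue
        ages[(month, sev)].append(round((hi - first) / DAY))  # eval age=round(...)
    return {k: sum(v) / len(v) for k, v in ages.items()}  # timechart avg(age) by severity
```

With cumulative=False the high finding reads 25, 23 and 19 days for Jan, Feb and Mar; with cumulative=True it reads 25, 53 and 77 days, and the medium finding has no March row at all.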