Splunk Search

Finding time (in days) that server has not been patched for a critical vulnerability

mbtsoltis
Explorer

Thanks in advance for any help.

I'm trying to find the number of days that a Device has not been patched for a Critical Severity vulnerability (currently not patched). The example below should return 3 days for Device Server01. I tried stats and streamstats but was not able to get them to produce the results below.

Device    Message                          _time
Server01  Severity Critical Patch Missing  11/1/2021 2PM
Server01  Ok (Fully Patched)               11/2/2021 2PM
Server01  Severity Critical Patch Missing  11/3/2021 2PM
Server01  Severity Critical Patch Missing  11/3/2021 6PM
Server01  Severity Critical Patch Missing  11/4/2021 2PM
Server01  Severity Critical Patch Missing  11/5/2021 6PM (latest event)
Accepted Solution

ITWhisperer
SplunkTrust

Try something like this

| makeresults 
| eval _raw="Device	Message	_time
Server01	Severity Critical Patch Missing	11/1/2021 2PM
Server01	Ok (Fully Patched)	11/2/2021 2PM
Server01	Severity Critical Patch Missing	11/3/2021 2PM
Server01	Severity Critical Patch Missing	11/3/2021 6PM
Server01	Severity Critical Patch Missing	11/4/2021 2PM
Server01	Severity Critical Patch Missing	11/5/2021 6PM (latest event)"
| multikv forceheader=1
| eval _time=strptime(time,"%m/%d/%Y %I%p")
| bin span=1d _time
| stats values(*) as * by _time Device
| streamstats count(eval(Message=="Severity Critical Patch Missing")) as days reset_before="("match(Message,\"Ok \(Fully Patched\)\")")" by Device


PickleRick
SplunkTrust

The question is whether you want the current state or any historic occurrences.

Because if you just want to have the current status, it's relatively easy:

<your search>
| stats max(_time) as maxtime by Message Device
| xyseries Device Message maxtime
| rename "Ok (Fully Patched)" as ok
| rename "Severity Critical Patch Missing" as crit
| eval state=case(isnull(crit) OR ok>crit,"OK", isnull(ok),"overdue (never reported as patched)", 1=1,tostring((crit-ok)/86400)." days overdue")

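To check what the two searches above actually compute, here is an added example (not code from the thread or from either answerer): a Python re-implementation of both approaches, the streamstats run-length count from the accepted answer and the latest-OK versus latest-Missing comparison from this one. It runs over the asker's Server01 rows (with the "(latest event)" annotation dropped) plus a constructed Server02 that has never reported a patched state, which is the case the SPL as posted does not handle; Server02 and its timestamps are assumptions made for the example.

```python
"""Days a device has been unpatched for a critical vulnerability.

Added example, not code from the thread: a Python re-implementation of the
two SPL approaches above (the streamstats run-length count and the
latest-OK vs latest-Missing comparison), run over the asker's Server01 rows
plus a constructed Server02 that has never reported a patched state.
"""
from collections import defaultdict
from datetime import datetime

MISSING = "Severity Critical Patch Missing"
OK = "Ok (Fully Patched)"

# Constructed sample events: Device<TAB>Message<TAB>time, month/day/year
# with a 12-hour clock, as in the question. Server02 is invented here.
SAMPLE_EVENTS = """\
Server01\tSeverity Critical Patch Missing\t11/1/2021 2PM
Server01\tOk (Fully Patched)\t11/2/2021 2PM
Server01\tSeverity Critical Patch Missing\t11/3/2021 2PM
Server01\tSeverity Critical Patch Missing\t11/3/2021 6PM
Server01\tSeverity Critical Patch Missing\t11/4/2021 2PM
Server01\tSeverity Critical Patch Missing\t11/5/2021 6PM
Server02\tSeverity Critical Patch Missing\t11/4/2021 9AM
Server02\tSeverity Critical Patch Missing\t11/5/2021 9AM
"""


def parse_events(text):
    """Parse the tab-separated lines into (device, message, datetime), sorted by time."""
    events = []
    for line in text.splitlines():
        device, message, stamp = line.split("\t")
        events.append((device, message, datetime.strptime(stamp, "%m/%d/%Y %I%p")))
    return sorted(events, key=lambda e: e[2])


def unpatched_days(events):
    """Equivalent of bin span=1d + stats values(*) + streamstats with reset_before.

    Counts consecutive calendar days on which a Missing event was seen, resetting
    to zero on any day that reported Fully Patched. Two events on the same day
    (11/3 2PM and 6PM) collapse into one day, so Server01 yields 3, not 4.
    """
    per_day = defaultdict(lambda: defaultdict(set))  # device -> date -> {messages}
    for device, message, ts in events:
        per_day[device][ts.date()].add(message)
    days_missing = {}
    for device, days in per_day.items():
        run = 0
        for day in sorted(days):
            if OK in days[day]:
                run = 0          # reset_before: a patched report restarts the run
            elif MISSING in days[day]:
                run += 1
        days_missing[device] = run
    return days_missing


def current_state(events):
    """Equivalent of stats max(_time) by Message Device + xyseries + eval case().

    Compares the latest Fully Patched and latest Missing timestamps per device.
    A device with no Fully Patched event at all (Server02) is reported overdue
    since its first Missing event instead of the null the unguarded SPL yields.
    """
    latest = defaultdict(dict)   # device -> message -> most recent timestamp
    first_missing = {}           # device -> earliest Missing timestamp
    for device, message, ts in events:  # events are time-sorted
        latest[device][message] = ts
        if message == MISSING:
            first_missing.setdefault(device, ts)
    state = {}
    for device, by_message in latest.items():
        crit = by_message.get(MISSING)
        ok = by_message.get(OK)
        if crit is None or (ok is not None and ok > crit):
            state[device] = "OK"
        else:
            since = ok if ok is not None else first_missing[device]
            overdue = (crit - since).total_seconds() / 86400
            state[device] = f"{overdue:.2f} days overdue"
    return state


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(unpatched_days(evs))   # {'Server01': 3, 'Server02': 2}
    print(current_state(evs))    # {'Server01': '3.17 days overdue', 'Server02': '1.00 days overdue'}
```

The two numbers differ for a reason worth knowing before putting either on a dashboard: the run-length approach counts calendar days on which a Missing report was seen (a day with no scan output at all is not counted), while the timestamp comparison measures elapsed time since the last Fully Patched report, so Server01 comes out as 3 days in the first and about 3.17 days in the second.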


mbtsoltis
Explorer

Thanks, this helped me go in the right direction and focus on using streamstats.
