Solved: Re: Forescout: How to generate a report for month ...

tmaltizo · ‎10-26-2016

I need to provide month over month AV compliance given the following calculation:

(Total # AV compliant servers / Total servers) x 100 = % Compliant

Total # AV compliant servers:

index=forescout sourcetype="fs_av_compliance" description="Server*" | dedup src_ip |chart latest(status) as Latest_Status over src_ip | search Latest_Status="compliant" | stats count(src_ip)

Total servers:

index=forescout sourcetype="fs_av_compliance" description="Server*" | dedup src_ip | stats count(src_ip)

I need assistance with the calculation and do this calculation month over month...maybe a date is necessary for this (the 1st of every month)?

Thanks in advance for any help with this!
Trista

sundareshr · ‎10-26-2016

Try this

index=forescout sourcetype="fs_av_compliance" description="Server*" | dedup src_ip | chart count over src_ip by status | addtotals | eventstats sum(Total) as total | where isnotnull(compliant) | eval percCompliant=compliant/total*100 | table src_ip compliant total percCompliant

View solution in original post

sundareshr · ‎10-26-2016

Try this

index=forescout sourcetype="fs_av_compliance" description="Server*" | dedup src_ip | chart count over src_ip by status | addtotals | eventstats sum(Total) as total | where isnotnull(compliant) | eval percCompliant=compliant/total*100 | table src_ip compliant total percCompliant

tmaltizo · ‎10-26-2016

Thanks @sundareshr!

The output I get is the following:
src_ip compliant total percCompliant
1.2.3.4 1 2930 0.034130
1.2.3.5 0 2930 0
.....

How can we get the total all of the compliant "1"s" and then divide that by the total to get one percentage number?

We want to run this at the first of every month and then chart it month over month to see if we're getting better or worse at AV compliance.

sundareshr · ‎10-26-2016

So you don't want by src_ip? Try this

 index=forescout sourcetype="fs_av_compliance" description="Server*" | dedup src_ip | eval src="Of All Devices" | chart count over src by status | addtotals | eval percCompliant=compliant/Total*100 | table src compliant Total percCompliant

tmaltizo · ‎10-26-2016

Yes! That works. Thank you @sundareshr!

So, how do we add this to capture the percCompliant from the 1st of each month and chart it for month over month comparison?

sundareshr · ‎10-26-2016

Like this

Now, depending on the volume of data in your index, this could be a very slow query. To optimize it, you will have to use accelerated datamodel or summary indexes. Here's more on that

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Usesummaryindexing

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Aboutdatamodels

tmaltizo · ‎10-26-2016

I'll try that. Ok Thanks!

tmaltizo · ‎10-27-2016

Right now the volume is not too bad. We only have data going back to this June. But, we'll plan to optimize the query. Thanks for the info links!

Now, regarding the current search query, for the given earliest=3mon@mon, would the output be based on the date the query is run? I ran it today, 10/27/2016, so for the previous 3mon, it will do to compliance calculation for 9/27, 8/27, etc....?

sundareshr · ‎10-27-2016

It will be start of the month, so if you run your query today, it will be 9/1, 10/1 etc "-3mon@mon"

tmaltizo · ‎11-01-2016

Thanks for all of your help @sundareshr!

Forescout: How to generate a report for month over month AV compliance?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!