Forescout: How to line graph month over month AV compliance counts by status description

We have obtained counts for each status description using the following search:

index="forescout" sourcetype="fs_av_compliance" description="Server*" | dedup src_nt_host | search status="non-compliant" | stats count by description | fields description, count

We'd like to create a line/area graph per status description with the count of hosts over time to determine if we're improving on AV compliance over time.

Status descriptions:
Server AV Irresolvable
Server Antivirus Software is NOT installed
Server Corp AV is not installed
Server Symantec AV Running, But Defs older than 3 weeks
Server Symantec AV installed but Not Running
Server Symantec and McAfee AV Installed

Thanks in advance for your help!
Trista

0 Karma
Re: Forescout: How to line graph month over month AV compliance counts by status description

Try this (feel free to adjust the span=1h)

index="forescout" sourcetype="fs_av_compliance" description="Server*" | dedup src_nt_host | search status="non-compliant" | timechart span=1h count by description

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/timechart

0 Karma
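
Added example, not part of the original posts: a month-over-month variant of the search above. Because `dedup src_nt_host` runs across the whole search window, it keeps only each host's most recent event, so a host is counted in a single time bucket and drops out of earlier months; this version bins events by month first and then keeps the latest event per host per month. It assumes Forescout writes at least one `fs_av_compliance` event per host each month.

```spl
index="forescout" sourcetype="fs_av_compliance" description="Server*"
| bin _time span=1mon
| dedup src_nt_host _time
| search status="non-compliant"
| timechart span=1mon count by description
```

Run it over a multi-month time range and render it as a line or area chart; each point is the number of hosts whose latest event in that month was non-compliant under that description.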