Splunk Search

How to compare field values for a Remediation VA Report: "Fixed", "Active Vulnerability" and "New Active"?

Rithekakan
Path Finder

I have the results of vulnerability scans for Quarter 1, Quarter 2 and Quarter 3, and the remediation scan result of each quarter ... all were added to Splunk by uploading them as CSV files.

After adding them I got these: host="SPL-SH-DC", sourcetype="****", source="*****.CSV", and the fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin

I want a report with these three statuses, "New Active Vulnerabilities", "Fixed" and "Active Vulnerabilities", based on joining on these 7 fields: IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit

I would appreciate your contribution.

Ritheka kan

0 Karma

Rithekakan
Path Finder

I have already tried this, but its result is not correct ...

host="SPL-SH-DC" sourcetype="****"
| stats values(*) as * by IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Pending", mvcount(source)==1,"New", true(), "Fixed")
| table IP_Address,device,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin,status,Pending_since,source

0 Karma
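One way to produce the three statuses, as an added example that is not part of the original thread and not the poster's search: counting how many uploads a finding appears in cannot distinguish "Fixed" from "New Active", because both appear in exactly one file. The search below instead flags, per finding keyed on the 7 join fields, whether it is present in the quarter's scan and whether it is present in the remediation rescan, then derives the status from that pair. The source values Q1_scan.csv and Q1_remediate.csv are assumptions (the thread masks the real file names); replace them with the values shown by `| stats count by source`.

```spl
host="SPL-SH-DC" sourcetype="****" (source="Q1_scan.csv" OR source="Q1_remediate.csv")
| eval in_scan=if(source="Q1_scan.csv",1,0), in_remediate=if(source="Q1_remediate.csv",1,0)
| stats max(in_scan) as in_scan, max(in_remediate) as in_remediate,
        values(CVSS_V2_Base_Score) as CVSS_V2_Base_Score, values(CVE) as CVE,
        values(Synopsis) as Synopsis, values(Solution) as Solution, values(See_Also) as See_Also
    by IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit
| eval status=case(in_scan=1 AND in_remediate=0, "Fixed",
                   in_scan=0 AND in_remediate=1, "New Active Vulnerabilities",
                   in_scan=1 AND in_remediate=1, "Active Vulnerabilities")
| table IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit, CVSS_V2_Base_Score, CVE, Synopsis, Solution, See_Also, status
| sort status, Severity, IP_Address
```

To check the result, append `| stats count by status` and confirm that Fixed plus Active equals the row count of the scan file and that New Active plus Active equals the row count of the rescan file. One caveat on the join key: Severity and Exploit are properties of the plugin, not of the host, and scanners do rescore plugins between releases. If a plugin's Severity or Exploit flag changes between the two uploads, the same finding no longer matches on all 7 fields and shows up once as Fixed and once as New Active; in that case move Severity and Exploit out of the `by` clause and report them with `values(Severity)` and `values(Exploit)` instead. For quarter-over-quarter comparison, point the two source values at the Q1 and Q2 scan files; the rest of the search is unchanged.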