
How to compare the values of fields for a Remediate VA Report: "Fixed", "Active Vulnerability" and "New Active"?

Rithekakan
Path Finder

I have the vulnerability scan results of Quarter 1, Quarter 2 and Quarter 3 and the remediation scan result of each quarter ... all were added to Splunk by uploading CSV files.

After adding them I got these: host="SPL-SH-DC" sourcetype="****" source="*****.CSV" and the fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin

I want a report with these three statuses, "New Active Vulnerabilities", "Fixed" and "Active Vulnerabilities", based on joining on these 7 fields: IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit

I will appreciate your contribution.

Ritheka kan


Rithekakan
Path Finder

I have already tried this, but its result is not correct ...

host="SPL-SH-DC" sourcetype="****"
| stats values(*) as * by IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Pending", mvcount(source)==1,"New", true(), "Fixed")
| table IP_Address,device,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin,status,Pending_since,source

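One way to derive the three statuses from a quarter's pair of uploads, added here as an example and not the original poster's search. It assumes the initial and remediation scans are distinguishable by their source value; the names "Q1_scan.csv" and "Q1_remediate.csv" are constructed placeholders to replace with the real source names:

```spl
host="SPL-SH-DC" sourcetype="****" (source="Q1_scan.csv" OR source="Q1_remediate.csv")
| eval scan=if(source=="Q1_remediate.csv","remediate","initial")
| stats dc(scan) as scan_count values(scan) as scans
        values(Synopsis) as Synopsis values(Description) as Description values(Solution) as Solution
        values(See_Also) as See_Also values(CVSS_V2_Base_Score) as CVSS_V2_Base_Score values(CVE) as CVE
        by IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status=case(scan_count==2, "Active Vulnerability",
                   scans=="initial", "Fixed",
                   scans=="remediate", "New Active Vulnerability")
| table IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit,status,CVSS_V2_Base_Score,CVE,Synopsis,Solution
```

A finding seen in both scans is "Active Vulnerability", one seen only in the initial scan is "Fixed", and one seen only in the remediation scan is "New Active Vulnerability"; because Severity and Port are part of the join key, a finding whose Severity or Port changed between the two scans shows up as one "Fixed" row plus one "New Active Vulnerability" row rather than as "Active Vulnerability".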