I have the results of vulnerability scans for Quarter 1, Quarter 2 and Quarter 3 and the remediation scan result of each quarter ... all are added to Splunk by uploading them as CSV files.
After adding them I got these: host="SPL-SH-DC" sourcetype="****" source="*****.CSV" and the fields IP_Address, Plugin_Name, Severity, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, Plugin
I want a report with these three statuses, "New Active Vulnerabilities", "Fixed" and "Active Vulnerabilities", based on joining on these 7 fields: IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit
I would appreciate your contribution.
Ritheka kan
I have already tried this but its result is not correct ...
host="SPL-SH-DC" sourcetype="****"
| stats values(*) as * by IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Pending", mvcount(source)==1,"New", true(), "Fixed")
| table IP_Address,device,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin,status,Pending_since,source
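As an added, stand-alone example (not code from the post above and not Splunk's own logic), here is the same comparison written in Python over two constructed CSV exports: the earlier scan and the later (remediation) scan are each keyed on the seven join fields the question names, and every finding is then placed in exactly one of the three statuses, "New Active Vulnerabilities" (only in the later scan), "Active Vulnerabilities" (in both) or "Fixed" (only in the earlier scan). The host addresses, plugin ids, plugin names and synopses are made up for the example; one Port value carries a trailing space to show why the key is normalized before comparison.

```python
import csv
import io

# The seven fields the question joins on (the same fields as the SPL `by` clause).
KEY_FIELDS = ("IP_Address", "Plugin", "Plugin_Name", "Severity", "Protocol", "Port", "Exploit")

NEW = "New Active Vulnerabilities"
ACTIVE = "Active Vulnerabilities"
FIXED = "Fixed"

# Constructed sample exports (hypothetical hosts, plugin ids, names and text; not real scan data).
# Earlier scan, e.g. the Quarter 1 scan.
PREVIOUS_CSV = """IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis
10.0.0.5,10001,Example Plugin A,High,tcp,443,Yes,Outdated TLS stack
10.0.0.5,10002,Example Plugin B,Medium,tcp,22,No,Weak SSH ciphers
10.0.0.9,10003,Example Plugin C,Critical,udp,161,Yes,Default SNMP community
"""
# Later scan, e.g. the Quarter 1 remediation scan. Note the trailing space in "443 ":
# without normalization this row would be reported as Fixed plus New instead of Active.
CURRENT_CSV = """IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis
10.0.0.5,10001,Example Plugin A,High,tcp,443 ,Yes,Outdated TLS stack
10.0.0.5,10002,Example Plugin B,Medium,tcp,22,No,Weak SSH ciphers
10.0.0.7,10004,Example Plugin D,High,tcp,80,Yes,Unpatched web server
"""


def finding_key(row):
    """Build the join key from the seven fields, trimming whitespace and folding case
    so cosmetic differences between two exports do not create false New/Fixed pairs."""
    return tuple(row[field].strip().lower() for field in KEY_FIELDS)


def load_scan(csv_text):
    """Parse one CSV export into {key: row}. Duplicate keys within one scan collapse to one finding."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {finding_key(row): row for row in reader}


def classify(previous, current):
    """Compare two scans keyed on KEY_FIELDS and assign each finding one of the three statuses."""
    statuses = {}
    for key in previous.keys() | current.keys():
        if key in previous and key in current:
            statuses[key] = ACTIVE
        elif key in current:
            statuses[key] = NEW
        else:
            statuses[key] = FIXED
    return statuses


def build_report(previous_csv, current_csv):
    """Return report rows (finding details plus status), sorted by IP address and plugin id.
    Details come from the later scan when the finding is still present, else from the earlier one."""
    previous = load_scan(previous_csv)
    current = load_scan(current_csv)
    rows = []
    for key, status in classify(previous, current).items():
        detail = current.get(key) or previous[key]
        rows.append({**detail, "status": status})
    rows.sort(key=lambda r: (r["IP_Address"], r["Plugin"]))
    return rows


def status_counts(rows):
    """Summarize a report as {status: count} for the three statuses."""
    counts = {NEW: 0, ACTIVE: 0, FIXED: 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    report = build_report(PREVIOUS_CSV, CURRENT_CSV)
    for row in report:
        print(f"{row['status']:28} {row['IP_Address']:10} {row['Plugin']:6} {row['Plugin_Name']}")
    print(status_counts(report))
```

Two points carry over to the Splunk version of the same report. First, because Severity is part of the join key, a finding whose severity is reclassified between two scans (for example after a CVSS update) appears as one "Fixed" row and one "New Active" row rather than as "Active"; drop Severity from the key if that is not the intended reading. Second, a join on seven string fields is only as good as the exports are consistent: trailing spaces, upper/lower case differences or a port exported as "443.0" in one file all break the match, so normalizing the key fields (here with strip() and lower()) before comparing is worth doing in whichever tool builds the report.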