Splunk Search

How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3?

Path Finder

Good afternoon and happy monday!

I'm working on trying to figure out a way to do the following :
Count of vulnerabilities per eventKey, per Application where the number of eventKeys is greater than 3.

Basically, if a certain app has assessments performed more than 3 times and one of the vuln results is not 0, then we want to flag them as a security risk.

What I have so far, which isn't working:

search appname="*" eventtype="Complete" | dedup CompltdDate | stats dc(eventKey) by appname |  eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS Total_Vuln by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort = -unique_vuln
Tags (3)
0 Karma
1 Solution

Revered Legend

Give this a try

search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3

Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.

View solution in original post

Revered Legend

Give this a try

search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3

Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.

View solution in original post

Path Finder

Here's what I have for the table, and what the data looks like

APS_UAID | accessor | CompltdDate | ScanResult | Vulnerabilities | appname | eventKey | dataType

001 | name 1 | 2015-03-04 17:51:00 | Failed | 16 | application A | 20150304Rescan | Pii,Pci,Whatever
001 | name 1 | 2015-08-19 9:18:00 | Failed | 28 | application A | 20150819Rescan| Pii,Pci,Whatever
001 | name 1 | 2014-11-22 14:30:00 | Failed | 71 | application A | 20141122Baseline| Pii,Pci,Whatever

I would like to organize this like-

appname | APS_UAID | Vulnerabilities per Assessment ID
name 1 | APS_3001 | 16 - 20150304Rescan

__________________________ | 28 - 20150819Rescan
__________________________ | 71 - 20141122Baseline

| stats count by appname APS_UAID Vulnerabilities eventKey | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS "Total Vulnerabilties per Assessment ID" by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort by eventKey, appname

That query will do that part of it, but it will show all of them. I need to only show more than 3 assessments where none of them = 0.

If there are more than 3 scans completed per App and they are still vulnerabilities. This is how we plan to keep application owners accountable for patching and securing their internet facing applications.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!