Splunk Search

How to edit my search to use a custom field created with eval in my time chart search?

trevorr2004
Engager

I have a search that comes up with a score based on a custom formula from Nessus scan results. I want to plot that VulnScore over the past 90 days, i.e. the score for 0-30/30-60/60-90 days. Can anyone provide a little guidance on how I can make use of timechart with a custom eval field rather than simply running a search and using those results in the timechart? Listed below is my base search.

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| stats count by signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore

sundareshr
Legend

Try this

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"  earliest=-90d@d 
| dedup dest_dns signature_id 
| eval range=case(_time>relative_time(now(), "-90d@d") AND _time<relative_time(now(), "-60d@d"), "60-90 days", _time>relative_time(now(), "-60d@d") AND _time<relative_time(now(), "-30d@d"), "30-60 days", _time>relative_time(now(), "-30d@d"), "0-30 days", 1=1, "UNK")
| stats count by range signature_id cvss_base_score 
| eval  scoreadjust=floor(cvss_base_score) 
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore by range


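The accepted answer buckets with case() and finishes with stats by range, which gives three rows rather than a time series. The reason a plain timechart did not work on the original search is that `stats count by signature_id cvss_base_score` discards `_time`, so nothing after it can be charted over time. The following is an added example (not part of the thread) that keeps `_time` by binning it first and carrying it through both stats passes, so the custom eval fields exist per bucket and timechart can plot them. It uses only the fields from the original search and the same score formula. Two things to know: bin's 30-day bucket edges are set by bin's own alignment, not counted back from now, so they will not line up exactly with the `-30d@d` edges of the case() version; and the accepted answer runs `dedup dest_dns signature_id` across the whole 90 days, which keeps only the most recent event per host/finding, so a finding that persists through all three months is counted only in the newest bucket and the older buckets mostly hold findings that have since disappeared. Adding the binned `_time` to the dedup keeps one copy per host/finding per bucket instead.

```spl
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*" earliest=-90d@d
| bin _time span=30d
| dedup _time dest_dns signature_id
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=round(pow(floor(cvss_base_score)/10, 3)*10, 2)
| eval riskscore=count*scoreadjust/5500
| timechart span=30d sum(riskscore) as VulnScore
```

`floor(cvss_base_score)/10` is the same quantity as the original `scoreadjust * 0.1`, just collapsed into one eval. Because the first stats already groups by `_time`, the trailing timechart re-buckets rows that are already on 30-day boundaries and simply sums the per-finding risk scores into one VulnScore per bucket.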

trevorr2004
Engager

This worked perfectly for a line graph. Do you have any suggestions on how I could use this same search with a single value to give just a comparison with previous months?


sundareshr
Legend

Try this for the previous-month comparison (I assume you are referring to the trend in a single value):

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*" earliest=-60d@d
| dedup dest_dns signature_id
| bin span=1mon _time
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore by _time

trevorr2004
Engager

This worked also. Final question: say I have, for instance, an eval

eval PatchScorePerHost=PatchScore/5550

and I don't need to sum it, but need to plot that in timecharts as well. Is there any function of the stats command to just plot the output of the final eval? Basically I am working on creating a risk score that we can track in Splunk.


sundareshr
Legend

Try using values(PatchScorePerHost) for a deduplicated list, or list(PatchScorePerHost) for all entries.


trevorr2004
Engager

I was able to rearrange my equation as follows with your guidance.

index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| bin span=1mon _time
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust,3)/100)
| eval riskscore=count*scoreadjust/5500
| eval my_time=_time
| convert timeformat="%m-%Y" ctime(my_time)
| stats sum(riskscore) as VulnScore by my_time

Instead of using the static number of 5500, is there a way I could dynamically count my scanned hosts and then use that in an eval statement, i.e. something like `stats dc(dest_dns)` and then use that instead of the 5500?

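The last question in the thread (replacing the constant 5500 with a per-month host count) has no answer above. As an added example, not from the thread, here is one way to do it with eventstats. The field name `scanned_hosts` is my choice. The important design point is what the denominator should count: `dc(dest_dns)` computed after the severity and signature filters only counts hosts that still have at least one qualifying finding, so a host with only informational or excluded findings would drop out of the denominator and inflate the score. To count every host that produced Nessus results in the month, the host count is taken before the filters, on the whole sourcetype for that bucket, and the filters are then applied with the `search` command. The filter terms are exactly those of the original search; the dedup includes the binned `_time` so each host/finding pair is counted once per month rather than once across the whole window.

```spl
index=network sourcetype=nessus earliest=-90d@d
| bin _time span=1mon
| eventstats dc(dest_dns) as scanned_hosts by _time
| search severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup _time dest_dns signature_id
| stats count max(scanned_hosts) as scanned_hosts by _time signature_id cvss_base_score
| eval scoreadjust=round(pow(floor(cvss_base_score), 3)/100)
| eval riskscore=count*scoreadjust/scanned_hosts
| stats sum(riskscore) as VulnScore max(scanned_hosts) as scanned_hosts by _time
| eval month=strftime(_time, "%Y-%m")
```

eventstats writes the same `scanned_hosts` value onto every event in a bucket, so `max(scanned_hosts)` in the stats passes is only there to carry the value through the aggregation unchanged. Pulling the whole sourcetype before filtering costs more at search time than filtering in the base search; if that matters, the host count can instead be computed once per month in a separate scheduled search and joined in. Keeping `_time` as the group-by field (and deriving `month` from it afterwards) also avoids the sort problem of grouping by a `%m-%Y` string, which orders months lexicographically rather than chronologically once the data spans a year boundary. Note that with `earliest=-90d@d` and monthly bins, the oldest bucket is only partially covered.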