Problem with ranges calculation in search

mbasharat
Builder

Hi,

I have a vulnerability dataset. Each vulnerability comes with a score from the scanning tool. The scanning tool has its own calculation and assigns a severity based on that.

We, on the customer side, calculate Severity based on the customer-defined score ranges below:

9.0-10.0 > CRITICAL
7.0-8.9 > HIGH
4.0-6.9 > MEDIUM
0.1-3.9 > LOW
0.0 > NONE

The issue is that when data comes from the source/scanning tool, it has its own severities, which are not always lined up with the above ranges. Our score ranges above are the main root guideline to use.

Example:
Oftentimes, the Severity from the data does not match the Score that is passed by the tool, as I mentioned above.

A Severity of MAJOR in the data comes with a Score of 3.0.
A Severity of MINOR in the data comes with a Score of 3.0.
A Severity of CRITICAL in the data comes with a Score of 0.0.
A Severity of CRITICAL in the data comes with a Score of 10.0 (this is correct and in line with our ranges above).

I need both of the options below:

Desired output 1 (based on score ranges):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 0.1-3.9        LOW

Desired output 2 (based on SEVERITY_Data e.g. value is MAJOR):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 7.0-8.9        HIGH


Likewise for the rest of the severities and score ranges. Thanks in advance!!!


tscroggins
Influencer

@mbasharat 

It's unclear how you need to aggregate scores or map severity labels, but here's an example using random data that may provide inspiration:

| makeresults count=100
| eval severity=mvindex(split("MINOR,MAJOR,CRITICAL", ","), random() % 3), score=round(10 * random() / 2147483647, 1)
| stats median(score) as score by severity
| rangemap field=score LOW=0.1-3.9 MEDIUM=4.0-6.9 HIGH=7.0-8.9 CRITICAL=9.0-10.0 default=NONE
| rename range as adjusted_severity

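The search below is an added example, not code from either poster, that produces both of the outputs asked for in the question from the four sample rows it lists. Output 1 bands the raw score against the customer ranges with ordered `>=` comparisons rather than `rangemap`, so a score such as 3.95, which falls between the 0.1-3.9 and 4.0-6.9 ranges and would drop to `rangemap`'s default, still lands in LOW. Output 2 bands on the tool's label instead: MAJOR -> HIGH is taken from the question's second table, while MINOR -> LOW and CRITICAL -> CRITICAL are assumptions for illustration and should be replaced with the real label mapping. The "Severity_Adjusted_Score" is the midpoint of the chosen range, which is what "Median of 0.1-3.9" means for a continuous interval. Any score below 0 or any label that is not mapped is flagged UNKNOWN with no adjusted score rather than silently coerced into a band, so bad inputs from the scanner surface in the results instead of being hidden by a default.

```spl
| makeresults count=4
| streamstats count AS n
| eval SEVERITY_Data=case(n=1,"MAJOR", n=2,"MINOR", n=3,"CRITICAL", n=4,"CRITICAL"),
       Score_Data=case(n=1,3.0, n=2,3.0, n=3,0.0, n=4,10.0)
| eval Severity_Adjusted_Code_1=case(Score_Data>=9.0,"CRITICAL", Score_Data>=7.0,"HIGH",
                                     Score_Data>=4.0,"MEDIUM",   Score_Data>=0.1,"LOW",
                                     Score_Data=0.0,"NONE",      true(),"UNKNOWN")
| eval Severity_Adjusted_Code_2=case(SEVERITY_Data="CRITICAL","CRITICAL", SEVERITY_Data="MAJOR","HIGH",
                                     SEVERITY_Data="MINOR","LOW",         true(),"UNKNOWN")
| foreach Severity_Adjusted_Code_*
    [ eval Severity_Adjusted_Score_<<MATCHSTR>>=case('<<FIELD>>'="CRITICAL", round((9.0+10.0)/2, 2),
                                                     '<<FIELD>>'="HIGH",     round((7.0+8.9)/2, 2),
                                                     '<<FIELD>>'="MEDIUM",   round((4.0+6.9)/2, 2),
                                                     '<<FIELD>>'="LOW",      round((0.1+3.9)/2, 2),
                                                     '<<FIELD>>'="NONE",     0.0) ]
| table SEVERITY_Data Score_Data
        Severity_Adjusted_Score_1 Severity_Adjusted_Code_1
        Severity_Adjusted_Score_2 Severity_Adjusted_Code_2
```

The first two `eval` lines only build the constructed sample rows from the question; in a real search they are replaced by the base search over the vulnerability index. The `foreach` runs the same midpoint `case` once per banding field so the range definitions live in one place; `<<MATCHSTR>>` carries the `1` or `2` suffix into the score field name. For the MAJOR/3.0 row this yields 2 and LOW under output 1 and 7.95 and HIGH under output 2; the CRITICAL/0.0 row yields 0 and NONE under output 1 and 9.5 and CRITICAL under output 2, which is exactly the disagreement between scanner label and score that the question describes.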