Running a query using wildcards for a value returns different counts than if I choose one of the wildcard fields.

klawman
Explorer

I have a script that runs against Qualys vulnerability information and does a count of vulnerabilities by OS (a field generated by Qualys).

index=qualys HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows*" | where cidrmatch("10.128.0.0/9", IP)] | stats dc(QID) as "#_Vulns", count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals "#_Vulns" Total_Vulns

When I use the wildcard OS="Windows*" I get a breakdown like the following:

OS                                    #_Vulns   Total_Vulns
Windows 7 Enterprise Service Pack 1       283         38624
Windows XP Service Pack 3                 109          9973
Windows 8 Enterprise                      153          1643
Windows XP                                  2            86
Windows NT4                                 1            70

If I choose one of the OS choices specifically (for example, the "Windows 7 Enterprise Service Pack 1") with the same query I get different results.

index=qualys HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows 7 Enterprise Service Pack 1" | where cidrmatch("10.128.0.0/9", IP)] | stats dc(QID) as "#_Vulns", count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals "#_Vulns" Total_Vulns

OS                                    #_Vulns   Total_Vulns
Windows 7 Enterprise Service Pack 1       287         62569

I am guessing Splunk hits some limiter on returns when using the wildcard but I can't figure out where in the process it stalls/quits. Is it in the timeframe? Is there a truncation the moment it finds an Event in the wildcard that matches the "earliest" criteria that is then skipped if I perform a more granular search? It's the same search and the same data-set so whatever is leading to the difference in answers has got to be in the Splunk processing. I'm just trying to nail down 'where'.


MuS
SplunkTrust

Hi klawman,

If you're hitting any limit, then it is not related to the search using earliest, but to your two subsearches and the join.

Read more about the limits in the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Aboutsubsearches

btw, move search STATUS!="FIXED" to the base search like this:

index=qualys HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" STATUS!="FIXED" earliest=-1d@d

which will perform much better.

cheers, MuS
