Splunk Search

Running a query using wildcards for a value returns different counts than if I choose one of the wildcard fields.

klawman
Explorer

I have a script that runs against Qualys vulnerability information and does a count of vulnerabilities by OS (a field generated by Qualys).

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows*" | where cidrmatch("10.128.0.0/9", IP) ] | stats dc(QID) as #_Vulns, count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns

When I use the wildcard OS="Windows*" I get a breakdown like the following:

OS                                    #_Vulns  Total_Vulns
Windows 7 Enterprise Service Pack 1       283        38624
Windows XP Service Pack 3                 109         9973
Windows 8 Enterprise                      153         1643
Windows XP                                  2           86
Windows NT4                                 1           70

If I choose one of the OS choices specifically (for example, the "Windows 7 Enterprise Service Pack 1") with the same query I get different results.

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows 7 Enterprise Service Pack 1" | where cidrmatch("10.128.0.0/9", IP) ] | stats dc(QID) as #_Vulns, count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns

OS                                    #_Vulns  Total_Vulns
Windows 7 Enterprise Service Pack 1       287        62569

I am guessing Splunk hits some limiter on returns when using the wildcard but I can't figure out where in the process it stalls/quits. Is it in the timeframe? Is there a truncation the moment it finds an Event in the wildcard that matches the "earliest" criteria that is then skipped if I perform a more granular search? It's the same search and the same data-set so whatever is leading to the difference in answers has got to be in the Splunk processing. I'm just trying to nail down 'where'.


MuS
SplunkTrust

Hi klawman,

If you're hitting any limit, then it is not related to the search using earliest, but to your two subsearches and the join.

Read more about the limits in the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Aboutsubsearches

btw, move search STATUS!="FIXED" to the base search like this:

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED"  STATUS!="FIXED" earliest=-1d@d

which will perform much better.

cheers, MuS

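The mechanism MuS is pointing at, and one way around it, as an added example that is not part of either post. A subsearch feeding `join` is capped by limits.conf (`[join]` stanza: `subsearch_maxout`, default 50,000 rows, and `subsearch_maxtime`, default 60 seconds). The `OS="Windows*"` subsearch returns a host list many times larger than the `OS="Windows 7 Enterprise Service Pack 1"` one, so it is the one that gets silently truncated, and every HOSTVULN event for a host that fell off the end of the list is dropped by the inner join. That is exactly the pattern in the numbers above: the narrow search counts more Windows 7 vulnerabilities (62569) than the wildcard search does (38624). The rewrite below avoids subsearches entirely by pulling all three record types in one base search and correlating them with `eventstats`, which has no row cap. It assumes the field names from the original query (HOST_ID, QID, SEVERITY, TYPE, STATUS, PATCHABLE, OS, IP), that the tokens HOSTVULN, QID_INFO and HOSTSUMMARY identify the record type the way they do in the poster's own searches (the trailing colon on HOSTSUMMARY in the original is left out here), and it renames `#_Vulns` to `Unique_Vulns` only to avoid a `#` in a field name.

```spl
index=qualys earliest=-1d@d
    ( (HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" STATUS!="FIXED")
      OR (QID_INFO PATCHABLE=1)
      OR (HOSTSUMMARY OS="Windows*") )
| eval rec=case(searchmatch("HOSTVULN"), "vuln", searchmatch("QID_INFO"), "qid", searchmatch("HOSTSUMMARY"), "host")
| eventstats max(PATCHABLE) as is_patchable by QID
| eventstats latest(OS) as host_os, latest(IP) as host_ip by HOST_ID
| where rec="vuln" AND is_patchable=1 AND isnotnull(host_os) AND cidrmatch("10.128.0.0/9", host_ip)
| dedup HOST_ID, QID
| stats dc(QID) as Unique_Vulns, count as Total_Vulns by host_os
| rename host_os as OS
| sort -Total_Vulns
| addcoltotals Unique_Vulns, Total_Vulns
```

Two things worth checking before trusting either version. First, confirm the truncation rather than guessing at it: run the HOSTSUMMARY subsearch on its own with `| stats dc(HOST_ID)` and compare the count against the 50,000-row cap, or open the job inspector and look in search.log for the subsearch "truncating to maxout" message. Second, `SEVERITY=3 OR 4 OR 5` in the original is not a severity filter: Splunk parses it as `SEVERITY=3 OR "4" OR "5"`, where `4` and `5` are free-text terms matched anywhere in the raw event, which is why the example spells out `SEVERITY=` for each value. The `eventstats` approach holds the whole result set in memory, so on a very large index it trades the subsearch limits for the memory limits in the same limits.conf; narrowing the base search as MuS suggests (STATUS!="FIXED" before the first pipe) helps both versions.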