Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multivalue field - missing a week

omcollia
Engager
‎01-22-2025 06:29 AM

 

I have a multivalue field called weeksum that contains the following values

2024:47 2024:48 2024:49 2024:50 2024:51 2024:52 2025:01 2025:02 2025:03

In this case, from the first to the last week, there are no missing weeks. I would like to create a field that identifies if there are any missing weeks in the sequence.

For example, if week 2024:51 is missing, the field should indicate that there is a gap in the sequence.

Please note that the weeksum multivalue field already consists of pre-converted values, so converting them back to epoch (using something like | eval week = strftime(_time, "%Y:%U")) does not work.

Labels (2)
Labels
0 Karma
Reply

omcollia
Engager
‎01-22-2025 07:38 AM

I will explain my issue from the beginning to make it clearer.

I have an index that contains vulnerabilities related to an IP, and on Splunk, I receive VA data every week. I would like to check based on my IP and vulnerabilities for different cases:

  1. Which vulnerabilities are new, i.e., those VA that appear only in the current week.
  2. Which vulnerabilities have reappeared in a week after being absent (I think I should check when a VA is missing for a week and then reappears, perhaps by looking at when the time between results is greater than 7 days).
  3. When a vulnerability has disappeared, i.e., when the last week in which we had that VA is not the same as the current one.**
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2025 08:27 AM

Hi @omcollia ,

ok, you need a completely different thing!

you should run a search to understand if a vulnerability is present in more weeks, so, if vulnerabilities are contained in a fied called vulnerability, you could run something like this:

<your_search>
| eval weeksum=strftime(_time,"%Y:%V")
| stats 
     dc(weeksum) AS weeksum_count
     values(weeksum) AS weeksum
     BY vulnerabilities
| eval present_weeksum=strftime(now(),"%Y:%V")
| eval status=case(
     weeksum_count=1 AND weeksum=present_weeksum,"Present in Last Week",
     weeksum_count=1 AND NOT weeksum=present_weeksum,"Present in Week: ".weeksum,
     weeksum_count>1,"Present in More Weeks")

you can customize this search using the field you have for vulnerabilities and the additional conditions for status following my approach.

Ciao.

Giuseppe

0 Karma
Reply

omcollia
Engager
‎01-22-2025 07:17 AM
 

Here’s the translation of your text into English:

"If I run this command:

| eval year=substr(weeksum,1,4)

the field remains empty, maybe because my field weeksum comes from an eventstats command: | eventstats values(week) as weeksum by IP,dest_ip,plugin_id

and maybe the multivalue field is in a format that's not readable?"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2025 07:20 AM

Hi @omcollia ,

I suppose that your inserted the weeksum extraction with eventstat before the eval.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2025 06:44 AM

Border case question (I like those) - how do you know how many weeks a year has? As silly as it sounds - depending on a particular year and how you're counting a year can have between 52 and 54 weeks.

0 Karma
Reply

omcollia
Engager
‎01-22-2025 07:39 AM

Perhaps I just need to check when more than 7 days have passed between one VA and the next.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2025 06:43 AM

Hi @omcollia ,

you could use the delta command to check if the difference between one value and the following is 1, something like this:

<your_search>
| eval year=substr(weeksum,1,4), week=substr(weeksum,5,2)
| sort year week
| delta weeksum AS prevweeksum
| delta week AS prevweek
| delta year AS prevyear
| eval diff=week-prevweek
| search year=prevyear diff>1
| table weeksum prevweeksum year prevyear week prevweek

in this way, if the search will have results there's some error.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...

Splunk SOAR Now Available on Google Cloud Platform

We’re excited to announce that Splunk SOAR is now natively available as a SaaS solution on Google Cloud ...