Activity Feed
- Karma Re: How to edit my search to use a custom field created with eval in my time chart search? for sundareshr. 06-05-2020 12:48 AM
- Posted Re: Best approach for using a sub-search to compare time frames on Splunk Search. 08-29-2016 06:01 AM
- Posted Re: How to include a distinct count in an eval statement? on Splunk Search. 08-26-2016 12:53 PM
- Posted Re: How to include a distinct count in an eval statement? on Splunk Search. 08-26-2016 10:09 AM
- Posted How to include a distinct count in an eval statement? on Splunk Search. 08-26-2016 09:56 AM
- Tagged How to include a distinct count in an eval statement? on Splunk Search. 08-26-2016 09:56 AM
- Posted Re: How to edit my search to use a custom field created with eval in my time chart search? on Splunk Search. 08-25-2016 02:24 PM
- Posted Re: How to edit my search to use a custom field created with eval in my time chart search? on Splunk Search. 08-25-2016 09:32 AM
- Posted Re: How to edit my search to use a custom field created with eval in my time chart search? on Splunk Search. 08-25-2016 08:51 AM
- Posted How to edit my search to use a custom field created with eval in my time chart search? on Splunk Search. 08-24-2016 02:41 PM
- Tagged How to edit my search to use a custom field created with eval in my time chart search? on Splunk Search. 08-24-2016 02:41 PM
- Posted Re: Splunk App for Windows Infrastructure: Why is there no data under Group Policy (GPO) Changes? on All Apps and Add-ons. 06-21-2016 11:09 AM
Topics I've Started
08-29-2016 06:01 AM
The AssetTag.csv is how I map systems to Business Units. Nothing is kept track of inside that csv about scanned vulnerabilities. Basically I just want to take a search from today and check to see if they still existed 90 days ago to track how effective our patching currently is.
08-26-2016 12:53 PM
I have the same issue with this query but tried to repeat the previous process. I read and read the stats command page but it's still confusing when doing the max on dest_dns. Could you provide a little logic behind how you come up with these replies?
index=network sourcetype=nessus severity!=informational signature=*Windows* OR signature=*Adobe* OR signature=*Java* OR signature_family="Windows : Microsoft Bulletins" OR signature_family="Red Hat Local Security Checks" OR signature="Google Chrome*" OR signature="Firefox*" OR signature="MS*" OR signature="Flash Player*" OR signature="Solaris*"
| dedup dest_dns signature_id
| bin span=1mon _time
| eval PatchScore=cvss_base_score/5500
| eval Time=_time
| convert timeformat="%m-%Y" ctime(Time)
| stats sum(PatchScore) AS "Avg Host Patch Score" by Time
08-26-2016 10:09 AM
Worked like a charm. Thanks again sundareshr!
08-26-2016 09:56 AM
I am currently trying to make a search a little more dynamic based off scanned devices rather than a static number.
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| bin span=1mon _time
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust,3)/100)
| eval riskscore=count*scoreadjust/5500
| eval my_time=_time
| convert timeformat="%m-%Y" ctime(my_time)
| stats sum(riskscore) as VulnScore by my_time
I want to replace the 5500 with using the dc(dest_dns) for scanned devices rather than a number we think we scan.
Any suggestions on how I can mold my search or include this would be very helpful.
08-25-2016 02:24 PM
I was able to rearrange my equation like such with your guidance.
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| bin span=1mon _time
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust,3)/100)
| eval riskscore=count*scoreadjust/5500
| eval my_time=_time
| convert timeformat="%m-%Y" ctime(my_time)
| stats sum(riskscore) as VulnScore by my_time
Instead of using the static number of 5500, is there a way I could dynamically count my host scan then use that in an eval statement so
stats dc(dest_dns) and then use that instead of the 5500?
08-25-2016 09:32 AM
This worked also. Final question, say I have for instance an eval
eval PatchScorePerHost=PatchScore/5550
and I don't need to sum but need to plot that in timetables also. Is there any function of the stat command to just plot the output of the final eval? Basically I am working on creating a risk score that we can track in Splunk.
08-25-2016 08:51 AM
This worked perfectly for a line graph. Do you have any suggestions on how I could use this same search to use the single value to give just a comparison from previous months?
08-24-2016 02:41 PM
I have a search that comes up with a score based off a custom formula from nessus scan results. I want to plot that vulnscore over the past 90 days, i.e. the score from 0-30/30-60/60-90. Can anyone provide a little guidance on how I can make use of timechart with a custom eval field rather than simply running a search and using those results in the timechart? Listed below is my base search.
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| stats count by signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust * 0.1, 3)*10,2)
| eval riskscore=count*scoreadjust/5500
| stats sum(riskscore) as VulnScore
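The two questions in this thread (plotting the custom eval score with timechart, and replacing the hard-coded 5500 with a per-scan distinct host count) can be answered by one search. The SPL below is an added example written for this page; it is not sundareshr's reply or any code from the original posts. It assumes the same Nessus fields used above (dest_dns, signature_id, cvss_base_score) and the same signature filters; the field name scanned_hosts and the 30-day bucketing are choices made here to match the 0-30/30-60/60-90 day buckets asked for.

```spl
index=network sourcetype=nessus earliest=-90d severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| bin span=30d _time
| dedup _time dest_dns signature_id
| eventstats dc(dest_dns) AS scanned_hosts BY _time
| stats count BY _time signature_id cvss_base_score scanned_hosts
| eval scoreadjust=round(pow(floor(cvss_base_score),3)/100)
| eval riskscore=count*scoreadjust/scanned_hosts
| timechart span=30d sum(riskscore) AS VulnScore max(scanned_hosts) AS scanned_hosts
```

Two design points. First, binning _time before the dedup means each 30-day bucket keeps its own copy of a host/plugin pair, so a finding that persists across buckets is counted in every bucket it appears in, which is what a patch-effectiveness trend needs; the original order (dedup, then bin) keeps only the most recent occurrence across the whole range. Second, eventstats attaches the bucket's distinct host count to every event before the stats, and because scanned_hosts is constant within a bucket, adding it to the BY clause does not split the groups; the divisor is then the number of hosts actually scanned in that bucket rather than an assumed 5500. Charting scanned_hosts alongside VulnScore matters for interpretation: a fall in the score that coincides with a fall in scanned_hosts reflects lost scanner coverage, not improved patching. Use span=1mon in both the bin and the timechart if calendar months are preferred over rolling 30-day windows.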
06-21-2016 11:09 AM
Have you had any update from them? I've had issues with this and some of the user reports. For it being a Splunk supported app, it's kind of clunky.