×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
cave_splunker
Explorer
Member since: ‎05-04-2021
‎05-20-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎05-04-2021
View All

Re: How is frozenTimePeriodInSecs applied?

by in Deployment Architecture
‎05-19-2023 01:52 PM
‎05-19-2023 01:52 PM
Thank you for the link update! ... View more

Re: Comparing a pair of unique fields with a commo...

by in Splunk Search
‎06-07-2021 04:33 PM
‎06-07-2021 04:33 PM
It took me a bit to understand what you were doing, which is very clever.  The scans are imported as earliest first, however the vulnerability data doesn't seem to have a specific ordering.  We weren't able to get the data to count properly.  We're currently focusing on this month vs the last, but are considering expanding out a longer trend such as the last 6 months. Knowing that we also want to calculate the amount of vulnerabilities that remained between scans, and the number that are no longer in the latest scan, is there a way to filter on that? Such as: if in Scan X but not Scan Y, label "new".  If in scan X and scan Y, label "persistent".  Else (in Scan Y but not Scan X) label remediated, and do a count on those labels? ... View more

Re: Comparing a pair of unique fields with a commo...

by in Splunk Search
‎05-26-2021 08:27 PM
‎05-26-2021 08:27 PM
Thanks we did that and are playing around to see if we can get the solution to calculate / print properly.  What do you mean by converting values into filter? ... View more

Re: Comparing a pair of unique fields with a commo...

by in Splunk Search
‎05-26-2021 04:49 PM
‎05-26-2021 04:49 PM
This is a very interesting approach.  Unfortunately, list() seems to be capped to 100 results, and we have a few thousand entries. ... View more

Comparing a pair of unique fields with a common de...

by in Splunk Search
‎05-26-2021 02:11 PM
1 Karma
‎05-26-2021 02:11 PM
1 Karma
I'm trying to create a dashboard that shows the count of new vulnerabilities between this month and last month, using scan_id as the differentiator.  The vuln data comes in as a csv with asset_id, scan_id, and vuln_id.  The db will have separate queries for unique and total values, based off vuln_id.  My current logic for total vulns is: this_month=count(List of vulns from scan 'x' not in list of vulns from scan 'y') last_month=count(List of vulns from scan 'y' not in list of vulns from scan 'z') index=vulns sourcetype=vuln_scan scan_id = XXXXXX NOT [ search index=vulns sourcetype=vuln_scan scan_id = YYYYYY ] | stats count(vuln_id) as events | eval period=“last_month" | append [ search index=vulns sourcetype=vuln_scan scan_id = YYYYYY NOT [ search index=vulns sourcetype=vuln_scan scan_id = ZZZZZZ ] | stats count(vuln_id) as events | eval period=“this_month”] | fields events, period I feel like there is a much more optimal way to do this, especially since i'm also going to report on persistent and remediated vulnerabilities.  I tried using case (or nested if) to create fields for "this_month", "last_month", and "previous_month", but can't  figure out how to subtract out Y from X without using multiple searches.  The subtraction has to happen before the count, since not all vulns are 'new'.  Any help would be greatly appreciated.  Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-20-2023 03:19 AM
Karma from
View All
Karma given to
View All