I have several searches I use to trend historic data, however they take a long time to complete. The data is historic so it doesn't change, but will have the current data added to it. I wanted to see if anyone had tried or had thoughts about saving the data to a lookup with outputlookup, and then using that for future searches? ... View more

Im trying to show a trend in event data by platform. I want to create a line chart showing the last 6 months with one data point for each month. That data point should be the sum of an event field for the previous 6 months. Assets in the platform group can be repeated in that 6 month period, so I only want the most recent value for that period. My data looks like Platform Asset Event_count date Windows AssetA 25 1/1/2017 Windows AssetA 32 1/9/2017 Windows AssetA 13 8/1/2017 Linux AssetA 56 Linux AssetB 24 This is what I have come up with, but it is only showing one data point, and I would like the x-axis values to just be the month name. index=foo | fields asset platform event_count | bucket _time span=6mon | dedup asset date | timechart span=1mon sum(event_count) by platform Im sure this isn't close to correct, so any help is greatly appreciated. ... View more

Im trying to show a trend using a linechart. It should show the previous 6 months and have a data point once for each month. The data point should be sum of events for the previous 6 months, and the labels across the x-axis should just be the month name. For example if today is Dec 15, the x-axis would have the labels July, Aug, Sept, Oct, Nov, Dec. The July data point would be the sum of the value of field1 for all events that occurred in Feb-July. The Dec data point would be the sum of the value of field1 for July - the current date in Dec. Finally, if for some reason there are no events in that time period the line should not go to 0, but the last two data points should connect. How would I create a search like this? ... View more

I have combined data from two searches and want to compare them to identify what is new in the second search, what is removed from the first, and what is persistent across both searches. My data looks like: asset event search 1 a 1st 1 a 2nd 1 b 1st 1 c 2nd I want the results to look like asset event status 1 a persistent 1 b removed 1 c new How would I go about doing this? Im thinking a combination of eval with nested if statements, but really not sure if this is the best approach or how to execute. ... View more

I'm running the following search, but when I add the dedup line my d_name field goes blank. I have two sourcetypes both containing the field d_id. Sourcetype1 has the fields d_id, d_name. Sourcetype2 has the fields d_id, s_id, status. If the dedup line is removed all the fields are populated, but I need to count each s_id once per d_id. index=d_index | dedup d_id s_id | eval S1=mvfilter(match(status, "Open")) | eval S2=mvfilter(match(status, "Closed")) | eval S3=mvfilter(match(status, "Ready")) | stats values(d_name), count(S1) AS Open, count(S2) AS Closed, count(S3) AS Ready by d_id ... View more

I have a field for a CVSS vector, and I want to parse it so I can compare each section to a lookup and put it in layman's terms in its own field. For example CVSS vector AV:N/AC:L/Au:N/C:N/I:N/A:P My lookup has two fields Vector Definition AV:N Remotely Exploitable AC:L Easily Exploitable Then I want a field named Access_Vector Remotely Exploitable and so on. I think Im good on the lookup and creating the table, but how do I parse the cvss vector so I can compare them to the lookup? ... View more