How to search weekly trending for the past 30 days...

marceldera · ‎11-18-2022

I have this query

index = tenable sourcetype="tenable:io:vuln" state!=fixed eventtype="*"
| dedup dns_name plugin.id
| eval discovery = strptime(last_found, "%Y-%m-%dT%H:%M:%S.%3N%Z") - strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval Age = round(discovery / 86400, 2)
| eval first_found=strftime(strptime(first_found,"%Y-%m-%dT%H:%M:%S.%3N"),"%d-%B-%y")
| eval last_found=strftime(strptime(last_found,"%Y-%m-%dT%H:%M:%S.%3N"),"%d-%B-%y")
| table plugin.id dns_name first_found last_found Age check_type category severity

I am trying to create a trending chart that shows the number of plugin.id by week for the past 30 days.

yuanliu · ‎11-18-2022

You didn't ask a question, or explain what difficulty you have. Make sure you present these elements so others can help you.

If I must speculate, you have tried timechart and it didn't work for some reason? What is your test code and what is your output?

If I must speculate, first_found, last_found, etc., are unrelated to number of plugin.id. In other words, most search terms you listed are not necessary for the task at hand? This simple search should suffice if your requirement is simply a trending chart that shows the number of plugin.id by week for the past 30 days.

index = tenable sourcetype="tenable:io:vuln" state!=fixed eventtype="*"
| dedup dns_name plugin.id
| timechart dc(plugin.id)

marceldera · ‎11-18-2022

I figure it out

How to search weekly trending for the past 30 days?

chart

stats

tstats

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk