I have a script that runs against Qualys vulnerability information and does a count of vulnerabilities by OS (a field generated by Qualys).
index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: **OS="Windows*"** | where cidrmatch("10.128.0.0/9", IP) ] | stats dc(QID) as #_Vulns , count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns
When I use the wildcard OS="Windows*" I get a breakdown like the following:
| OS | #_Vulns | Total_Vulns |
|---|---|---|
| Windows 7 Enterprise Service Pack 1 | 283 | 38624 |
| Windows XP Service Pack 3 | 109 | 9973 |
| Windows 8 Enterprise | 153 | 1643 |
| Windows XP | 2 | 86 |
| Windows NT4 | 1 | 70 |
If I choose one of the OS choices specifically (for example, the "Windows 7 Enterprise Service Pack 1") with the same query I get different results.
index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: **OS="Windows 7 Enterprise Service Pack 1"** | where cidrmatch("10.128.0.0/9", IP) ] | stats dc(QID) as #_Vulns , count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns

| OS | #_Vulns | Total_Vulns |
|---|---|---|
| Windows 7 Enterprise Service Pack 1 | 287 | 62569 |
I am guessing Splunk hits some limiter on returns when using the wildcard but I can't figure out where in the process it stalls/quits. Is it in the timeframe? Is there a truncation the moment it finds an Event in the wildcard that matches the "earliest" criteria that is then skipped if I perform a more granular search? It's the same search and the same data-set so whatever is leading to the difference in answers has got to be in the Splunk processing. I'm just trying to nail down 'where'.
Hi klawman,
If you're hitting any limit, then it is not related to the search using earliest, but to your two subsearches and the join.
Read more about the limits in the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Aboutsubsearches
btw, move search STATUS!="FIXED" to the base search like this:
index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" STATUS!="FIXED" earliest=-1d@d
which will perform much better.
cheers, MuS
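To make the subsearch/join explanation above concrete, here is a small Python model (an added example, not part of MuS's answer and not Splunk or Qualys code) of what happens when the HOSTSUMMARY subsearch is truncated to a result cap before the join on HOST_ID runs: the wildcard subsearch overflows the cap and loses hosts, so the per-OS counts come out lower than the same pipeline run for a single OS value. The host IDs, QIDs and the cap value are constructed for the demonstration.

```python
# Added example (not from the original post): models `| join HOST_ID [subsearch]`
# with the subsearch output capped, the way a limits.conf subsearch cap would do.
# All hosts, QIDs and the cap value below are constructed, not real Qualys data.
from fnmatch import fnmatchcase


def join_with_subsearch_cap(main_rows, sub_rows, key, maxout):
    """Inner join mimicking `| join <key> [subsearch]`: the subsearch output is
    truncated to `maxout` rows first (silently), and only the first subsearch row
    per key is used, like join's default max=1."""
    capped = sub_rows[:maxout]                # rows past the cap are dropped
    lookup = {}
    for row in capped:
        lookup.setdefault(row[key], row)      # first match wins (max=1)
    joined = []
    for row in main_rows:
        match = lookup.get(row[key])
        if match is not None:                 # inner join: unmatched rows vanish
            joined.append({**row, **match})
    return joined


def vulns_by_os(host_vulns, host_summary, os_pattern, maxout):
    """Tail of the question's pipeline: filter HOSTSUMMARY by an OS glob, join on
    HOST_ID, then compute dc(QID) and count(QID) by OS -> {OS: (dc, count)}."""
    subsearch = [h for h in host_summary if fnmatchcase(h["OS"], os_pattern)]
    joined = join_with_subsearch_cap(host_vulns, subsearch, "HOST_ID", maxout)
    per_os = {}
    for row in joined:
        per_os.setdefault(row["OS"], []).append(row["QID"])
    return {os_: (len(set(q)), len(q)) for os_, q in per_os.items()}


# Constructed data: hosts 0-1 run Windows XP SP3, hosts 2-5 run Windows 7 SP1.
# Each host carries two shared QIDs plus one QID unique to that host.
WIN7 = "Windows 7 Enterprise Service Pack 1"
HOST_SUMMARY = [{"HOST_ID": i, "OS": "Windows XP Service Pack 3" if i < 2 else WIN7}
                for i in range(6)]
HOST_VULNS = [{"HOST_ID": i, "QID": q}
              for i in range(6) for q in (90001, 90002, 90010 + i)]

if __name__ == "__main__":
    # Cap of 4: the wildcard subsearch (6 hosts) is truncated and loses two
    # Windows 7 hosts, while the single-OS subsearch (4 hosts) fits under the cap.
    print("Windows*  ", vulns_by_os(HOST_VULNS, HOST_SUMMARY, "Windows*", 4))
    print("Win7 only ", vulns_by_os(HOST_VULNS, HOST_SUMMARY, WIN7, 4))
    print("no cap    ", vulns_by_os(HOST_VULNS, HOST_SUMMARY, "Windows*", 10**6))
```

Raising the cap until the wildcard result matches the single-OS result is the quickest way to confirm that a subsearch limit, not the time range, is what changes the numbers.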