hi, I am new to splunk and am trying to make a querry to give me all vulnerabilities of each computer in my domain. I have the following but it does not seem to work.
sourcetype=my_logs category=4 OR category=5 business=*My_business* |dedup host | stats count(signature) by host as Vuln |sort -count
thank you
You don't specify the results you are getting, but based on the search you're issuing it looks like the problem lies within the dedup host
directive. This will make Splunk include only one event per unique value for the host
field. Remove that part of your search and you should be good to go, i.e.:
sourcetype=my_logs category=4 OR category=5 business=*My_business* | stats count by host as Vuln | sort -count
You can also use top
instead of stats count
which has the advantage that it also gives you how many percent each host contributes to the total number of vulnerabilities.