Splunk Search

How to edit my search to get a count of FieldA per FieldB and per FieldC where the number of FieldB is greater than 3?

antifreke
Path Finder

Good afternoon and happy monday!

I'm working on trying to figure out a way to do the following :
Count of vulnerabilities per eventKey, per Application where the number of eventKeys is greater than 3.

Basically, if a certain app has assessments performed more than 3 times and one of the vuln results is not 0, then we want to flag them as a security risk.

What I have so far, which isn't working:

search appname="*" eventtype="Complete" | dedup CompltdDate | stats dc(eventKey) by appname |  eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS Total_Vuln by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort = -unique_vuln
Tags (3)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3

Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this a try

search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3

Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.

antifreke
Path Finder

Here's what I have for the table, and what the data looks like

APS_UAID | accessor | CompltdDate | ScanResult | Vulnerabilities | appname | eventKey | dataType

001 | name 1 | 2015-03-04 17:51:00 | Failed | 16 | application A | 20150304Rescan | Pii,Pci,Whatever
001 | name 1 | 2015-08-19 9:18:00 | Failed | 28 | application A | 20150819Rescan| Pii,Pci,Whatever
001 | name 1 | 2014-11-22 14:30:00 | Failed | 71 | application A | 20141122Baseline| Pii,Pci,Whatever

I would like to organize this like-

appname | APS_UAID | Vulnerabilities per Assessment ID
name 1 | APS_3001 | 16 - 20150304Rescan

__________________________ | 28 - 20150819Rescan
__________________________ | 71 - 20141122Baseline

| stats count by appname APS_UAID Vulnerabilities eventKey | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS "Total Vulnerabilties per Assessment ID" by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort by eventKey, appname

That query will do that part of it, but it will show all of them. I need to only show more than 3 assessments where none of them = 0.

If there are more than 3 scans completed per App and they are still vulnerabilities. This is how we plan to keep application owners accountable for patching and securing their internet facing applications.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...