Solved: Forescout: How to line graph month over month AV c...

tmaltizo · ‎10-11-2016

We have obtained counts for each status description using the following search.....

index="forescout" sourcetype="fs_av_compliance" description="Server*" | dedup src_nt_host | search status="non-compliant" | stats count by description | fields description, count

We'd like to create a line/area graph per status description with the count of hosts over time to determine if we're improving on av compliance over time.

Status descriptions:
Server AV Irresolvable
Server Antivirus Software is NOT installed
Server Corp AV is not installed
Server Symantec AV Running, But Defs older than 3 weeks
Server Symantec AV installed but Not Running
Server Symantec and McAfee AV Installed

Thanks in advance for your help!
Trista

sundareshr · ‎10-11-2016

Try this (feel free to adjust the span=1h)

index="forescout" sourcetype="fs_av_compliance" description="Server*" | dedup src_nt_host | search status="non-compliant" | timechart span=1h count by description

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/timechart

View solution in original post

sundareshr · ‎10-11-2016

Try this (feel free to adjust the span=1h)

index="forescout" sourcetype="fs_av_compliance" description="Server*" | dedup src_nt_host | search status="non-compliant" | timechart span=1h count by description

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/timechart

Forescout: How to line graph month over month AV compliance counts by status description

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases