Hi,
I'm new to Splunk but getting a lot of value from it. I've gotten a reasonable way using trial and error and a lot of referring to the forums and help, but I've now hit a challenge I can't solve, which is a bit fiddly to describe. Here goes...
I have a data set that's imported once a week, which contains vulnerability information about computers, pulled from a scanning system. I've been able to use "stats" to create a table of devices and the number of vulnerabilities per device. I had to use "dedup" so the same vulnerability didn't show up multiple times - although the data is added weekly I'm using 4 weeks worth of results in my search, to ensure I'm not missing out devices that may come and go.
However what I've now realised is that until a vulnerability falls outside my 4 week date range it'll stay in the report, even if its been resolved.
So as an example:
Device1 has 3 results (representing defects) in the data import for week 1.
By week 2, 1 of these defects (say "defect1") is fixed. The import for that week now shows 2 results for device1 (defects2 and 3).
At the moment my report continues to show 3 defects until I hit week 6, when the defect that was fixed falls out of the 4 week range.
Every result has a date detected associated with it. What I want to do is only include results where the detected date matches whatever the latest detected date is for any defect against each device. So in my case above, once I've imported data for week 2 and am looking at 4 weeks worth together, defect1 will be in that data set but its detected date will be older than that for defect2 and defect3, so it could be safely ignored.
I can generate a table of devices showing each device and the correct latest "last detected" date that I would want to filter on (it could be different for each device), as follows:
| stats max(LastDetected) by Device
However I can't see a way to then use that calculated data to filter against the whole data set, as I've already piped it to get that information. I looked at using "eval" but that seems to be use data within each record discretely, rather than calculating across records, as stats allows.
I've not done a very good job explaining it so apologies in advance. If you can make head or tail of what I'm asking and have any wisdom you can share it may save my sanity...
... View more