For the purpose of this question, a given event contains the following fields:
vulnerability name, data center, ip address
Events are generated on a vulnerability name basis, so that each event will have a unique vulnerability name but may have duplicate values as other events for ip address and data center. Each data center has a different number of ip addresses associated with it.
Goal:
Identify the count for 5 unique field values (vulnerability name) per data center. Calculate the percent of unique ip address field values per data center that also have one of the 5 specified vulnerability name field values.
Current search:
some search (vulnerability name=”vuln 1“ OR vulnerability name=”vuln 2“ OR vulnerability name=”vuln 3“ OR vulnerability name=”vuln 4“ OR vulnerability name=”vuln 5“)
|stats count by Data Center,Vulnerability name
Current output:
Data Center Vulnerability Name Count
Data Center A Vuln 1 75
Data Center A Vuln 3 20
Data Center A Vuln 4 6
Data Center A Vuln 5 15
Data Center B Vuln 2 75
Data Center B Vuln 5 18
Data Center C Vuln 3 24
The problem with my search at this point is that it eliminates any events that do not contain one of the 5 unique vulnerabilities. Therefore, I cannot reference the total number of IP addresses that may belong to a data center in order to calculate a percentage.
Desired Output:
Data Center Vulnerability Name Count Vulnerable IP Addresses
Data Center A Vuln 1 75 37%
Data Center A Vuln 3 20 10%
Data Center A Vuln 4 6 3%
Data Center A Vuln 5 15 7%
Data Center B Vuln 2 75 12%
Data Center B Vuln 5 18 3%
Data Center C Vuln 3 24 48%
Note: For this sample desired output, Data Center A has 200 IP addresses, B has 600, and C has 100.
... View more