Hello again and thanks for previous thoughts,
so this is the search:
index=xxxx sourcetype="xxxxx" name="xxxxx*" earliest= -2mon@mon+3w
|dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null())| stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4
|eval RiskValueC=round((VH1+0.75*VH2+0.5*VH3+0.1*VH4)/(VH1+VH2+VH3+VH4)(VH/TH),5)
|stats first(RiskValueC) as "Risk Value 2 months ago" by ETime
|join [search index=xxxx sourcetype="xxxxx" name="xxxxx" earliest=-1mon@mon+3w
|dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null())| stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4
|eval RiskValueL=round((VH1+0.75*VH2+0.5*VH3+0.1*VH4)/(VH1+VH2+VH3+VH4)(VH/TH),5)
|stats first(RiskValueL) as "Last Month Risk Value" by ETime]
|join [search index=xxxx sourcetype="xxxxx" name="xxxxx" earliest=-7d
|dedup host-ip, plugin_name, plugin_family, severity, "ports{}.port", "ports{}.transport" | eval vulhost=if (severity="critical" or severity="high" or severity="medium" or severity="low",'host-ip',null())| stats dc(host-ip) as TH, dc(vulhost) as VH, first(date_month) as ETime, count(eval(severity="critical")) as VH1, count(eval(severity="high")) as VH2, count(eval(severity="medium")) as VH3, count(eval(severity="low")) as VH4, count | fillnull critical, high,medium,low,VH1,VH2,VH3,VH4
Basically I tried doing a 2 months search and then joined the same search 2 more times to have a total of 6 months, but even though I have the Etime field time chart would not order it properly in the line chart.
... View more