Hello,
I am working with vulnerability scan results which follow this template:
timestamp hostname vulnerability_name
I am doing all sorts of reports for the current month's results. This works fine, but I currently only have one set of results per month (one scan).
I would like to increase the number of scans per month, and I will end up with the following timeline:
-B--[xxxxxxx]-------[xx]---E---
where:
This means that during the month some remediation will happen, so the number of events in the last bunch can be smaller. This last bunch represents the "current status" which I am most interested in (I will be interested in the history of scans someday later :))
I therefore need to discover the latest event in my scanning history and limit my manipulations to events within a 24h range before that event (including the event).
What would be the most natural way to do this?
Thank you!
Like this:
... | stats latest(_time) AS newest BY date_month | eval earliest=newest - 24*60*60, latest=newest + 1 | map search="search earliest=$earliest$ latest=$latest$ other search stuff here"
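As an added example (not from either post in this thread), the same "find the newest event, then keep only the 24h before it" selection done outside Splunk in Python, over constructed lines in the question's "timestamp hostname vulnerability_name" template. The ISO 8601 timestamp format and the inclusive 24h window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample results in the page's "timestamp hostname vulnerability_name"
# template. The first cluster is an early scan; after remediation, a later
# scan cluster finds fewer issues. Timestamps are assumed to be ISO 8601 (UTC).
SAMPLE_RESULTS = """\
2024-03-03T09:00:00 web01 outdated_openssh
2024-03-03T09:00:05 web02 outdated_openssh
2024-03-03T09:00:10 db01 weak_tls_cipher
2024-03-20T02:15:00 web02 outdated_openssh
2024-03-20T22:30:00 web01 outdated_openssh
2024-03-21T02:15:00 db01 weak_tls_cipher
"""


def parse_results(text):
    """Parse template lines into (timestamp, hostname, vulnerability_name) tuples.

    Blank lines are skipped; a line with fewer than three fields raises ValueError,
    so malformed scanner output is noticed instead of silently dropped.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, vuln = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), host, vuln))
    return events


def current_status(events, window=timedelta(hours=24)):
    """Return the events in the window that ends at the newest event.

    The window is [newest - window, newest], inclusive at both ends, so the
    newest event itself and an event exactly 24h before it are both kept.
    Earlier scan clusters (already-remediated findings) fall outside it.
    """
    if not events:
        return []
    newest = max(ts for ts, _, _ in events)
    earliest = newest - window
    return [e for e in events if earliest <= e[0] <= newest]


def open_findings(events):
    """Distinct (hostname, vulnerability_name) pairs still present in the latest window."""
    return sorted({(host, vuln) for _, host, vuln in current_status(events)})
```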