Qualys 30 Day trending of Re-Opened Vulnerabilities
Description
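The following Splunk search (query) is for Qualys data and shows a 30-day trend of re-opened vulnerabilities, counted per day and split by severity. As written, the join restricts the results to Windows hosts (OS="Windows*", excluding Windows Server) with an IP inside 10.128.0.0/9; change or drop that subsearch to match your own scope. This query assumes that your index is defined as qualys.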
index=qualys HOSTVULN earliest=-30d@d STATUS="RE-OPENED"
| dedup HOST_ID, QID sortby +_time
| join HOST_ID
    [ search index=qualys HOSTSUMMARY OS="Windows*" NOT "Windows Server*"
      | where cidrmatch("10.128.0.0/9", IP) ]
| timechart span=1d count(QID) by SEVERITY
*DISCLOSURE* - I did not create this query. That credit goes to Jeff Leggett.