Re: Any good Viz for process correlation - Splunk Community

Dashboards & Visualizations

Hi,

If I have process Events like

PID | ProcessName | CommandLine | SpawnedByPID
100 | process_1 | process_1_commandLine | 99
101 | process_2 | process_2_commandLine | 100
200 | process_3 | process_3_commandLine | 199
201 | process_4 | process_4_commandLine | 200

Is there any Viz that will map processes in some Folder/EDR like tree (where I can also click on node and get mora info).
For example, final results are based on PID but Viz looks like something like
| -> process_name_99
|----> process_1 (on hower or Click will get token process_1_commandLine)
|--------> process_2

| -> process_name_99
|----> process_3
|-------->process_4

Something like psTree just more advanced and connected by PID not names.

Sounds like you need this app from Splunkbase:

Treeview Viz | Splunkbase

It's good app but not good enough 😞
Missing few additional fields.

For example:
Parent_Process_Label (at least). <<< always Parent_Process_PID is "folder name".

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience, ...