Re: Charting results from top, and doing drilldown...

jharris1111 · ‎08-08-2013

I have a few searches / dashboards which give me basically what I want, mostly things like "top 5 alerts" reports from a network activity log. They work great in the Search view, showing the alert types, number/count of hits, and percentage in a table.

But, when I graph that on the dashboard, it doesn't behave as I would expect. The bar chart shows the alert types as bars. I expected the legend to show the severity types/values (High/Med/Low), but instead it shows "count".

When I click on the bar for "High", the drilldown I expected was "alert=high", instead it's "count=813" -- and there is no "count" field in my logs, so that fails.

I'm sure this is a common scenario for others, can anyone point me to an example search/dash that works as expected?

davecroto · ‎08-08-2013

The mouse over gives me the alert status

davecroto · ‎08-09-2013

Ahhh, ok, check this out:

http://splunk-base.splunk.com/answers/58335/change-chart-bar-color-based-on-data-value

jharris1111 · ‎08-08-2013

Thanks, Dave. That is working better for me.
Initially, I was doing "

| top 3 alert"

With your "

| count by alert" it now works better. The drill-down now does the right thing, e.g. "alert=high".

The remaining oddity is that the chart is still a single color for all bars, and the legend has only "count". The legend is not really important, but I was trying to map the bars to their appropriate color by something like:

["high","med","low"]
[0xFF0000,0xFFFF00,0x00FF00]

davecroto · ‎08-08-2013

Does it look something like this?

|chart count by alert

davecroto · ‎08-08-2013

Need to see your search to what your splitting "by"

Charting results from top, and doing drilldowns?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...