Dashboards & Visualizations

Top X chart

DerekKing
Path Finder

Hi,

I'm trying to return my top 3 hosts reporting vulnerabilities, in a bar chart stacked by risk. So this means I want host A B and C, because they report say 100 entries each (as opposed to host D and E only reporting 20 each), and then I want to split each host into the Risk numbers that make up the 100.

So far I have:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | chart count BY Host,Risk_Factor

This gives me what I want in terms of a stacked chart showing the counts of risk, but I can't seem to return only the top 3.

The search:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | top limit=3 Host | chart count BY Host,Risk_Factor

seems to break the chart.

Not sure what I'm doing wrong here.

Any help appreciated.

Thanks
Derek.

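One way to get the result the question asks for (the three hosts with the most findings, each split by Risk_Factor), added here as an example and not taken from any post in this thread; the index, sourcetype and source values are the thread's own placeholders. The chart is built first so each Host becomes one row with a column per Risk_Factor, then addtotals sums the row, sort keeps the three largest, and the helper column is dropped so it does not appear as a bar segment:

```spl
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
| chart count OVER Host BY Risk_Factor
| addtotals fieldname=Total
| sort 3 -Total
| fields - Total
```

The limit= option of chart itself only caps the number of Risk_Factor columns (default 10), not the number of Host rows, which is why the row cut has to happen after the chart.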

somesoni2
SplunkTrust

Try this

index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
| stats count by Host Risk_Factor | sort Risk_Factor,-count | streamstats count as sno by Risk_Factor | where sno < 4 | fields - sno

wpreston
Motivator

I think I made a typo in my other answer, and I can't post comments from my workplace for some reason, so here's a new answer. The "host" in the top and fields commands should be capitalized. Also, your Risk_Factor should probably be included in the main search. How about:

search index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 Host 
    | fields Host]
| chart count by Host Risk_Factor

wpreston
Motivator

Sorry, I had it wrong in my earlier answer. There may be a more elegant search to get what you want, but this is what I came up with. Use a subsearch to determine the hosts that you need, then report on the Risk_Factor of those hosts:

search index="XXX" sourcetype="XXX" source=XXXX 
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 host 
    | fields host]
| chart count by Host Risk_Factor

DerekKing
Path Finder

Hi, thanks for the help on this. I can't believe I'm having so much trouble. Neither is working for me unfortunately.

First example gives me null back, and the second tells me that the "search will not match any events".


wpreston
Motivator

How about something like this:

index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" 
| top Risk_Factor by Host limit=3 
| fields - percent
| chart values(count) AS count by Host Risk_Factor

Moritz
Explorer

Maybe you try something like
| sort by -Risk_Factor | head 3


DerekKing
Path Finder

Hi,

No, this just gives me the first three entries that appear on the chart.

Somehow I need to count the number of entries by host, then sort on that field, and then I guess chart and head

It's the counting of all entries by host that I'm struggling with, I think...


ThomasControlwa
Path Finder

For me it works as follows.
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
| stats count by Risk_Factor
| sort by -Risk_Factor
| head 3
"| some statistic"

... done. I know that I'm very late, but it works.
