Splunk Search

How do I plot events returned from my search on a scatter graph over time?

SecureIA
Path Finder

Hi helpful people,

I wish to plot login events on a scatter graph. I would like to show when logins have occurred and on what host. (preferably color can symbolize a certain host if that is possible). Here is my search below:

host=??? NOT host=??? NOT host=??? NOT username=??? NOT username=??? NOT username=??? NOT username=??? "new session"

This search returns all the login events, but I cannot seem to understand how to use the scatter graphs in Splunk.

Any help would be truly appreciated.

0 Karma

jplumsdaine22
Influencer

Hello,

Welcome to Splunk. If you have not already done so, I highly recommend going through the search tutorial. It will take you a few hours but you will learn a great deal! http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial

First up your search has some redundant terms. Because you have a positive term for host, there is no need to specify NOT host, as host can only have a single value. I would write it like this:

 host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???) 

In this case, to generate data for the visualisation you will need a reporting command. Let's say your events contain a field called foo, then your search should be something like this:

 host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)  | stats count(foo) by username

Then when you select the visualization tab, your scatter plot should populate. Your actual reporting search will depend on what data you have and how you want to present it - as I said, if you do the search tutorial it will show you what to do.

0 Karma

SecureIA
Path Finder

I have read much of it and I am becoming more and more familiar with Splunk with each passing week. Trouble is that I have never been able to successfully implement an idea on a scatter graph.

The main issue I'm having is that I'm trying to plot against time. Therefore, may I ask whether a timechart would be more suitable?

0 Karma

JMichaelis
Path Finder

In this case a timechart would be better, for example:
| timechart span=1h count(foo)
if you want to plot all events with the field foo each hour or
| timechart span=1h count(foo) by username
if you want to see a line for each username.

jplumsdaine22
Influencer

Yep, do what @JMichaelis said - you should get the results you're after.

See http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Timechart for more specifics

0 Karma
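An added example, not from any of the posters above, that combines the advice in this thread for the original question of showing login events per host over time. The ??? placeholders are the original poster's; the first search feeds a timechart with one line per host (only useful if the base search matches more than one host), and the second produces a host / _time / count table, which is the column order Splunk's scatter chart reads as series name, x-axis and y-axis.

```spl
host=??? "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)
| timechart span=1h count by host
| fillnull value=0

host=??? "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)
| bin _time span=1h
| stats count by host, _time
```

Run either search and then open the Visualization tab; fillnull replaces empty buckets with 0 so hours with no logins still appear on the timechart.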