Splunk Search

Dynamic Views

jam678
Explorer

So I've been asked to determine what the top 5 events are on our network from the traffic, which is simple enough, but then they want timecharts for each event, with the top 10 IPs reporting. Again, pretty simple stuff.

However, I know how to do it if I statically determine the top 5 events (one for each):

sourcetype="type" Event="eventtype" | timechart count by IPAddress

But is there any way to edit the search so that it generates a timechart for whatever the top event happens to be at that time (and then #2-#5)? Say, #6 suddenly becomes #5? Can't seem to figure it out.

EDIT: And I know that the top 10 IPs for each event could be different, hence why 5 separate charts are necessary.

Thanks!

0 Karma

cvajs
Contributor

Check out this Answer:
http://splunk-base.splunk.com/answers/43487/iteration-function-syntax

It is what you want; however, it won't be possible to display it in a timeline, only a table showing the top 5 error codes with the top 10 src per error code along with the count(src) per error code. So you can create a view that uses "earliest=X" and "latest=Y" to get your results for any timeframe.

The timeline snafu is that for each error code event it may have been recorded at different times during the timeframe chosen. You could perhaps bucket the top 5 (error code) then top 10 (src) per bucket, say for 10m time slices, but that chart will be messy. Is the total count per search timeframe good enough?

PLEASE NOTE, reporting on src IP may be misleading if the IP comes from DHCP and is not static, so you could have two different IPs in the list which could be the same host, or the same IP that has been shared by different hosts during the timeframe of the search, etc. So be careful on how you report this data.

0 Karma

cvajs
Contributor

sourcetype="type" Event="eventtype" earliest=-24h | top eventtype limit=5 | timechart count by IPAddress

Every time it runs it searches for events in the last 24 hrs, finds the top 5, and creates your chart by time.

Best to create a whole bunch of saved searches that meet your needs (look up savedsearches.conf).

Does this help? However, I don't think this will display the top 10 IPs per event; it only displays the # of IPs over time for all 5 events.

Maybe: sourcetype="type" Event="eventtype" earliest=-24h | top eventtype limit=5 | timechart count(eventtype) by IPAddress

I don't think it can be displayed the way you want. The reason being, the top 5 events over the requested time period may have occurred at different times. So if all of the top 5 events occurred at different times, you then need to attach the top 10 IPs associated to those top 5 events, which means there could be varying #s of IPs per event, but the total # of IPs attached cannot exceed 10, etc. I don't think you can get this type of functionality using timechart.

0 Karma

cvajs
Contributor

This gets close, but I cannot get the src list to represent the top 10 for the event:

[search eventtype=cisco_firewall | top error_code limit=5 | table error_code] | stats count,values(src),values(event_desc) by error_code | sort - count

0 Karma
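One way to get the top 10 src per error code into that table, as an added example (not a poster's own search): it keeps the cisco_firewall field names from the search above, counts per (error_code, src) pair, ranks the src values within each error_code with streamstats, and keeps only rank 1-10. The total per error code is preserved with eventstats before the filter, so the count column still reflects all events for that code, not just the listed sources.

```spl
eventtype=cisco_firewall
    [ search eventtype=cisco_firewall | top error_code limit=5 | fields error_code ]
| stats count BY error_code, src
| eventstats sum(count) AS total BY error_code
| sort 0 - count
| streamstats count AS rank BY error_code
| where rank <= 10
| stats first(total) AS total, list(src) AS top10_src, list(count) AS src_count BY error_code
| sort - total
```

list() keeps the sorted order, so top10_src and src_count line up row for row; the DHCP caveat raised earlier still applies to any src-based ranking.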

jam678
Explorer

I know that making the pie chart and then drilling down into the slices will satisfy MY requirement. My problem is I have a "boss" who wanted to see the timecharts with this on there. 🙂

I do have a question about your response though - so I can't do a "count" over, say, 24h and let that determine the Top 5 events, then generate timecharts for each of those based on the top 10 IPs for each event?

Also, if this is impossible, that's an acceptable answer too. My Splunk training has all been on-the-job, so I wouldn't be surprised if I'm asking for something outside the scope of the application.

0 Karma

cvajs
Contributor

Making 5 individual charts is easy in a view. I think it will be easy to get what you want; however, it cannot be charted on a timeline. It will be displayed as top-10-IP-per-event in a pie chart, where the pie is the event and the 10 slices of the pie are the IPs (which will also show % of total for each IP, etc). The reason why it can't display onto a timeline chart is that any one of the top 5 events will have occurred at different times. Since nobody else is chiming in, I will play around with a view for you tomorrow.

0 Karma

jam678
Explorer

Yeah, the problem is that I'd need 5 separate charts, since having them all on the same chart means that there could be 10 different top IPs (for each event) over the past X time.

I essentially need 5 charts, one for each of the top 5 Events, with the top 10 IPs for that event on the Y axis, and the X axis as _time.

If I can't get it via timechart, I'm at a loss if there's some way to do this dynamically.

0 Karma
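One search per panel that does what the last post asks for, as an added example rather than any poster's own answer: it assumes the field names from the question (sourcetype="type", Event, IPAddress) and a 24h window. The subsearch ranks the top 5 events over the whole window and returns only the event at position N (rank=1 here); the outer search then timecharts that single event, and timechart's limit=10 with useother=f keeps just the 10 IPAddress series with the highest totals, so the panel re-selects both the event and its IPs on every run.

```spl
sourcetype="type" earliest=-24h
    [ search sourcetype="type" earliest=-24h
      | top Event limit=5
      | streamstats count AS rank
      | where rank=1
      | fields Event ]
| timechart span=1h limit=10 count BY IPAddress useother=f usenull=f
```

The five panels differ only in the rank=N value (1 through 5), which can be a dashboard token; if #6 overtakes #5 tomorrow, the rank=5 panel simply picks up the new event.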