Hi,
I want to add multiple search queries from different chart panels into one consolidated chart panel. I am developing a panel for vulnerabilities that will show "New", "Active", "Re-Opened" and "Fixed" vulnerabilities. I can create and display each search in a separate chart panel but am unable to combine them all in a single consolidated chart panel.
My search queries are
New
index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_next_scan | dedup 1 vulnerability_name, asset_name | where first_seen=last_seen | top limit=5 linecount
Active
index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_possitive OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_next_scan vulnerability_shielded=false | dedup 1 vulnerability_name, asset_name | top limit=5 linecount
Re-Opened
index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_scan_state=fixed AND vulnerability_scan_state=active | dedup 1 vulnerability_name, asset_name | top limit=5 linecount
Fixed
index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_scan_state=fixed | dedup 1 vulnerability_name, asset_name | top limit=5 linecount
I want to combine all the result data of these search queries into a single chart panel. Can anybody help me out?
You could always use a sub-search to accomplish this. It may be slow since it's an expensive search, so you could always put it in a summary index or scale your infrastructure to account for the expensive search. Another option would be to have separate panels, then have your first panel post-process to the other panels downstream.
index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_next_scan | dedup 1 vulnerability_name, asset_name | where first_seen=last_seen | top limit=5 linecount [search index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_possitive OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_next_scan vulnerability_shielded=false | dedup 1 vulnerability_name, asset_name | top limit=5 linecount]
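One concrete way to put all four states on a single chart, as an added example that is not part of the original question or answer: each of the poster's four searches is run as an `append` subsearch, tagged with an `eval status=...` label, reduced to a count, and the results are merged with a final `stats ... BY status` so one panel charts New/Active/Re-Opened/Fixed side by side. Assumptions: the index, client, token and field values are copied from the poster's queries (the Re-Opened filter is kept exactly as they wrote it); the severity test is parenthesised for readability; the `!=` exclusions are written as implicit ANDs because an OR chain of `!=` tests on one field matches every event; and `top limit=5 linecount` is replaced by a plain count, since a consolidated chart needs one number per status.

```spl
index=ABCD client=XXXX asset_name="$asset$" (vulnerability_severity=critical OR vulnerability_severity=high)
    vulnerability_condition!=false_positive vulnerability_condition!=supressed_until
    vulnerability_condition!=supressed_forever vulnerability_condition!=supressed_next_scan
| dedup vulnerability_name, asset_name
| where first_seen=last_seen
| eval status="New"
| stats count AS vulnerabilities BY status
| append
    [ search index=ABCD client=XXXX asset_name="$asset$" (vulnerability_severity=critical OR vulnerability_severity=high)
        vulnerability_condition!=false_positive vulnerability_condition!=supressed_until
        vulnerability_condition!=supressed_forever vulnerability_condition!=supressed_next_scan
        vulnerability_shielded=false
    | dedup vulnerability_name, asset_name
    | eval status="Active"
    | stats count AS vulnerabilities BY status ]
| append
    [ search index=ABCD client=XXXX asset_name="$asset$" (vulnerability_severity=critical OR vulnerability_severity=high)
        vulnerability_scan_state=fixed AND vulnerability_scan_state=active
    | dedup vulnerability_name, asset_name
    | eval status="Re-Opened"
    | stats count AS vulnerabilities BY status ]
| append
    [ search index=ABCD client=XXXX asset_name="$asset$" (vulnerability_severity=critical OR vulnerability_severity=high)
        vulnerability_scan_state=fixed
    | dedup vulnerability_name, asset_name
    | eval status="Fixed"
    | stats count AS vulnerabilities BY status ]
| stats sum(vulnerabilities) AS vulnerabilities BY status
```

Because each `append` subsearch is subject to Splunk's subsearch result and runtime limits, a status whose subsearch is truncated will be under-counted silently; if the base searches are heavy, the summary-index route the answer mentions avoids that.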