Splunk Search

Visualizing output from top in a bar chart

responsys_cm
Builder

I would like to create a bar chart that lists the top 10 hosts with the highest count of events. But rather than have a single bar representing the count, I want a stacked bar representing the count of each unique class of event (there are five of them).

Thx.

Craig

Tags (1)
0 Karma
1 Solution

Ayn
Legend

So, what you should do is first get the top 10 hosts in a subsearch, then for those 10 get the count per class.

... [search ... | top 10 host | fields host] | top class by host

...then choose a stacked bar chart in the report builder.

View solution in original post

jonuwz
Influencer

Something like this ?

index=_internal series="*" | eval eps=eps*1000 | rangemap field=eps low=0-100 elevated=101-500 high=501-1000 default=severe | table series range | stats count by series range

Then you can do this in postprocess

appendpipe [ stats sum(count) as count by series | eval range="summary" ] | chart sum(count) as count over series by range useother=f | sort - summary | head 10 | fields - summary

The appendpipe sums up the counts by series only (not by range) - so you can get your 'count by host' stats.

It sticks the results at the end of the search results, distinguishing itself with 'range=summary'.

Then you mux the data up into a chart. Once you have this you can sort on 'summary' ( the total number of hits per series / hostname ) , get the top 10, and remove the summary data-series from the chart.

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>eps</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>
  <module name="Message" layoutPanel="navigationHeader">
    <param name="filter">splunk.search.job</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
    <param name="level">warn</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="eps1" autoRun="True">
    <param name="search">index=_internal series="*" | eval eps=eps*1000 | rangemap field=eps low=0-100 elevated=101-500 high=501-1000 default=severe | table series range | stats count by series range</param>
    <module name="HiddenPostProcess">
      <param name="search">appendpipe [ stats sum(count) as count by series | eval range="summary" ] | chart sum(count) as count over series by range useother=f | sort - summary | head 10 | fields - summary</param>
      <module name="HiddenChartFormatter">
        <param name="charting.chart">column</param>
        <param name="charting.chart.stackMode">stacked</param>
        <module name="EnablePreview">
          <param name="display">False</param>
          <param name="enable">True</param>
            <module name="JSChart">
              <param name="width">100%</param>
            </module>
        </module>
      </module>
    </module>
  </module>
</view>

John

0 Karma

Ayn
Legend

So, what you should do is first get the top 10 hosts in a subsearch, then for those 10 get the count per class.

... [search ... | top 10 host | fields host] | top class by host

...then choose a stacked bar chart in the report builder.

Ayn
Legend

Yes, makes sense - I can't think of a good solution though! The problem is that once you calculate the top 10 hosts, you've filtered out all the other field information, like severity. You could of course calculate by host AND severity, but then you'll have a problem with determining which the actual top 10 hosts are - you can easily grab the top 10 PAIRS of host and severity, but that's likely not what you want. I've no good idea right now on how to solve this in a postprocess to be honest.

0 Karma

responsys_cm
Builder

The top level dashboard search is:

| inputlookup append=t vulnerabilities_lookup | rangemap field=severity Critical=5-5, High=4-4, Medium=3-3, Low=2-2, Info=0-1 | lookup cve_exploitdb cve_id OUTPUT exploitdb_id

The data fields look like:
_time,dest,hostname,domainname,protocol,dest_port,vuln_id,signature,severity,cve_id,exploitdb_id

I have multiple charts on the page that take the results from the search above and produce reports like:

Top 10 hosts (severity>=3)

For that report, I want to show the top 10 hosts (total count), but display the total in stacked bars by severity.

Make sense?

0 Karma

Ayn
Legend

I think you need to explain more about what info you are getting from where and what your complete search look like. Using a subsearch in a postProcess can be done I guess, but will likely not have the effects you want. Subsearches are commonly used for performing some initial filtering.

0 Karma

responsys_cm
Builder

Actually, I couldn't quite figure out how to implement the subsearch. I should mention this is being done in a dashboard. There is the initial search that appends data from a lookup table, performs two subsequent lookups, and then applies a rangemap to one of the fields.

I then have a PostProcess that does what I showed above. How do I apply a sub-search in that context. I tried:

[search * | top 10 dest | fields dest]

but I get an error saying subsearches only apply to commands. Then I tried

search * [search * | top 10 dest | fields dest ]

That just times out in 60 secs.

0 Karma

responsys_cm
Builder

Thanks, Ayn!

This also worked:

| where severity>=3 | contingency dest,range | search NOT dest=TOTAL | sort -TOTAL | head 10 | fields dest,Medium,High,Critical

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...