Splunk Search

display cumulative total and specific group summations on chart

DEAD_BEEF
Builder

I have anti-virus data and I want to plot the the types of alerts on a chart over time. I want to plot the data such that I can graphically see all virus related alerts compared to all AV alerts (to include the virus count).

Using my current query, I am getting two lines on my chart, Virus and NULL.

Does the 1=1 condition count all cases as true? Or only all that didn't meet the previous cases? I need a count of all alerts to include the Virus.

current query

index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,All)
| timechart count by alert_type span=1d

final working query

index=av alert=*
| eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0) 
| timechart span=1d sum(Virus) as Virus count as All
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You need to include default case value All in double quotes. Without it, it's trying to assign value of field All which probably doesn't exist in your data (hence NULL).

index=av alert=*
 | eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
 | timechart count by alert_type span=1d

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

You need to include default case value All in double quotes. Without it, it's trying to assign value of field All which probably doesn't exist in your data (hence NULL).

index=av alert=*
 | eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
 | timechart count by alert_type span=1d

DEAD_BEEF
Builder

Doh! I totally missed the quotes. That fixed it. Do you know if the 1=1 case is an aggregate of all or only all which do not meet previous case= statements? Reason is that I want to plot virus vs all (to include the virus count). e.g.: if it were 20 out of 100 total alerts rather than 20 and 80 other alerts.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It'll be for all non-matching events. If you want cumulative, try this variation.

index=av alert=*
  | eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0) 
  | timechart span=1d sum(Virus) as Virus count as All
0 Karma

DEAD_BEEF
Builder

This works, thank you!

0 Karma

woodcock
Esteemed Legend

I use true() instead of 1==1 because it is more clear.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...