Solved: Append static data to a field for charting

zhatsispgx · ‎02-28-2019

Hello,

I am trying to append static data to a chart that splunk generates and i'm not sure how to do this with a lookup or anything. The end goal is to have additional x-axis entries (ProjectNames) on my chart with arbitrary values for Severity, alongside the actual real data found in our splunk index. Here is what it currently looks like:

index=myindex
| rename CxXMLResults.@ProjectName as ProjectName
| rename CxXMLResults.@Team as Team
| rename CxXMLResults.Query.Result.@Severity as Severity
| rename CxXMLResults.Query.Result.Path.@PathId as PathId
| eval deduper=md5(Team.ProjectName.PathId)
| dedup deduper
| fillnull value=''
| append [eval ProjectName="MyArbitraryProject"] 
| chart count(Team) over ProjectName by Severity

in the |append [eval ProjectName="MyArbitraryProject"] I Am trying to make a new project called "MyArbitraryProject" that will show up on the X axis, but obviously this doesn't work because I dont have Severity values available for it. Please help! I'm stumped.

zhatsispgx · ‎03-01-2019

Close. Once I discovered | makeresults thanks to @HiroshiSatoh I ended up with this that works

...
| dedup deduper
| fillnull value=''
| append [| makeresults count=1000 | eval ProjectName="MyArbitraryProject" | eval Team="MyTeam" | eval Severity="UNKNOWN" ] 
| chart count(Team) over ProjectName by Severity

View solution in original post

zhatsispgx · ‎03-01-2019

Close. Once I discovered | makeresults thanks to @HiroshiSatoh I ended up with this that works

...
| dedup deduper
| fillnull value=''
| append [| makeresults count=1000 | eval ProjectName="MyArbitraryProject" | eval Team="MyTeam" | eval Severity="UNKNOWN" ] 
| chart count(Team) over ProjectName by Severity

somesoni2 · ‎03-01-2019

Give this a try

index=myindex
 | rename CxXMLResults.@ProjectName as ProjectName
 | rename CxXMLResults.@Team as Team
 | rename CxXMLResults.Query.Result.@Severity as Severity
 | rename CxXMLResults.Query.Result.Path.@PathId as PathId
 | eval deduper=md5(Team.ProjectName.PathId)
 | dedup deduper
 | fillnull value=''
 | chart count(Team) over ProjectName by Severity
 | fillnull value=0
 | append [| makeresults |eval ProjectName="MyArbitraryProject"]
 | fillnull value=500

HiroshiSatoh · ‎02-28-2019

Just want to add one row?

| append [| makeresults |eval ProjectName="MyArbitraryProject",Severity="your Severity"]
| chart count(Team) over ProjectName by Severity

zhatsispgx · ‎03-01-2019

This almost did what I need to.. the Count isn't showing up on the chart though. i.e.

index=checkmarx

CxXMLResults.Query.Result.@state!=1
CxXMLResults.Query.Result.@Severity!=Information
| rename CxXMLResults.@ProjectName as ProjectName
| rename CxXMLResults.@Team as Team
| rename CxXMLResults.Query.Result.@Severity as Severity
| rename CxXMLResults.Query.@name as VulnName
| rename CxXMLResults.Query.Result.Path.@PathId as PathId
| eval deduper=md5(Team.ProjectName.PathId)
| dedup deduper
| fillnull value=''
| append [| makeresults | eval ProjectName="MyArbitraryProject", Severity="High", count=500]
| chart count(Team) over ProjectName by Severity

Append static data to a field for charting

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio