Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg
Engager
‎01-24-2020 08:11 AM

Basically, I am trying to visualize all events which match up to the initial query, and provide a bar graph output. Then, I want to perform another query which overlays events that are also "pan_wildfire" events. Here's the query I currently have. It works, but doesn't provide anything meaningful.

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked | timechart count(action) by date | appendcols [search index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype = pan_wildfire] | timechart count(action) by date

If I remove everything after the first "timechart", I get the timechart I expect. What I am hoping to accomplish is to show that data, then overlay in a different color the second timechart visualization. I expect this to be a much smaller piece of data, but it's important I show those as well.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-24-2020 12:51 PM

UPDATE

index="paloalto" (src_zone=zoneA OR src_zone=zoneB) app=ssl 
| timechart span=1d count as All_Decrypted_Traffic
,count(eval(flags=decrypted
AND type=THREAT 
AND threat!="MP4 Detected(52104)"
AND action=blocked)) as All_Blocked_count
,count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count

I think you create 4 counts.

0 Karma
Reply

z432u4kvfkcg
Engager
‎01-24-2020 01:41 PM

Well, I'm trying to show a graph of overall SSL traffic (which is the first part), then a graph showing the decrypted traffic (index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)"), then a final part showing the wildfire events (which is a very small number of things, and this is currently searching via timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count )

I would like this all as three separate bar charts or line charts- basically, to show the difference between each type of traffic flow. We start with SSL traffic, decrypt a small part of that (and I want to show the threat events found in decrypted traffic), then I finally want to show the wildfire findings in that decrypt traffic.

0 Karma
Reply

niketn
Legend
‎01-24-2020 09:43 AM

@z432u4kvfkcg when your intent is to plot a timechart, the reason to split by date field is not so clear. Also, based on the search you have provided seems like you dont need subsearch appendcols at all. Please try the following:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked
| timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

z432u4kvfkcg
Engager
‎01-24-2020 10:11 AM

So that worked a lot better, but the Pan_wildfire_blocked isn't showing any events, when I know for a fact I have them. I had one today, but it's not showing up anywhere.

I want to show this by date because I want to understand a day-by-day trend for decrypted threat events vs. decrypted threat events which also have the pan_wildfire event type.

0 Karma
Reply

niketn
Legend
‎01-24-2020 10:45 AM

Hi @z432u4kvfkcg eventtype=pan_wildfire exists then the query should work.

Do you get results when you perform the following command:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype=Pan_wildfire

Or what do you see when you run the following:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked 
| stats count by eventtype

Also adding span=1d should bucket daily stats for you. For example: | timechart span=1d ............

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

z432u4kvfkcg
Engager
‎01-24-2020 12:04 PM

Ok, one last snag. Now I'm trying to compare both of these to overall SSL traffic in a specific zone. Here's the query, but I'm obviously doing something wrong with how I am nesting the previous two pieces into the new part (which is index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl ) because I get this error:
Error in 'timechart' command: The eval expression for dynamic field 'flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid. Error='The operator at 'type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid.'.

New query:

index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl | timechart count as All_Decrypted_Traffic count(eval(flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked)) as Decrypted_Threat | timechart count as All_Blocked_count count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count

0 Karma
Reply

z432u4kvfkcg
Engager
‎01-24-2020 11:39 AM

Yes, I get results for both. I found out I needed to enclose pan_wildfire in quotes, so it actually needed to be something like threat_category="wildfire" or it never found the events.

Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...