Dashboards & Visualizations

Changing the color of a certain condition on my Bar Chart

rkaakaty
Path Finder

Hi,

Here is my code...

eventtype=qualys_vm_detection_event STATUS!="FIXED"
| fillnull value=- PROTOCOL
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time
| stats list(HOST_ID) as HOST_ID, list(DNS) as Host_Name, list(OS), list(IP) as IP count(HOST_ID) by QID
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY CATEGORY PATCHABLE CVE CVSS_BASE CVSS_TEMPORAL
| eval CVSS_SCORE = CVSS_BASE + CVSS_TEMPORAL
| rename count(HOST_ID) AS HOSTS
| eval Systemic_Score = CVSS_SCORE*HOSTS
| table QID, Systemic_Score
| sort - Systemic_Score
| head 10

I am basically organizing data in a way where on the X-Axis it is showing the Score and on the Y-Axis the QID. Each of these values is either patchable or unpatchable. I want to make it so that the patchable QIDs are a different color, like green, and the unpatchable ones red.

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try (assuming the field PATCHABLE contains the values "Yes" or "No"; update accordingly).

eventtype=qualys_vm_detection_event STATUS!="FIXED"
| fillnull value=- PROTOCOL 
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time 
| stats count(HOST_ID) as HOSTS by QID 
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY CATEGORY PATCHABLE CVE CVSS_BASE CVSS_TEMPORAL 
| eval CVSS_SCORE = CVSS_BASE + CVSS_TEMPORAL 
| eval "Systemic_Score(Patchable)" = if(PATCHABLE="Yes",CVSS_SCORE*HOSTS,0)
| eval "Systemic_Score(Unpatchable)" = if(PATCHABLE="No",CVSS_SCORE*HOSTS,0)
| eval Systemic_Score = CVSS_SCORE*HOSTS
| sort - Systemic_Score
| head 10
| table QID, "Systemic_Score(Patchable)" "Systemic_Score(Unpatchable)"

rkaakaty
Path Finder

This worked, thank you so much. Do you happen to know how I can change the patchable bar to green and the unpatchable one to red?

0 Karma

somesoni2
Revered Legend

You would need to update your dashboard XML to include the following in your chart element.

<option name="charting.fieldColors">
  {"Systemic_Score(Unpatchable)": 0xFF0000, "Systemic_Score(Patchable)": 0x0066FF}
</option>

For more details, go to the link below and search for charting.fieldColors:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Viz/ChartConfigurationReference

0 Karma