Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

display cumulative total and specific group summations on chart

DEAD_BEEF
Builder
‎12-01-2017 01:07 PM

I have anti-virus data and I want to plot the the types of alerts on a chart over time. I want to plot the data such that I can graphically see all virus related alerts compared to all AV alerts (to include the virus count).

Using my current query, I am getting two lines on my chart, Virus and NULL.

Does the 1=1 condition count all cases as true? Or only all that didn't meet the previous cases? I need a count of all alerts to include the Virus.

current query

index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,All)
| timechart count by alert_type span=1d

final working query

index=av alert=*
| eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0) 
| timechart span=1d sum(Virus) as Virus count as All
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-01-2017 01:14 PM

You need to include default case value All in double quotes. Without it, it's trying to assign value of field All which probably doesn't exist in your data (hence NULL).

index=av alert=*
 | eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
 | timechart count by alert_type span=1d

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-01-2017 01:14 PM

You need to include default case value All in double quotes. Without it, it's trying to assign value of field All which probably doesn't exist in your data (hence NULL).

index=av alert=*
 | eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
 | timechart count by alert_type span=1d
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎12-01-2017 01:22 PM

Doh! I totally missed the quotes. That fixed it. Do you know if the 1=1 case is an aggregate of all or only all which do not meet previous case= statements? Reason is that I want to plot virus vs all (to include the virus count). e.g.: if it were 20 out of 100 total alerts rather than 20 and 80 other alerts.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-01-2017 01:30 PM

It'll be for all non-matching events. If you want cumulative, try this variation.

index=av alert=*
  | eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0) 
  | timechart span=1d sum(Virus) as Virus count as All
0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎12-01-2017 01:52 PM

This works, thank you!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-01-2017 01:29 PM

I use true() instead of 1==1 because it is more clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...