Splunk Search

drilldown of pie chart by business unit

payton_tayvion
Path Finder

I'm currently trying to build a dashboard that would drill down by site name.

Here's an example of the site name: ABC-DEF-PRIV-APJ-AU-SYD.

So the drill-down would be APJ (Region) --> ABC (Business Unit) --> assets

Could someone point me in the right direction to accomplish this?

Here's a snippet of the code and visualization that I'm getting:

index="lob_data" sourcetype="csv" sitename!="hec*" sitename!="corp*"
| where vulnAge > 30
| stats count(IP) as "Total Systems" by sitename,vulnAge


0 Karma

niketn
Legend

@payton_tayvion, for the community to assist you better, please provide more details on the data and your drilldown use case. Do you want to set three tokens from your site, i.e. Region, Business Unit and Asset?
Also, what is the breakup for the site? In your example ABC-DEF-PRIV-APJ-AU-SYD, is the first position ABC always the Business Unit? Is the 4th position APJ always the region? Where is the asset? What are positions 2, 3, 5 and 6?

Seems like you need Simple XML <eval> with split() and mvindex() on $row.site$ to set the required tokens. But we will not be able to assist you better without further details.

On a different note: the second | where seems expensive; move vulnAge to the main search. Also, for 10K+ results do you want to use a Pie Chart? Either switch to a different viz or use Trellis Layout.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
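One way to wire the three-level drilldown up in Simple XML, as an added example that is not code from either poster. It assumes the layout shown in the question (position 1 = business unit, position 4 = region, assets = the IPs under both), which is exactly the breakup the reply above asks to confirm, and it does the split()/mvindex() extraction in the search so each pie aggregates to one wedge per region or business unit instead of one per site name.

```xml
<dashboard>
  <label>Vulnerable systems by region and business unit (example)</label>
  <!-- Assumption: site names are BU-?-?-REGION-COUNTRY-CITY, e.g. ABC-DEF-PRIV-APJ-AU-SYD,
       so mvindex 0 is the business unit and mvindex 3 is the region. -->
  <row>
    <panel>
      <title>Systems with findings older than 30 days, by region (click a wedge)</title>
      <chart>
        <search>
          <query>index="lob_data" sourcetype="csv" sitename!="hec*" sitename!="corp*" vulnAge>30
| eval parts=split(sitename,"-"), bu=mvindex(parts,0), region=mvindex(parts,3)
| stats dc(IP) as "Total Systems" by region</query>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- the clicked wedge label is the region; clear the deeper token so stale panels hide -->
          <set token="region">$click.value$</set>
          <unset token="bu"></unset>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$region$">
      <title>Region $region$: systems by business unit</title>
      <chart>
        <search>
          <query>index="lob_data" sourcetype="csv" sitename!="hec*" sitename!="corp*" vulnAge>30
| eval parts=split(sitename,"-"), bu=mvindex(parts,0), region=mvindex(parts,3)
| where region="$region$"
| stats dc(IP) as "Total Systems" by bu</query>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- one wedge per business unit, however many sites share that unit -->
          <set token="bu">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$bu$">
      <title>Assets in $region$ / $bu$</title>
      <table>
        <search>
          <query>index="lob_data" sourcetype="csv" sitename!="hec*" sitename!="corp*" vulnAge>30
| eval parts=split(sitename,"-"), bu=mvindex(parts,0), region=mvindex(parts,3)
| where region="$region$" AND bu="$bu$"
| table IP sitename vulnAge</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

dc(IP) counts each host once even if it has several findings; the original search's count(IP) counts rows, so swap it back if you want finding counts rather than system counts.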

payton_tayvion
Path Finder

Yeah, so right now I'm focusing on creating a regex that will pull ABC, which is the business unit, but when it pulls the business unit I only want it to pull for each business unit.

For example:
there may be multiple ABC units, but I only want it to show once on the pie chart.

0 Karma