topic Overlay/Heatmap Bar Chart in Splunk Dev

Overlay/Heatmap Bar Chart

mbasharat — Tue, 29 Sep 2020 20:45:12 GMT

Hi,

I have a simple query as below.

Then I have below query referencing above report:

| stats dc(vulnerability_id) by "Application Type"
| sort by dc(vuln_id) Desc
| rename "Business Element Display Label" AS "Premium Application", dc(vuln_id) AS "Vulnerabilities Count"
| head 20

Results are as expected. Now I want below.

I am trying to chart vulnerabilities count for several applications on column chart with overlay. I want each application to have something like attached that shows me the breakdown of different severities in colors stacked for each application. WHen I go to chart overlay settings, I see range and vulnerabilities choices but it is not producing what I need it to look like in Column chart.

Thanks,

Re: Overlay/Heatmap Bar Chart

niketn — Tue, 31 Jul 2018 03:31:34 GMT

@mbasharat, your range field seem to have information to apply colors based on range to table cell. However, as per your query seems like range field is not present in the final table.

If stats by "Application Type" does not give you unique rows, how are you planning to apply range? There may be Applications belonging to different group fall into same range. I am not sure if the following solves your need, but you can perform count of vulnerabilities by range or by range and "Application Type"

<yourBaseSearch>
| stats dc(vulnerability_id) by range

Please provide a sample of your current tabular output and expected output.

Several Table Coloring options are available in Splunk Enterprise version 6.5 or higher. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Column_color

You can use Simple XML JS and CSS Extension as well to apply any color formatting as per your needs for example Table Row Color based on field/fields values. You can get Splunk Dashboard Examples app for such examples or check out several examples already present on Splunk Answers.

Re: Overlay/Heatmap Bar Chart

mbasharat — Tue, 31 Jul 2018 12:50:16 GMT

Hi Nikitniley,

I actually know the formatting in table BUT I actually want this in column chart in 100% Stacked form just like in the attached image.

When I tried "by range" instead of application type, it does show multiple columns in column chart showing different ranges and the count BUT I want it simply, Application ABC showing in column chart on x-axis, where one column is in stacked settings for each application showing different levels of severity in colors vertically n y-axis. using "by range" as above or "by Application" work as they should be but not like the way I require.

Thanks,

Re: Overlay/Heatmap Bar Chart

niketn — Tue, 31 Jul 2018 17:34:26 GMT

@mbasharat Sorry I am unable to follow. What is the output you currently have and what is it that you need? Can you add mock up for both?

Re: Overlay/Heatmap Bar Chart

mbasharat — Tue, 29 Sep 2020 20:45:56 GMT

So, here is my query:

index=ABC
| lookup ucmdb "Primary FQDN" as FQDN
| search "Application Type"="Premium"
| stats dc(FQDN) by os, vulnerability_id, FQDN, "Application Type", IP, Organization
| lookup ABC.csv vulnerability_id
| rangemap field=score None=0-0 Low=0.1-3.9 Medium=4.0-6.9 High=7.0-8.9 Critical=9.0-10.0
| fields "Application Type" FQDN IP Organization os score vulnerability_id range
| stats dc(vulnerability_id) by "Application Type"
| sort by dc(vuln_id) Desc
| rename "Business Element Display Label" AS "Premium Application", dc(vuln_id) AS "Vulnerabilities Count"
| head 20

When column chart populates, it gives me Bars for each application showing Total of vulnerabilities for each application. What I additionally want is that I want to see each application's bar with kind of heatmap showing me breakdown of vulnerabilities count by severity in colors as requested in attached screenshots. I hope I explained it right.

Re: Overlay/Heatmap Bar Chart

niketn — Tue, 29 Sep 2020 20:46:05 GMT

If | stats dc(vulnerability_id) by "Application Type" is working fine
Can you try following chart instead of stats and confirm?

| chart dc(vulnerability_id) by "Application Type" score

Following is a run anywhere search based on Splunk's _internal index which uses date_seconds instead of vulnerability_id, component instead of "Application Type" and log_level instead of score.

index=_internal sourcetype=splunkd component!="Metrics" AND component!="PeriodicHealthReporter" AND component!="ExecProcessor"
| chart dc(date_second) by component log_level

Please try out and confirm!

Re: Overlay/Heatmap Bar Chart

mbasharat — Tue, 29 Sep 2020 20:46:20 GMT

When I do | chart dc(vulnerability_id) by "Application Type" score I am getting error that "error in chart command, the output field "score" cannot have the same name as group by field""

But, when I do by range | chart dc(vulnerability_id) by "Application Type" range, I am getting the column charts for each application with the count for each severity and thats good. And then I have done it with 100% stacked mode and that makes it exactly what I was looking for!!

SO the last piece is left here for top 20 ones. When I do below, I am not getting the top 20 values with the highest count ones first.

| chart dc(vulnerability_id) by "Application Type" range
| sort by dc(vuln_id) Desc
| rename "Business Element Display Label" AS "Premium Application", dc(vuln_id) AS "Vulnerabilities Count"
| head 20