topic How can I do a graph with multiple data? in Splunk Enterprise Security

How can I do a graph with multiple data?

christianubeda — Thu, 09 Aug 2018 11:26:36 GMT

Hi team!

It's my very first time here and I need a bit of help!

I want to make a graph with multiple lanes.

I have this right now. 1 graph per data. I want to fusion them but I don't know how.

Graph 1.

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: TCP Port Scan(8001)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Graph 2

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: Host Sweep(8002)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Thanks!

Re: How can I do a graph with multiple data?

kmorris_splunk — Tue, 29 Sep 2020 20:50:16 GMT

Give this a try. I am assuming you want a line for each combination of src_ip, dest_ip, and threat_name based on your search above. By the way, you are missing a function in your stats command. Something like count, avg, min, max, etc... Either way, I created a field that concatenates the src_ip, dest_ip, and threat_name so you can get a line for each in a line graph for example. I hope this helps.

index=xxx_paloalto sourcetype="pan:threat" type=threat (threat_name="SCAN: TCP Port Scan(8001)” OR threat_name=“SCAN: Host Sweep(8002)”)
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
src_ip != xxx
| eval byfield=src_ip . "," . dest_ip . "," . threat_name
| bin _time span=1d
| chart count over _time by byfield