https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69623#M44012 <P>Hi, I just untarred 1.1.84 directly on top of my /opt/splunk/etc/apps/ossec directory (which was 1.1.82) and indeed my dashboard counts look reasonable now. Thanks!</P> Fri, 08 Apr 2011 02:23:43 GMT branchbunch 2011-04-08T02:23:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69618#M44007 <P>In the OSSEC dashboard, what do the count values mean for the elements of the various "Top N" pie graphs? For example, at the moment in my "Top Signatures" pie graph, the count value for "Windows Error Event" is 42 but if I click on that element, the search results that come up exceed 250 records. I'm running version 1.1.81 of OSSEC for Splunk 4, on Splunk 4.2.</P> Tue, 29 Mar 2011 09:34:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69618#M44007 branchbunch 2011-03-29T09:34:41Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69619#M44008 <P>This is a known bug in builds prior to <B>1.1.83</B>.</P> <P>It's showing the top 10 but the results are being clustered/grouped -- e.g., you get the top 10 users, but counting the user only once for a given reporting_host/severity/user. When you drill down, it swaps out the search and you see the full result set.</P> Tue, 29 Mar 2011 21:15:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69619#M44008 southeringtonp 2011-03-29T21:15:29Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69620#M44009 <P>Thanks for the clarification. So if it was a known bug previous to 1.1.82 then should I expect to see total (no clustered/grouped) alert counts in the "Top N" pie graphs and their respective tables? I'm asking because I just upgraded to 1.1.82 and it seems to look the same as before.</P> Thu, 31 Mar 2011 02:08:22 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69620#M44009 branchbunch 2011-03-31T02:08:22Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69621#M44010 <P>Looks like the fix didn't make into the SplunkBase upload. The fix is probably sitting in local -- once I get back to my dev box I'll re-upload and bump the version number.</P> Thu, 31 Mar 2011 07:32:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69621#M44010 southeringtonp 2011-03-31T07:32:29Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69622#M44011 <P>If you haven't already, can you give the latest build on SplunkBase a try and see if it's still an issue for you?</P> Tue, 05 Apr 2011 20:57:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69622#M44011 southeringtonp 2011-04-05T20:57:02Z https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69623#M44012 <P>Hi, I just untarred 1.1.84 directly on top of my /opt/splunk/etc/apps/ossec directory (which was 1.1.82) and indeed my dashboard counts look reasonable now. Thanks!</P> Fri, 08 Apr 2011 02:23:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Meaning-of-OSSEC-dashboard-pie-graph-count-values/m-p/69623#M44012 branchbunch 2011-04-08T02:23:43Z