topic Re: Splunk query suggestion in Dashboards & Visualizations

Splunk query suggestion

Karthikeya — Wed, 29 Jan 2025 08:13:13 GMT

I am pretty new to Splunk. I have requirement to create dashboard panel which relates our JSESSIONIDs and severity like for specific jsessionID how many critical or error logs present.

Tried using stats and chart not getting desired result may be due to less idea in Splunk.

Need to present in pictorial way. Please suggest the Splunk query and what type of visualization will fit for this requirement?

Re: Splunk query suggestion

gcusello — Wed, 29 Jan 2025 08:20:35 GMT

Hi @Karthikeya ,

my hint is to follow the Splunk search tutorial ( https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial ), so you'll be able to create your own searches.

then, if you like classical dashboard interface, you can use the Splunk Dashboard Examples app ( https://splunkbase.splunk.com/app/1603 ) even if it's archived, if instead you like Dashboard Studio interface, there are many examples to use, but anyway, you have to start from the Search!

Ciao.

Giuseppe

Re: Splunk query suggestion

ITWhisperer — Wed, 29 Jan 2025 09:12:46 GMT

This is a very open question with many answers, but without a clearer understanding of what you want to get out of your dashboard, it is not easy to say. You could use any of the visualisations available in the dashboards, some would be more effective than other depending on the information you are trying to convey. Perhaps you should start small with a statistics table and present that to your stakeholders and ask them what else they would like to see?

Re: Splunk query suggestion

Praz_123 — Wed, 29 Jan 2025 09:46:25 GMT

Hi @Karthikeya

Will you describe in more details like what exactly you are looking for .Will you just give sample data so that will help you with the query.

Re: Splunk query suggestion

Karthikeya — Wed, 29 Jan 2025 10:44:18 GMT

JSESSIONID

10002lBNXPR_Jbi4oCjxehcclRZ:1dmii9ro4

100034eQfpxxxHlMxC9DQnU3jJh:1dfvt9oj5

...... 700 count

Severity = Error or Critical

Below is the sample event:

unit_hostname="GBWDC142AD011NHA.systems.uk.fed" support_id="5949818439961942897" vs_name="/f5-tenant-01/DARWIN-GBM-UK-UAT/v-darwin-uat.systems.uk.fed-44" policy_name="/Common/waf-fed-transparent" dest_ip="10.146.97.3" dest_port="443" violations="HTTP protocol compliance failed" sub_violations="HTTP protocol compliance failed:Body in GET or HEAD requests" violation_rating="3" attack_type="HTTP Parser Attack" severity="Error" ####### HTTP REQUEST BEGIN ####### "GET /ICMClient/icm/action/actions.json HTTP/1.1 Host: rwin-uat.systems.uk.fed Connection: keep-alive sec-ch-ua-platform: ""Windows"" X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0 sec-ch-ua: ""Microsoft Edge"";v=""131"", ""Chromium"";v=""131"", ""Not_A Brand"";v=""24"" DNT: 1 Content-Type: application/x-www-form-urlencoded sec-ch-ua-mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://darwin-uat.systems.uk.fed/navigator/?desktop=icmUat&feature=Cases&tos=UKUAT_CMTOS2&solution=DWN Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: adUsername=DNc5oBu9KkG0Z9WbdY0YMA; AMToken=W8s9fXK-BZFJwOfUKvHnc1QOiwE.*AAJTSQACMDIAAlNLABxzTGUweUUvUzRRRjZFdDl3Nk8rTlBxbkM4K2s9AAR0eXBlAANDVFMAAlMxAAIwMQ..*; amlbcookie=01; LtpaToken2=tv+zAqV7lpFPFUr8gCWRTnBa+2n6YAaVE4EmZFMyoUQ3KRFFXKYEweRr0q4QwD5aZEb/x9SlmFrQghiQ7ouuQbCJ3wUJ7MTBQvc8O85Q9NQ5IzaJdXNfbSiVsTTJqsww0qprVDSERq+mlE28ZRDuxECH7oD/QpIZoAH5Blk0gNRIfPFOa0e11Ld9CHxwJDtNt3OyqcH0qrKW3b+ieB4mWh+u65GCOyy7EdWhRW6Cryybq/8R7Z6axHE5Gk/8q3PDBxrw/iTvZdB5UXY32wGB8DfYGR4/wc2MsbW5J4MGK8MnYJya/cLzvUJE5clEEmf3P2ef3n0m1lPXC4HartFMo7f/HA2fN0YM78kNLHx78z6EkBnOWI6kUq+EeC+Uz0RsfwoCipLRqdCrhgEofL1wQve9tIHuOrF9sRG62lfmLl67vrYBJDAaDvRE1yC+xLUQfcTfc0bHDxYE2Q9op/DWY6IBOpeZRi4Hmw2nd9R7HzpDB1Jy3HAJPdhEp2bATfPsD2lKYTOCpCcJKGZ3/XEMreEwm970Tz04UZSZ/8MQ86Au+7yVB0WXF+ypFYhXWCWznQfjbdWfKL5u1gxake41N0GdM95XLqydb2JxGQr/V00yqAgu6yh5BNMhhf33rx/I9RxO4jwj/2M3tGjrD0+v5tgVkHVhBA3w7grur118FnAJ7s57A3lDtPjLFjs2w4gZ; JSESSIONID=0000k4OMOHFe-x8tp-F0TmQxoBN:1dmii9ro4; TS01492bb9=0111266d7745aebde115d8e1c57860aa8fb4d2d0645896fc5a6ed9865e53e7eed30bd3d6f3092e028ebe7f89753f63d3e54b8d8646 " ####### HTTP REQUEST END ####### ####### HTTP RESPONSE BEGIN ####### "Response logging disabled" ####### HTTP RESPONSE END ####### response_is_truncated="" ip_client="10.227.31.83" x_forwarded_for_header_value="N/A" method="GET" uri="/ICMClient/icm/action/actions.json" microservice="N/A" query_string="N/A" response_code="200" sig_cves="N/A" sig_ids="N/A" sig_names={N/A} sig_set_names="N/A" staged_sig_cves="N/A" staged_sig_ids="N/A" staged_sig_names="N/A" staged_sig_set_names="N/A" violation_details="<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <violation_masks> <block>0-0-0-0</block> <alarm>2400500004500-106200000003e-0-0</alarm> <learn>0-0-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>14</viol_index> <viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>64</http_sanity_checks_status> <http_sub_violation_status>64</http_sub_violation_status> <http_sub_violation>Q29udGVudC1UeXBlIGhlYWRlciBpbiBHRVQgcmVxdWVzdA==</http_sub_violation> </violation> </request-violations> </BAD_MSG>"

Re: Splunk query suggestion

ITWhisperer — Wed, 29 Jan 2025 11:13:00 GMT

Try something like this (assuming JSESSIONID and severity are already extracted)

| timechart dc(JSESSIONID) by severity

Re: Splunk query suggestion

Karthikeya — Wed, 29 Jan 2025 11:17:41 GMT

I am expecting for a JSESSIONID(s) how many critical and error logs are there and to represent them in visualized manner..

Not in this way. I ran the query you given.

_time Critical Error

2024-12-30	0	0
2024-12-31	0	0
2025-01-01	0	0

Re: Splunk query suggestion

ITWhisperer — Wed, 29 Jan 2025 12:37:17 GMT

| chart count by JSESSIONID severity

Re: Splunk query suggestion

Karthikeya — Wed, 29 Jan 2025 12:42:50 GMT

ok what else fields I can visualize can you please let me know based on the event I have given.

Re: Splunk query suggestion

ITWhisperer — Wed, 29 Jan 2025 12:49:41 GMT

This is your data - you should understand what you are working with or find someone in your organisation who does!

Re: Splunk query suggestion

Praz_123 — Wed, 29 Jan 2025 13:52:58 GMT

@Karthikeya

Based on your logs you can fetch data like
1. For time chart - This shows how violations are trending over time, with separate lines for successes and failures.
| eval violation_type=if(like(violations, "%failed%"), "Failure", "Success")
| timechart span=1h count by violation_type

2. Bar chart - This shows the top 10 attack types by frequency.
| stats count by attack_type
| sort - count
| head 10

3. Pie or bar chart -
This helps you visualize how often each HTTP response code (e.g., 200, 404, 500) is returned.
| stats count by response_code

4. Bar chart - This shows the most frequently accessed URIs, which could help you understand which endpoints are under attack.
| stats count by uri
| sort - count
| head 10

Hope this works 🙂