topic Re: Top X chart in Dashboards & Visualizations

Top X chart

DerekKing — Mon, 28 Sep 2020 15:53:18 GMT

Hi,

I'm trying to return my top 3 hosts reporting vulnerabilities, in a bar chart stacked by risk. So this means I want host A B and C, because they report say 100 entries each (as opposed to host D and E only reporting 20 each), and then I want to split each host into the Risk numbers that make up the 100.

So far I have;
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | chart count BY Host,Risk_Factor

This gives me what I want in terms of a stacked chart showing the counts of risk, but I can't seem to return only the top 3.

The search;
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | top limit=3 Host | chart count BY Host,Risk_Factor

seems to break the chart.

Not sure what i'm doing wrong here.

Any help appreciated.

Thanks
Derek.

Re: Top X chart

Moritz — Fri, 14 Feb 2014 13:38:56 GMT

Maybe you try something like
| sort by -Risk_Factor | head 3

Re: Top X chart

DerekKing — Fri, 14 Feb 2014 14:37:06 GMT

Hi,

No, this just gives me the first three entries that appear on the chart.

Somehow I need to count the number of entries by host, then sort on that field, and then I guess chart and head

It's the counting all entries by the host i'm struggling with I think....

Re: Top X chart

wpreston — Fri, 14 Feb 2014 15:11:40 GMT

How about something like this:

index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" 
| top Risk_Factor by Host limit=3 
| fields - percent
| chart values(count) AS count by Host Risk_Factor

Re: Top X chart

wpreston — Fri, 14 Feb 2014 15:25:57 GMT

Sorry, I had it wrong in my earlier answer. There may be a more elegant search to get what you want, but this is what I came up with. Use a subsearch to determine the hosts that you need, then report on the Risk_Factor of those hosts:

search index="XXX" sourcetype="XXX" source=XXXX 
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 host 
    | fields host]
| chart count by Host Risk_Factor

Re: Top X chart

DerekKing — Fri, 14 Feb 2014 15:45:35 GMT

Hi, thanks for the help on this. I can't believe i'm having so much trouble.. Neither are working for me unfortunately.

First example gives me null back, and the second tells me that the "search will not match any events".

Re: Top X chart

wpreston — Fri, 14 Feb 2014 16:10:12 GMT

I think I made a typo in my other answer, and I can't post comments from my workplace for some reason, so here's a new answer. The "host" in the top and fields commands should be capitalized. Also, your Risk_Factor should probably be included in the main search. How about:

search index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 Host 
    | fields Host]
| chart count by Host Risk_Factor

Re: Top X chart

somesoni2 — Fri, 14 Feb 2014 21:12:40 GMT

Try this

index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
| stats count by Host Risk_Factor | sort Risk_Factor,-count | streamstats count as sno by Risk_Factor | where sno < 4 | fields - sno

Re: Top X chart

ThomasControlwa — Tue, 29 Sep 2020 16:01:15 GMT

for me works as folowing.
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
| stats cont by Risk_Factor
| sort by -Risk_Factor
|head 3
"| some statistic"

.. done, so I'm Know that I'm very late, but it works