topic Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization in Splunk Search

Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg — Fri, 24 Jan 2020 16:11:29 GMT

Basically, I am trying to visualize all events which match up to the initial query, and provide a bar graph output. Then, I want to perform another query which overlays events that are also "pan_wildfire" events. Here's the query I currently have. It works, but doesn't provide anything meaningful.

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked | timechart count(action) by date | appendcols [search index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype = pan_wildfire] | timechart count(action) by date

If I remove everything after the first "timechart", I get the timechart I expect. What I am hoping to accomplish is to show that data, then overlay in a different color the second timechart visualization. I expect this to be a much smaller piece of data, but it's important I show those as well.

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

niketn — Fri, 24 Jan 2020 17:43:40 GMT

@z432u4kvfkcg when your intent is to plot a timechart, the reason to split by date field is not so clear. Also, based on the search you have provided seems like you dont need subsearch appendcols at all. Please try the following:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked
| timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg — Wed, 30 Sep 2020 03:54:53 GMT

So that worked a lot better, but the Pan_wildfire_blocked isn't showing any events, when I know for a fact I have them. I had one today, but it's not showing up anywhere.

I want to show this by date because I want to understand a day-by-day trend for decrypted threat events vs. decrypted threat events which also have the pan_wildfire event type.

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

niketn — Fri, 24 Jan 2020 18:45:28 GMT

Hi @z432u4kvfkcg eventtype=pan_wildfire exists then the query should work.

Do you get results when you perform the following command:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype=Pan_wildfire

Or what do you see when you run the following:

index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked 
| stats count by eventtype

Also adding span=1d should bucket daily stats for you. For example: | timechart span=1d ............

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg — Wed, 30 Sep 2020 03:54:56 GMT

Yes, I get results for both. I found out I needed to enclose pan_wildfire in quotes, so it actually needed to be something like threat_category="wildfire" or it never found the events.

Thanks for the help!

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg — Wed, 30 Sep 2020 03:54:58 GMT

Ok, one last snag. Now I'm trying to compare both of these to overall SSL traffic in a specific zone. Here's the query, but I'm obviously doing something wrong with how I am nesting the previous two pieces into the new part (which is index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl ) because I get this error:
Error in 'timechart' command: The eval expression for dynamic field 'flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid. Error='The operator at 'type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid.'.

New query:

index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl | timechart count as All_Decrypted_Traffic count(eval(flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked)) as Decrypted_Threat | timechart count as All_Blocked_count count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

to4kawa — Fri, 24 Jan 2020 20:51:50 GMT

UPDATE

index="paloalto" (src_zone=zoneA OR src_zone=zoneB) app=ssl 
| timechart span=1d count as All_Decrypted_Traffic
,count(eval(flags=decrypted
AND type=THREAT 
AND threat!="MP4 Detected(52104)"
AND action=blocked)) as All_Blocked_count
,count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count

I think you create 4 counts.

Re: Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

z432u4kvfkcg — Wed, 30 Sep 2020 03:55:01 GMT

Well, I'm trying to show a graph of overall SSL traffic (which is the first part), then a graph showing the decrypted traffic (index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)"), then a final part showing the wildfire events (which is a very small number of things, and this is currently searching via timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count )

I would like this all as three separate bar charts or line charts- basically, to show the difference between each type of traffic flow. We start with SSL traffic, decrypt a small part of that (and I want to show the threat events found in decrypted traffic), then I finally want to show the wildfire findings in that decrypt traffic.