topic Re: How do I create multiple Null values for an existing field? in Splunk Search

How do I create multiple null values for an existing field?

capilarity — Mon, 01 Aug 2022 16:28:51 GMT

I have a search that counts the vulnerabilities for a given team and places them on a Bar chart on a dashboard based on the "Risk" field to display how many Critical, High, medium or low events.

Problem I have is that not all teams have all 4 levels of vulnerabilities so the graphs look a bit rubbish. Some only have one level, others have 3 or 4 and the graphs only show the vulnerabilities that have a value

I would like to always have Critical, High, Medium AND Low on the x-axis for every team even though the value for these may be Zero.

For example, if a team has 5 Mediums, the graph only shows one bar.

How to I create a Bar chart that shows:

Critical =0
High=0
Medium =5
Low=0

Thanks

Re: How do I create multiple Null values for an existing field?

richgalloway — Mon, 01 Aug 2022 15:51:09 GMT

You may be able to use the fillnull command. However, the way that works best for you depends on how the fields are generated so please share the SPL.

Re: How do I create multiple Null values for an existing field?

ITWhisperer — Mon, 01 Aug 2022 16:21:57 GMT

Does this work for you?

| chart count by team vulnerability

Re: How do I create multiple Null values for an existing field?

capilarity — Tue, 02 Aug 2022 08:04:21 GMT

Thanks for the suggestion.

Each dashboard reports on only one team via a dropdown option on a form, and we are counting the number of Risks per risk level so I've used:

| chart count by Risk

From the example data I posted, this command produces the same result. I need some way of defining all 4 risk levels even though there count is zero

Re: How do I create multiple Null values for an existing field?

capilarity — Tue, 02 Aug 2022 08:29:25 GMT

I have tried to use the fillnull command, but with no success.

Each vulnerability record contains an identifier (ID) and a risk level (Risk)

The graph needs to show the number of each risk level where the vulnerability identifier (ID) has been reported for more than 4 weeks so the spl is:

team=teamname | stats count AS weeks by ID, Risk | where weeks>4 | chart count by Risk

Thanks

Re: How do I create multiple Null values for an existing field?

ITWhisperer — Tue, 02 Aug 2022 08:56:36 GMT

Re: How do I create multiple Null values for an existing field?

capilarity — Tue, 02 Aug 2022 08:59:40 GMT

PERFECT!!!

Thanks for your help

Re: How do I create multiple Null values for an existing field?

yuanliu — Tue, 02 Aug 2022 09:09:11 GMT

I am curious: If you are displaying bar charts for all these teams, why the chart command only groups by Risk?

| chart over team by Risk

should populate 0 into teams where that particular Risk level is missing. If you want teams to chart separately, you can use trellis in visualization, and split by team.