All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replicate dashboards in the Tenable Network Security PVS App for Splunk?

ccsfdave
Builder
‎05-13-2016 09:03 PM

Greetings,

I am trying to replicate the dashboards found in the Tenable PVS environment. First, this is the dashboard I am after:

alt text

Note the IPs are top 10 and the colors are the severity.

From the data, I have this chart which I think gets me close, but for it to work, I would have to sort by Critical, then by High, then Medium, etc and then take the top 10 IP addresses.

index=pvs | chart count(eval(PVS_risk="CRITICAL")) AS CRITICAL , count(eval(PVS_risk="HIGH")) AS HIGH, count(eval(PVS_risk="MEDIUM")) AS MEDIUM, count(eval(PVS_risk="LOW")) AS LOW, count(eval(PVS_risk="INFO")) AS INFO, count(eval(PVS_risk="NONE")) AS NONE  by src

Can anyone offer any pointers or similar dashboards I may be able to leverage?

BTW, I have the PVS app configured and all the dashes displaying, but I wanted to get ALL of the PVS dashboards into Splunk.

Thanks!

Preview file
14 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mokuso
Explorer
‎05-15-2016 06:19 AM

If you want to sort by severity and not total events, try this:

index=pvs | chart count(eval(PVS_risk="CRITICAL")) AS CRITICAL , count(eval(PVS_risk="HIGH")) AS HIGH, count(eval(PVS_risk="MEDIUM")) AS MEDIUM, count(eval(PVS_risk="LOW")) AS LOW, count(eval(PVS_risk="INFO")) AS INFO, count(eval(PVS_risk="NONE")) AS NONE by src | sort 10 - CRITICAL,HIGH,MEDIUM,LOW,INFO

View solution in original post

Reply
Solved! Jump to solution
Solution

mokuso
Explorer
‎05-15-2016 06:19 AM

If you want to sort by severity and not total events, try this:

index=pvs | chart count(eval(PVS_risk="CRITICAL")) AS CRITICAL , count(eval(PVS_risk="HIGH")) AS HIGH, count(eval(PVS_risk="MEDIUM")) AS MEDIUM, count(eval(PVS_risk="LOW")) AS LOW, count(eval(PVS_risk="INFO")) AS INFO, count(eval(PVS_risk="NONE")) AS NONE by src | sort 10 - CRITICAL,HIGH,MEDIUM,LOW,INFO
Reply
Solved! Jump to solution

ccsfdave
Builder
‎05-15-2016 10:24 AM

I think you got it mokuso. I did some testing with removing variables from the sort and am now sure I understand how it is working. Though the Infos and Nones dwarft the rest of my stats, I could choose to remove those from earlier in the search.

Anyway, thanks so much!

Dave

0 Karma
Reply
Solved! Jump to solution

mokuso
Explorer
‎05-18-2016 05:48 AM

Hi Dave,

The pvs app is due for an update. I'm planning to add several new dashboards and a dedicated index by default. Is there anything else you'd like to see for the next release?

0 Karma
Reply
Solved! Jump to solution

ccsfdave
Builder
‎05-18-2016 08:30 AM

Hi @mokuso

I have replicated all the dashboards in splunk except for the ones that extract the OS and Application. I just couldn't get the regex right. But those two are nice to haves. Anyway, I passed on your question for the next release to the lead on PVS over here and he seems happy with what we have but if you would like to have a more open conversation or like us to beta test, drop me a line at david (dot) geller (at) sfgov (dot) org. OH BTW, on the "replicated" dashboards, I added host, sourcetype (internal or external) and a time picker. So those are improvements on the PVS canned dashes as well.
Thanks,

Dave

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎05-14-2016 05:30 AM

Try this

index=pvs | chart count as requests count(eval(PVS_risk="CRITICAL")) AS CRITICAL , count(eval(PVS_risk="HIGH")) AS HIGH, count(eval(PVS_risk="MEDIUM")) AS MEDIUM, count(eval(PVS_risk="LOW")) AS LOW, count(eval(PVS_risk="INFO")) AS INFO, count(eval(PVS_risk="NONE")) AS NONE by src | sort 10 - requests
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Seamless IT/OT Security: A Hands-On Look at the Cisco Cyber Vision Splunk Add-on

With just a few clicks, you can ingest critical OT asset details, vulnerabilities, baseline deviations, ...