Trouble creating a Pie Chart with URL filtering

DeanDeleon0
Path Finder

Hello all!

I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to get this to work "visually".

Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc...

I am able to get correct numbers (by adding them up manually to verify) with this following search:

| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area"

Any suggestions on how I can resolve this or am I looking at this completely wrong? Any help will be very much appreciated.

Thanks,

Dean

0 Karma
1 Solution

btorresgil
Builder

Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict

For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:

<rest of search> | lookup your-lookup-table http_category

That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.

Hope that helps!

0 Karma
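As an added example, not part of btorresgil's answer or the Palo Alto Networks App: the first search writes a lookup file from the poster's own category groupings, and the second pipes the URL-filtering results through that lookup and counts per verdict. The lookup file name http_category_verdict.csv, building it with makeresults/outputlookup instead of uploading a CSV, and the nine-category mapping are assumptions for illustration.

```spl
| makeresults count=9
| streamstats count AS n
| eval http_category=case(n=1,"sports", n=2,"shopping", n=3,"games", n=4,"government", n=5,"legal", n=6,"news", n=7,"music", n=8,"religion", n=9,"media")
| eval http_category_verdict=case(n<=3,"bad", n<=6,"good", true(),"grey area")
| table http_category http_category_verdict
| outputlookup http_category_verdict.csv

| tstats count FROM datamodel=pan_firewall WHERE nodename="log.url" log.action="*" GROUPBY log.http_category
| rename log.* AS *
| lookup http_category_verdict.csv http_category OUTPUT http_category_verdict
| fillnull value="unclassified" http_category_verdict
| stats sum(count) AS count BY http_category_verdict
| sort - count
```

The pie chart visualization expects one row per slice (a label column and a numeric column), which is why the last stats groups by verdict rather than producing a single row with bad/good/grey area columns. The fillnull step keeps categories missing from the lookup visible as an "unclassified" slice instead of silently dropping them.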

DeanDeleon0
Path Finder

Thanks! This simplified things.

0 Karma