I want to add multiple search queries from different chart panels into one consolidated chart panel

Hi,

I want to add multiple search queries from different chart panels into one consolidated chart panel. I am developing a panel for vulnerabilities that will show "New", "Active", "Re-Opened" and "Fixed" vulnerabilities. I can create and display each search in a separate chart panel but am unable to combine them all in a single consolidated chart panel.

My search queries are:

New

index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_next_scan | dedup 1 vulnerability_name, asset_name | where first_seen=last_seen | top limit=5 linecount

Active

index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_next_scan vulnerability_shielded=false | dedup 1 vulnerability_name, asset_name | top limit=5 linecount

Re-Opened

index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_scan_state=fixed AND vulnerability_scan_state=active | dedup 1 vulnerability_name, asset_name | top limit=5 linecount

Fixed

index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_scan_state=fixed | dedup 1 vulnerability_name, asset_name | top limit=5 linecount

I want to combine all the result data of such search queries into a single chart panel. Can anybody help me out?

1 Solution

SplunkTrust

You could always use a sub-search to accomplish this. It may be slow since it's an expensive search, so you could always put it in a summary index or scale your infrastructure to account for the expensive search. Another option would be to have separate panels, then have your first panel post-process to the other panels downstream.

index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_next_scan | dedup 1 vulnerability_name, asset_name | where first_seen=last_seen | top limit=5 linecount [search index=ABCD client=XXXX asset_name="$asset$" vulnerability_severity=critical OR vulnerability_severity=high vulnerability_condition!=false_positive OR vulnerability_condition!=supressed_forever OR vulnerability_condition!=supressed_until OR vulnerability_condition!=supressed_next_scan vulnerability_shielded=false | dedup 1 vulnerability_name, asset_name | top limit=5 linecount]
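An added example (not from the poster above, and not Splunk's own code) that folds the four panel searches into a single search: it classifies each vulnerability_name/asset_name pair once with `stats`, assigns one status per pair with `eval case(...)`, and counts by status, so one chart panel can show all four categories. It assumes the poster's field names and the `$asset$` dashboard token, assumes the severity and condition filters were meant to be grouped (an unparenthesized mix of OR and AND, and a chain of `!=` joined by OR, match far more events than intended in SPL, so the condition filter is applied after `stats` instead), and defines "Re-Opened" as a pair whose latest scan state is active after a fixed state was seen.

```spl
index=ABCD client=XXXX asset_name="$asset$"
    (vulnerability_severity=critical OR vulnerability_severity=high)
| stats latest(vulnerability_scan_state) AS scan_state
        values(vulnerability_scan_state) AS scan_states
        latest(vulnerability_condition) AS condition
        latest(vulnerability_shielded) AS shielded
        latest(first_seen) AS first_seen
        latest(last_seen) AS last_seen
    BY vulnerability_name asset_name
| eval suppressed=if(in(condition, "false_positive", "supressed_until", "supressed_forever", "supressed_next_scan"), 1, 0)
| eval status=case(
        scan_state=="fixed", "Fixed",
        scan_state=="active" AND isnotnull(mvfind(scan_states, "^fixed$")), "Re-Opened",
        suppressed==0 AND first_seen==last_seen, "New",
        suppressed==0 AND shielded=="false", "Active",
        true(), "Other")
| stats count AS vulnerabilities BY status
```

The first `case()` branch that matches wins, so the order of the branches decides how a pair that satisfies several of the original searches is counted; the final `stats count BY status` output renders directly as a bar or pie chart in the panel.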
