Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

A chart (of tstat/ counts) of the content that was bookmarked. for the past 7 days

Amadou
Loves-to-Learn
‎07-04-2024 12:44 PM

Hello Can you help me Creating a dashboard that contains the following charts/data:

                     Bookmarked content

    1. A chart (of tstat/ counts) of the content that was bookmarked. for the past 7 days
    2. A chart with the names of the alerts/detections that were bookmarked for the past 30 days  Analso in this situation how to find your filed name in your splunk: bookmarked, bookmark I use both of them in my query but it still not working or we should use ''active'' please propose me a query.                  help me find the exact field name in order to create the exact query. Thank you. 
Labels (1)
Labels
0 Karma
Reply

Amadou
Loves-to-Learn
‎07-04-2024 12:59 PM

I mean the content i have mapped in my mitre attack in the last 7 days.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2024 12:49 PM

What is bookmarked data? Please share some anonymised, representative sample events showing the event data you are working with, and a representation of your expected results.

Tags (1)
0 Karma
Reply

Amadou
Loves-to-Learn
‎07-04-2024 01:20 PM

@ITWhisperer

can i created a meeting with you tomorrow?

THANKS

 

0 Karma
Reply

Amadou
Loves-to-Learn
‎07-04-2024 01:17 PM

build a search query that captures the desired data. Assuming that the bookmarked content is logged with an event type or field that specifies when content is bookmarked (e.g., action = "bookmark"),

 

here's a query you could use:

 

| tstats count where index="your_index" sourcetype="your_sourcetype" action="bookmark" earliest=-7d@d latest=now by content
| rename content as "Content", count as "Bookmark Count"

but having problem to find the exact field name.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...