Dashboards & Visualizations

Can you help me make a pie chart with count of two different fields?

abdullahalhabba
Explorer

Hi Splunker;

I have the following search:

| from datamodel:Authentication.Failed_Authentication
| search action=failure | search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle) | search user!=Rutsadmin OR user!=adaudit OR user!=adminaa OR user!=exchRplus OR user!=slomadmin OR user!=splunk OR user!=zakat OR user!=zulfeqar OR user!=zulfi OR user!=zulfiadmin
| rex field=user "(?<user1>Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi)" | stats count(action) as "count failed normal user" count(user1) as "count failed admin user" | transpose

I need to display count number on pie chart for each "count failed normal user" and "count failed admin user".

I want your support on that.

0 Karma

maciep
Champion

A few things...

First, be sure to put your search in the code blocks here. Otherwise things like the capture group in your regex get stripped out, so we have to guess what was there.

Second, not sure if this search is a work in progress, but the last search command doesn't make a lot of sense from a boolean perspective - combining a bunch of user!=xxx with ORs sort of defeats the purpose of doing anything there. Maybe you meant to AND them together... but then that wouldn't really make sense since you seem to want to include admin users in your results.

Third, when wanting to use a pie chart, it's probably easiest to stuff all of the different values you want into one field and then do a stats count against that field.

Again, kinda hard to determine exactly what you're after just based on your search, but maybe something like this will work or get you closer.

| from datamodel:Authentication.Failed_Authentication 
|search action=failure 
| search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle) 
| eval user_type = if(match(user,"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"),"admin","normal")
| stats count by user_type

0 Karma

abdullahalhabba
Explorer

Thank you for your reply and clarification;

I need to display on a pie chart the count of failed logins for each field; I don't need to display the count of failed logins for each result.

Regards;

0 Karma

maciep
Champion

I don't understand what you're asking for exactly. Can you figure out the search you need based on the example I provided?

I thought you wanted a count based on normal vs admin users. If that's not the case and you need more help, please tell me exactly which fields you need in the pie chart.

0 Karma

abdullahalhabba
Explorer

Thank you;

I have benefited a lot from your search, and after implementing it and adding some commands to your search, it became the following:

| from datamodel:Authentication.Failed_Authentication
|search action=failure
| search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle)
| eval user_type = if(match(user,"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"),"failed admin user","failed normal user")
| stats count by user_type | eval signature_slice = "Count: " + count + ", " + user_type | fields signature_slice count

Now I have another ask: is there a way to control the color for the signature_slice field, which has variable results?

0 Karma

maciep
Champion

If this is in a dashboard you should be able to use the charting.seriesColors option for your chart in the Simple XML.

https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

For example:

<option name="charting.seriesColors">[0x6a5c9e, 0x31a35f]</option>

0 Karma
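To show where that option sits in practice, here is a complete Simple XML panel that wraps the final search from this thread in a pie chart and applies the seriesColors option from the answer above. This is an added example, not code from either poster; the dashboard label, panel title, time range and the two color values are assumptions chosen for illustration.

```xml
<dashboard>
  <label>Failed logins by user type</label>
  <row>
    <panel>
      <title>Failed authentication: admin vs normal users</title>
      <chart>
        <search>
          <!-- The search from the thread; the slice label embeds the count
               so the legend reads "Count: N, failed admin user" etc. -->
          <query>| from datamodel:Authentication.Failed_Authentication
| search action=failure
| search (signature="An account failed to log on" OR signature="Failed Login" OR app=gdm-password OR app=sap:http OR app=sshd OR app=su OR app=su-l OR app=sudo OR app=authmgr OR app=cisco:ios OR app=syslog OR app=oracle)
| eval user_type = if(match(user,"Rutsadmin|adaudit|adminaa|exchRplus|slomadmin|splunk|zakat|zulfeqar|zulfi\w+|zulfi"),"failed admin user","failed normal user")
| stats count by user_type
| eval signature_slice = "Count: " + count + ", " + user_type
| fields signature_slice count</query>
          <!-- Assumed time range; adjust to the dashboard's needs -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- Colors are assigned to slices in the order the rows come out of
             "stats count by user_type", which sorts alphabetically: the first
             color goes to "failed admin user", the second to "failed normal user". -->
        <option name="charting.seriesColors">[0x6a5c9e, 0x31a35f]</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because stats count by user_type always returns the two user types in the same alphabetical order, the positional mapping in charting.seriesColors is stable even though the signature_slice labels themselves change with every count.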