Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard to show top non-compliance controls

nehashanker
Explorer
‎10-06-2021 03:19 PM

Greetings All,

I am very new to splunk and am creating a dashboard to show top non-compliances. For the below data, I want to display top non-compliant controls (example output also mentioned below)

Could anyone please let me know how can I write a search query for the same?

Thanks in advance.

 

Event_ID: abc1

Compliance_result: Non-Compliant

Eval_results: {

required_tags: {

compliance: Compliant

}

encryption_enabled:{

compliance: Non-Compliant

}

public_access:{

compliance: Compliant

}

policy_enabled:{

compliance: Compliant

}

}

 

Event_ID: abc2

Compliance_result: Non-Compliant

Eval_results: {

required_tags: {

compliance: Compliant

}

encryption_enabled:{

compliance: Non-Compliant

}

public_access:{

compliance: Non-Compliant

}

policy_enabled:{

compliance: Compliant

}

}

 

Generate Table in the below format -

 

Top Non Compliance controls:

public_access - 2

encryption_enabled -1

 

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 12:24 AM

Please share the raw events (anonymised of course), not a formatted version, e.g. are your actual event JSON format, or partially, and, if so, is the JSON already extracted into a field? Please use a code block </> to share the raw events so it is more accurate and easier to use

0 Karma
Reply

nehashanker
Explorer
‎10-07-2021 03:29 AM 
additional_metrics: { [+]
   }
   event_id: abc123
   eval_results: { [+]
   }
   compliance_result: Non-Compliant
   timestamp: 2021-10-07 16:27:48.523
   version: jpltest

Upon expanding eval_results - 

eval_results: { [-]
     Required_Tags: { [+]
     }
     Valid_ASV_BA_Tags: { [+]
     }
     check_in_transit_encryption: { [+]
     }
   }

Upon expanding each of the following sections - 

Required_Tags: { [-]
       compliant: Compliant
       controlVersion: 1.0
       evaluationDetails:
       riskRating: Low
     }

Valid_ASV_BA_Tags: { [-]
       compliant: Non-Compliant
       controlVersion: 1.0
       evaluationDetails: Neither the ASV nor BA tag values(case sensitive) were found on the approved list.
       riskRating: Low
     }


check_in_transit_encryption: { [-]
       compliant: Compliant
       controlVersion: 1.0
       evaluationDetails:
       riskRating: Medium
     }

@ITWhisperer Thanks for looking into the issue. Pasted above is the raw event. The event is in json format, which I have got by searching on index name.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 03:38 AM

This isn't JSON - the names and values should have double quotes around them (as appropriate) and the [-]/[+] are format shortcuts to show expanded/collapsed collections.

0 Karma
Reply

nehashanker
Explorer
‎10-07-2021 03:41 AM

@ITWhisperer Sorry for incorrectly mentioning it as json. But the above format is exactly how I get the data.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 03:46 AM

It could still be JSON - what you have shown looks very much like formatted JSON. Try this and see what you get in the _raw field (which is the raw event data)

| table _raw

 

0 Karma
Reply

nehashanker
Explorer
‎10-07-2021 04:03 AM

Here is the response by using | table_raw

 

{“job_id": “abc123”, "gear_event_id": “aaaa”, "event_id": "7cf6-4ff0", "execution_start": "2021-10-06 13:29:31.143", "execution_end": "2021-10-06 13:29:50.104", "gear_version": "3.0.16", "resource_type": ["sns_topic"], "event_status": "SUCCESS", "compliance_result": "Compliant", “evaluation_results": {"Required_Tags": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "", "riskRating": "Low",}, "Valid_ASV_BA_Tags": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "Neither the ASV nor BA tag values(case sensitive) were found on the approved list.", "riskRating": "Low","}, "check_in_transit_encryption": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "", "riskRating": "Medium", }, "correlation_id": "4362-47fb", "service": “biosevent", "timestamp": "2021-10-06 13:29:31.143", "version": "3.0.16", "duration": 18.961}
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 04:20 AM

Some of your double quotes aren't standard double quotes - is this an artefact of your copy/paste or are they really present in the data?

0 Karma
Reply

nehashanker
Explorer
‎10-07-2021 04:22 AM

That is definitely a copy/paste error of using notes.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 05:12 AM

I fixed a few other copy/paste issues and changed one of the compliants to noncompliant

| makeresults 
| eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Required_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Valid_ASV_BA_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"Neither the ASV nor BA tag values(case sensitive) were found on the approved list.\", \"riskRating\": \"Low\"}, \"check_in_transit_encryption\": {\"compliant\": \"Non-Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Medium\" }, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}" 
| spath evaluation_results 
| spath input=evaluation_results 
| foreach *.compliant 
    [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>",mvappend(Compliance,"<<MATCHSEG1>>")),Compliance)
    | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>",mvappend(NonCompliance,"<<MATCHSEG1>>")))]
| top NonCompliance
0 Karma
Reply

nehashanker
Explorer
‎10-08-2021 05:16 AM

Thank you so so much. I just tried it out and gave the exact visualization I was looking for!

Reply

nehashanker
Explorer
‎01-12-2022 02:20 PM

@ITWhisperer  Sorry for opening the old thread again. 

how can I add a new column - gear_name for the below input:
I tried tweaking your query to add a new column but no success. So thought I will ask on this thread again. 

| makeresults 
| eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\",\"gear_name\": \"sns\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Required_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Valid_ASV_BA_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"Neither the ASV nor BA tag values(case sensitive) were found on the approved list.\", \"riskRating\": \"Low\"}, \"check_in_transit_encryption\": {\"compliant\": \"Non-Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Medium\" }, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}"

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-12-2022 02:39 PM

I am not sure what you are asking for - the gear_name field doesn't appear affect the previous search

0 Karma
Reply

nehashanker
Explorer
‎01-12-2022 08:33 PM

Sorry for the confusion. I want to display the controlVersion along with the name of the control. 

current output:

NonCompliance(Name)          Count         percentage

 

Expected output:

NonCompliance(Name)          Count         percentage          controlVersion

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-12-2022 11:48 PM

You are going to need to concatenate the control version to the tag name, then split it off afterwards

| makeresults 
| eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\",\"gear_name\": \"sns\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Required_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Valid_ASV_BA_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"Neither the ASV nor BA tag values(case sensitive) were found on the approved list.\", \"riskRating\": \"Low\"}, \"check_in_transit_encryption\": {\"compliant\": \"Non-Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Medium\" }, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}"
| spath evaluation_results 
| spath gear_name
| spath input=evaluation_results 
| foreach *.compliant 
    [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')),Compliance)
    | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')))]
| top NonCompliance
| eval controlVersion=mvindex(split(NonCompliance,":"),1)
| eval NonCompliance=mvindex(split(NonCompliance,":"),0)
0 Karma
Reply

nehashanker
Explorer
‎01-13-2022 07:40 AM

Thank you so much for your response. I didn't know that we should concatenate first and then split. This worked, but I am seeing duplicate values (only count and percentages). 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2022 08:23 AM

Is it possible that controlVersion does not exist for all results?

0 Karma
Reply

nehashanker
Explorer
‎01-13-2022 09:31 AM

That may not be the case. All the run's have controlVersion. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2022 10:34 AM

What results are you getting (I don't understand what you mean by duplicates)?

0 Karma
Reply

nehashanker
Explorer
‎02-17-2022 03:17 AM

@ITWhisperer Just checking to see if you had a chance to see the query on why the query to add another column to show RiskRating is not working.

| spath evaluation_results

| spath gear_name

| spath input=evaluation_results
| foreach *.compliant
[| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance)
| eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))]
| top NonCompliance
| eval controlVersion=mvindex(split(NonCompliance,":"),1)
| eval riskRating=mvindex(split(NonCompliance,":"),2)
| eval NonCompliance=mvindex(split(NonCompliance,":"),0)
0 Karma
Reply

nehashanker
Explorer
‎02-08-2022 03:42 AM

Sorry, I was getting repetitive count of some of the values. That seems to be an error in the data.
However, I tried adding a new column and modified the query which you had sent, but seems to be throwing an error. The intention is to show 'Risk Rating'.

| spath evaluation_results
| spath gear_name
| spath input=evaluation_results
| foreach *.compliant
[| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance)
| eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))]
| top NonCompliance
| eval controlVersion=mvindex(split(NonCompliance,":"),1)
| eval riskRating=mvindex(split(NonCompliance,":"),2)
| eval NonCompliance=mvindex(split(NonCompliance,":"),0)

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...