Dashboards & Visualizations

Help with dashboard output

troy44112
Explorer

How would I get from the first output to the final output?

[Images: code.PNG (the search), "First Output" and "Final output" dashboard screenshots]


richgalloway
SplunkTrust
Please explain more about what you want to accomplish. The three events in the example are all at the same time, so the concept of "first" and "last" is a bit ambiguous.
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

I would like to use the data in the first photo (dashboard) to create the second photo (dashboard).


richgalloway
SplunkTrust
That much is plain. What is not clear, however, is the transition from the first photo to the last. How is Splunk to decide which events to display?
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

The code for the transition from the first to the last is what I am trying to accomplish.
Displaying systemName, ID, total of High and Critical by systemName. I attempted to use the eval split function and mvindex but couldn't quite figure it out.


richgalloway
SplunkTrust
I understand you are looking for code, but we can't provide code until we understand the problem. Can you explain in plain English how to transform the first photo into the last?
Can you please put the example query into a code block instead of an image so we can paste it into our own Splunk for testing?
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

I apologize. I don't know how to transform the first photo into the last. I was given the last photo as an example and I am attempting to turn the first photo into the last, that is the reason why I am here. I was hoping that someone would know what it would take to transform the first photo into the last. I do not have the code to do that.

Here is the code for the first solution:

| makeresults
| eval systemName="CE", ID="12345-MA-12345", severity="Critical", vulnCount="10"
| append
    [| makeresults
    | eval systemName="CE", ID="12345-MA-12345", severity="High", vulnCount="5"]
| append
    [| makeresults
    | eval systemName="3E", ID="23456-MA-23456", severity="High", vulnCount="10"]


richgalloway
SplunkTrust

It's not pretty and may not scale far, but this search converts your input into the desired output.

| makeresults
| eval systemName="CE", ID="12345-MA-12345", severity="Critical", vulnCount=10
| append
    [| makeresults
    | eval systemName="CE", ID="12345-MA-12345", severity="High", vulnCount=5]
| append
    [| makeresults
    | eval systemName="3E", ID="23456-MA-23456", severity="High", vulnCount=10]
`comment("Above just creates test data")`
| stats sum(vulnCount) as vulnCount by ID, systemName, severity
`comment("The next two commands reduce the results to 3 fields for xyseries")`
| eval sys=ID."/".systemName
| fields sys, severity, vulnCount
`comment("Re-format the results")`
| xyseries sys severity vulnCount
| fillnull value=0
`comment("The next 2 commands restore the original field names")`
| eval sys=split(sys,"/")
| eval ID=mvindex(sys,0), systemName=mvindex(sys,1)
| table systemName, ID, High, Critical
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

Thank you very much.


richgalloway
SplunkTrust

If your problem is resolved, then please click an "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.