Dashboards & Visualizations

Help with dashboard output

troy44112
Explorer

How would I get from the first output to the final output?

[Attached images: code.PNG; "First Output"; "Final output"]


richgalloway
SplunkTrust
Please explain more about what you want to accomplish. The three events in the example are all at the same time, so the concept of "first" and "last" is a bit ambiguous.
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

I would like to use the data in the first photo (dashboard) to create the second photo (dashboard).


richgalloway
SplunkTrust
That much is plain. What is not clear, however, is the transition from the first photo to the last. How is Splunk to decide which events to display?
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

The code for the transition from the first to the last is what I am trying to accomplish.
Displaying systemName, ID, and the total of High and Critical by systemName. I attempted to use the eval split function and mvindex but couldn't quite figure it out.


richgalloway
SplunkTrust
I understand you are looking for code, but we can't provide code until we understand the problem. Can you explain in plain English how to transform the first photo into the last?
Can you please put the example query into a code block instead of an image so we can paste it into our own Splunk for testing?
---
If this reply helps you, Karma would be appreciated.

troy44112
Explorer

I apologize. I don't know how to transform the first photo into the last. I was given the last photo as an example and I am attempting to turn the first photo into the last, that is the reason why I am here. I was hoping that someone would know what it would take to transform the first photo into the last. I do not have the code to do that.

Here is the code for the first solution:

| makeresults
| eval systemName="CE", ID="12345-MA-12345", severity="Critical", vulnCount="10"
| append
    [| makeresults
    | eval systemName="CE", ID="12345-MA-12345", severity="High", vulnCount="5"]
| append
    [| makeresults
    | eval systemName="3E", ID="23456-MA-23456", severity="High", vulnCount="10"]


richgalloway
SplunkTrust

It's not pretty and may not scale far, but this search converts your input into the desired output.

| makeresults 
| eval systemName="CE", ID="12345-MA-12345", severity="Critical", vulnCount=10 
| append 
    [| makeresults 
    | eval systemName="CE", ID="12345-MA-12345", severity="High", vulnCount=5] 
| append 
    [| makeresults 
    | eval systemName="3E", ID="23456-MA-23456", severity="High", vulnCount=10] 
`comment("Above just creates test data")`
| stats sum(vulnCount) as vulnCount by ID, systemName, severity
`comment("The next two commands reduce the results to 3 fields for xyseries")`
| eval sys=ID."/".systemName
| fields sys, severity, vulnCount
`comment("Re-format the results")`
| xyseries sys severity vulnCount
| fillnull value=0
`comment("The next 2 commands restore the original field names")`
| eval sys=split(sys,"/")
| eval ID=mvindex(sys,0), systemName=mvindex(sys,1)
| table systemName, ID, High, Critical
---
If this reply helps you, Karma would be appreciated.
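A second way to get the same table, added here as an example and not part of the thread or the answer above: rather than gluing ID and systemName into one field so that xyseries has a single row key and then splitting it apart again, compute each severity column directly inside stats with sum(eval(...)). A group with no events of a given severity sums to 0, so fillnull is not needed, and nothing depends on ID or systemName being free of the "/" separator. The test data is the thread's three constructed events; vulnCount is deliberately left as a quoted string, as in the original question's makeresults, and the tonumber() call is there to handle that case.

```spl
| makeresults
| eval systemName="CE", ID="12345-MA-12345", severity="Critical", vulnCount="10"
| append
    [| makeresults
    | eval systemName="CE", ID="12345-MA-12345", severity="High", vulnCount="5"]
| append
    [| makeresults
    | eval systemName="3E", ID="23456-MA-23456", severity="High", vulnCount="10"]
`comment("Above just creates test data: the thread's three constructed events with vulnCount as a string")`
| stats sum(eval(if(severity="Critical", tonumber(vulnCount), 0))) as Critical
        sum(eval(if(severity="High", tonumber(vulnCount), 0))) as High
        by systemName, ID
`comment("One sum(eval()) per severity column. Add Medium or Low the same way. Groups with no matching events sum to 0 so no fillnull is needed")`
| table systemName, ID, High, Critical
```

The result has one row per systemName/ID pair with High and Critical as numeric columns; the 3E row gets Critical=0 from the sum itself. The trade-off against the xyseries version is that every severity you want as a column has to be named explicitly, which is usually fine for a fixed vulnerability severity scale.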

troy44112
Explorer

Thank you very much.


richgalloway
SplunkTrust

If your problem is resolved, then please click an "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.