Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How can I describe a splitby/group by component to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snowmizer
Communicator
12-01-2010
08:14 PM
I have a view that is displaying cumulative port information. One of the charts on the view is a pie chart with the port breakdown. I have set up the code to convert the port the user clicks on to an intention to be passed to a second view.
Code snippet from first view:
<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
<param name="default">Last 7 days</param>
<param name="searchWhenChanged">true</param>
<module name="ServerSideInclude" layoutPanel="panel_row2_col1" group="BotNet Port Breakdown">
<param name="src">botnetsummaryports.html</param>
<module name="ConvertToIntention">
<param name="settingToConvert">port_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="group">$target$</param>
</param>
</param>
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1">
<param name="search">eventtype="BotNet_Traffic" | eval proto_port=protocol." ".dest_port | fields dest_port, protocol, proto_port, dest_ip, botnet_list_type | chart count by dest_port </param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="popup">True</param>
<param name="viewTarget">botnet_dashboard_individual_port_breakdown</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
I have the second view set to use a plot intention to create searches that will populate various pie charts and graphs based on the port selected. One graph is a bar graph that will display the destination IPs associated with the port selected on the first view and the count by dest_ip. I have set up the plot intention as followed in the code snippet below. Problem is that I want to do "stats count by dest_ip" not "stats count(dest_ip)".
How can I configure the plot intention so that it does a splitby (or group by)?
<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
<param name="default">Last 7 days</param>
<param name="searchWhenChanged">true</param>
<module name="StaticContentSample" layoutPanel="panel_row1_col1">
<param name="text"><h1>Botnet Traffic Summary</h1>
<p>
You may click on any value to drill down into the detail of the results. If you press Ctrl-Click the detailed search will open in a new window.
</p>
</param>
</module>
<module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="intention">
<param name="name">plot</param>
<param name="arg">
<param name="mode">stats</param>
<param name="fields">
<list>
<list>count</list>
<list>dest_ip</list>
</list>
</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snowmizer
Communicator
12-01-2010
10:30 PM
Figured this out...
Turns out that when you read the comments in the transform.py module for "plot" there's a description on different arguments and parameters. Here's the code from my second view that made this work. Enjoy!!!!!
<module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="intention">
<param name="name">plot</param>
<param name="arg">
<param name="mode">top limit=10 dest_ip showperc=f</param>
<param name="fields">
<list>
<list>count</list>
<list>dest_ip</list>
</list>
</param>
<param name="splitby">dest_ip</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snowmizer
Communicator
12-01-2010
10:30 PM
Figured this out...
Turns out that when you read the comments in the transform.py module for "plot" there's a description on different arguments and parameters. Here's the code from my second view that made this work. Enjoy!!!!!
<module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
<param name="intention">
<param name="name">plot</param>
<param name="arg">
<param name="mode">top limit=10 dest_ip showperc=f</param>
<param name="fields">
<list>
<list>count</list>
<list>dest_ip</list>
</list>
</param>
<param name="splitby">dest_ip</param>
</param>
</param>
<module name="JobProgressIndicator"></module>
<module name="HiddenChartFormatter">
<param name="chart">bar</param>
<param name="legend.placement">none</param>
<param name="primaryAxisTitle.text">Malware Site</param>
<param name="secondaryAxisTitle.text">Number of Connections</param>
<param name="charting.seriesColors">[0xFF6600]</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">300px</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
piebob
Splunk Employee
12-01-2010
11:53 PM
snowmizer is the best!
Get Updates on the Splunk Community!
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...
Splunk Classroom Chronicles: Training Tales and Testimonials
Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...
Access Tokens Page - New & Improved
Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...
