Dashboards & Visualizations

How can I describe a splitby/group by component to a plot intention in the XML

snowmizer
Communicator

I have a view that is displaying cumulative port information. One of the charts on the view is a pie chart with the port breakdown. I have set up the code to convert the port the user clicks on to an intention to be passed to a second view.

Code snippet from first view:

<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
    <param name="default">Last 7 days</param>
    <param name="searchWhenChanged">true</param>
    <module name="ServerSideInclude" layoutPanel="panel_row2_col1" group="BotNet Port Breakdown">
        <param name="src">botnetsummaryports.html</param>
        <module name="ConvertToIntention">
            <param name="settingToConvert">port_setting</param>
            <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                    <param name="group">$target$</param>
                </param>
            </param>
            <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1">
                <param name="search">eventtype="BotNet_Traffic" | eval proto_port=protocol." ".dest_port | fields dest_port, protocol, proto_port, dest_ip, botnet_list_type | chart count by dest_port </param>
                <module name="HiddenChartFormatter">
                    <param name="chart">pie</param>
                    <module name="FlashChart">
                        <param name="width">100%</param>
                        <param name="height">200px</param>
                        <module name="ConvertToDrilldownSearch">
                            <module name="ViewRedirector">
                                <param name="popup">True</param>
                                <param name="viewTarget">botnet_dashboard_individual_port_breakdown</param>
                            </module>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

I have the second view set to use a plot intention to create searches that will populate various pie charts and graphs based on the port selected. One graph is a bar graph that will display the destination IPs associated with the port selected on the first view and the count by dest_ip. I have set up the plot intention as followed in the code snippet below. Problem is that I want to do "stats count by dest_ip" not "stats count(dest_ip)".

How can I configure the plot intention so that it does a splitby (or group by)?

<module name="TimeRangePicker" layoutPanel="splSearchControls-inline">
    <param name="default">Last 7 days</param>
    <param name="searchWhenChanged">true</param>
    <module name="StaticContentSample" layoutPanel="panel_row1_col1">
        <param name="text">&lt;h1&gt;Botnet Traffic Summary&lt;/h1&gt;
          &lt;p&gt;  
            You may click on any value to drill down into the detail of the results. If you press Ctrl-Click the detailed search will open in a new window.
          &lt;/p&gt;
        </param>
    </module>
    <module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
        <param name="intention">
            <param name="name">plot</param>
            <param name="arg">
                <param name="mode">stats</param>
                <param name="fields">
                    <list>
                        <list>count</list>
                        <list>dest_ip</list>
                    </list>
                </param>
            </param>
        </param>
        <module name="JobProgressIndicator"></module>
        <module name="HiddenChartFormatter">
            <param name="chart">bar</param>
            <param name="legend.placement">none</param>
            <param name="primaryAxisTitle.text">Malware Site</param>
            <param name="secondaryAxisTitle.text">Number of Connections</param>
            <param name="charting.seriesColors">[0xFF6600]</param>
            <module name="FlashChart">
                <param name="width">100%</param>
                <param name="height">300px</param>
                <module name="ConvertToDrilldownSearch">
                    <module name="ViewRedirector">
                        <param name="viewTarget">flashtimeline</param>
                    </module> 
                </module>
            </module>
        </module>
    </module>
1 Solution

snowmizer
Communicator

Figured this out...

Turns out that when you read the comments in the transform.py module for "plot" there's a description on different arguments and parameters. Here's the code from my second view that made this work. Enjoy!!!!!

   <module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
        <param name="intention">
            <param name="name">plot</param>
            <param name="arg">
                <param name="mode">top limit=10 dest_ip showperc=f</param>
                <param name="fields">
                    <list>
                        <list>count</list>
                        <list>dest_ip</list>
                    </list>
                </param>
                <param name="splitby">dest_ip</param>   
            </param>
        </param>
        <module name="JobProgressIndicator"></module>
        <module name="HiddenChartFormatter">
            <param name="chart">bar</param>
            <param name="legend.placement">none</param>
            <param name="primaryAxisTitle.text">Malware Site</param>
            <param name="secondaryAxisTitle.text">Number of Connections</param>
            <param name="charting.seriesColors">[0xFF6600]</param>
            <module name="FlashChart">
                <param name="width">100%</param>
                <param name="height">300px</param>
                <module name="ConvertToDrilldownSearch">
                    <module name="ViewRedirector">
                        <param name="viewTarget">flashtimeline</param>
                    </module> 
                </module>
            </module>
        </module>
    </module>

View solution in original post

snowmizer
Communicator

Figured this out...

Turns out that when you read the comments in the transform.py module for "plot" there's a description on different arguments and parameters. Here's the code from my second view that made this work. Enjoy!!!!!

   <module name="HiddenIntention" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
        <param name="intention">
            <param name="name">plot</param>
            <param name="arg">
                <param name="mode">top limit=10 dest_ip showperc=f</param>
                <param name="fields">
                    <list>
                        <list>count</list>
                        <list>dest_ip</list>
                    </list>
                </param>
                <param name="splitby">dest_ip</param>   
            </param>
        </param>
        <module name="JobProgressIndicator"></module>
        <module name="HiddenChartFormatter">
            <param name="chart">bar</param>
            <param name="legend.placement">none</param>
            <param name="primaryAxisTitle.text">Malware Site</param>
            <param name="secondaryAxisTitle.text">Number of Connections</param>
            <param name="charting.seriesColors">[0xFF6600]</param>
            <module name="FlashChart">
                <param name="width">100%</param>
                <param name="height">300px</param>
                <module name="ConvertToDrilldownSearch">
                    <module name="ViewRedirector">
                        <param name="viewTarget">flashtimeline</param>
                    </module> 
                </module>
            </module>
        </module>
    </module>

piebob
Splunk Employee
Splunk Employee

snowmizer is the best!

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...