Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How do I visualize changes to data from a sour...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I visualize changes to data from a sourcetype over time?
I'm trying to make a dashboard to visualize nessus vulnerability data over time. For example, let's assume I run a vulnerability scan and get the following results (each line is a separate event):
results|192.168.1|192.168.1.100|epmap (135/tcp) results|192.168.1|192.168.1.100|netbios-ssn (139/tcp) results|192.168.1|192.168.1.100|rtsp (554/tcp) results|192.168.1|192.168.1.100|nessus (1241/tcp) results|192.168.1|192.168.1.100|http (8834/tcp)
Let's assume I disable nessus and the web server and the next time I scan I get the following results:
results|192.168.1|192.168.1.100|epmap (135/tcp) results|192.168.1|192.168.1.100|netbios-ssn (139/tcp) results|192.168.1|192.168.1.100|rtsp (554/tcp
If I want to create a chart that shows the number of results over time, how do I do that? How do I make the chart dynamically account for the fact that I may run the scan at variable time intervals (daily, weekly, monthly)?
Thanks.
Craig
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you are producing nessus report files that are small enough that it takes Splunk less than a minute to index, and you're generating nessus reports less frequently than that interval, you should be able to use timechart for this purpose.
yoursearch | timechart span=1m count
You can feed this data into something like a line chart and configure it to connect non-null values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's a bit trickier but can be done. Assuming you want to check the timestamp of the last event and then see all the other events in the preceding minute this search would work:
- [yoursearch | head 1 | eval searchinterval=_time-60 | eval search="_time>" . searchinterval | fields search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
What search do I need to use if I want to show all of the events with the most recent timestamp?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
