Dashboards & Visualizations

Show two timecharts in one dashboard panel?

tfitzgerald15
Explorer

I'm trying to turn Splunk into my own custom IDS based on the data dumping in from Palo Alto. Right now I have a search that throws back a timechart of the top internal IPs...

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f

That works fantastically. Shows me the top 10 IPs throwing high or critical threat traffic. However, I want to correlate a baseline into it using the trendline command. However, I can't figure out how / where to throw the trendline command to get the desired effect of the trendline overlaying the existing chart. I also don't know how to throw the "period" field, as I don't know what the integer represents. (Seconds? Minutes? Something completely different that won't automatically correlate with time? Can I just throw a command in there for it to find the search window and automatically use that?) However, even when using the following code, it doesn't change my chart at all (threw 5 in there for testing purposes).

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | trendline sma5(count)

Anyone familiar with this usage that can give me a little advice? I'm far from a RegEx Guru, but if building this IDS myself without XML Edit access has taught me anything, it's the inner workings of RegEx.

-Travis

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

The problem is that your timechart returns result in a table like :
_time ip1 ip2 ip3
2013-09-26 11:00:00 valueA valueB valueC
2013-09-26 11:10:00 valueA valueB valueC
etc...

and your trendline function is looking for a "count" field that doesn't exits anymore ( it has the name of the frp_ip instead)

You could do a specific trendline for a precise ip only.

Or use a general trendline over the total values

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | addtotals | trendline sma5(Total)

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!