Dashboards & Visualizations

Splunk query suggestion

Karthikeya
Path Finder

I am pretty new to Splunk. I have a requirement to create a dashboard panel which relates our JSESSIONIDs and severity, e.g. for a specific JSESSIONID, how many critical or error logs are present.

I tried using stats and chart but am not getting the desired result, maybe due to my limited knowledge of Splunk.

I need to present it in a pictorial way. Please suggest the Splunk query and what type of visualization will fit this requirement?

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| chart count by JSESSIONID severity


Praz_123
Path Finder

Hi @Karthikeya 

Will you describe in more detail what exactly you are looking for? Will you give some sample data, so that I can help you with the query?

0 Karma

Karthikeya
Path Finder
JSESSIONID 
10002lBNXPR_Jbi4oCjxehcclRZ:1dmii9ro4

100034eQfpxxxHlMxC9DQnU3jJh:1dfvt9oj5

...... 700 count

Severity = Error or Critical

Below is the sample event:

unit_hostname="GBWDC142AD011NHA.systems.uk.fed" support_id="5949818439961942897" vs_name="/f5-tenant-01/DARWIN-GBM-UK-UAT/v-darwin-uat.systems.uk.fed-44" policy_name="/Common/waf-fed-transparent" dest_ip="10.146.97.3" dest_port="443" violations="HTTP protocol compliance failed" sub_violations="HTTP protocol compliance failed:Body in GET or HEAD requests" violation_rating="3" attack_type="HTTP Parser Attack" severity="Error" ####### HTTP REQUEST BEGIN ####### "GET /ICMClient/icm/action/actions.json HTTP/1.1 Host: rwin-uat.systems.uk.fed Connection: keep-alive sec-ch-ua-platform: ""Windows"" X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0 sec-ch-ua: ""Microsoft Edge"";v=""131"", ""Chromium"";v=""131"", ""Not_A Brand"";v=""24"" DNT: 1 Content-Type: application/x-www-form-urlencoded sec-ch-ua-mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://darwin-uat.systems.uk.fed/navigator/?desktop=icmUat&feature=Cases&tos=UKUAT_CMTOS2&solution=DWN Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: adUsername=DNc5oBu9KkG0Z9WbdY0YMA; AMToken=W8s9fXK-BZFJwOfUKvHnc1QOiwE.*AAJTSQACMDIAAlNLABxzTGUweUUvUzRRRjZFdDl3Nk8rTlBxbkM4K2s9AAR0eXBlAANDVFMAAlMxAAIwMQ..*; amlbcookie=01; LtpaToken2=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; JSESSIONID=0000k4OMOHFe-x8tp-F0TmQxoBN:1dmii9ro4; TS01492bb9=0111266d7745aebde115d8e1c57860aa8fb4d2d0645896fc5a6ed9865e53e7eed30bd3d6f3092e028ebe7f89753f63d3e54b8d8646 " ####### HTTP REQUEST END ####### ####### HTTP RESPONSE BEGIN ####### "Response logging disabled" ####### HTTP RESPONSE END ####### response_is_truncated="" ip_client="10.227.31.83" x_forwarded_for_header_value="N/A" method="GET" uri="/ICMClient/icm/action/actions.json" microservice="N/A" query_string="N/A" response_code="200" sig_cves="N/A" sig_ids="N/A" sig_names={N/A} 
sig_set_names="N/A" staged_sig_cves="N/A" staged_sig_ids="N/A" staged_sig_names="N/A" staged_sig_set_names="N/A" violation_details="<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <violation_masks> <block>0-0-0-0</block> <alarm>2400500004500-106200000003e-0-0</alarm> <learn>0-0-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>14</viol_index> <viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>64</http_sanity_checks_status> <http_sub_violation_status>64</http_sub_violation_status> <http_sub_violation>Q29udGVudC1UeXBlIGhlYWRlciBpbiBHRVQgcmVxdWVzdA==</http_sub_violation> </violation> </request-violations> </BAD_MSG>"

0 Karma

ITWhisperer
SplunkTrust

Try something like this (assuming JSESSIONID and severity are already extracted)

| timechart dc(JSESSIONID) by severity
0 Karma

Karthikeya
Path Finder

I am expecting, for a JSESSIONID (or several), how many critical and error logs there are, and to represent them in a visualized manner.

Not in this way. I ran the query you gave.

_time       Critical  Error

2024-12-30  0         0
2024-12-31  0         0
2025-01-01  0         0

0 Karma

ITWhisperer
SplunkTrust
| chart count by JSESSIONID severity
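
The chart above assumes JSESSIONID is already a field, but in the sample event it only appears inside the Cookie header of the logged HTTP request. As an added illustration (my own code, not from this thread or from Splunk), the Python below builds a few constructed events in that layout, pulls out severity and JSESSIONID, and pivots them the way `| chart count by JSESSIONID severity` does. Hostnames, session ids and cookie values are made up.

```python
import re
from collections import defaultdict

# Regexes for the two fields: key="value" pairs of the F5 ASM event layout, and the
# JSESSIONID cookie that only appears inside the logged HTTP request.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
JSESSIONID_RE = re.compile(r'JSESSIONID=([^;\s"]+)')


def make_event(session, severity):
    """Constructed event in the post's layout; hostname, cookies and ids are made up."""
    cookie = f"amlbcookie=01; JSESSIONID={session}; TS01492bb9=0123abcd" if session else "amlbcookie=01"
    return (
        'unit_hostname="waf-01.example.internal" violations="HTTP protocol compliance failed" '
        f'attack_type="HTTP Parser Attack" severity="{severity}" '
        '####### HTTP REQUEST BEGIN ####### "GET /ICMClient/icm/action/actions.json HTTP/1.1 '
        f'Host: app.example.internal Cookie: {cookie} " ####### HTTP REQUEST END ####### '
        'method="GET" uri="/ICMClient/icm/action/actions.json" response_code="200"'
    )


def parse_event(raw):
    """Return the key="value" fields plus JSESSIONID extracted from the Cookie header."""
    fields = dict(KV_RE.findall(raw))
    match = JSESSIONID_RE.search(raw)
    if match:
        fields["JSESSIONID"] = match.group(1)
    return fields


def chart_count_by(events, row_field, col_field):
    """Mimic `| chart count by <row_field> <col_field>`.

    Events without the row field are dropped; events without the column field are
    counted under a "NULL" column, matching chart's default usenull=t behaviour.
    """
    table = defaultdict(lambda: defaultdict(int))
    columns = set()
    for ev in events:
        row = ev.get(row_field)
        if row is None:
            continue
        col = ev.get(col_field, "NULL")
        table[row][col] += 1
        columns.add(col)
    ordered = sorted(columns)
    return {row: {c: table[row].get(c, 0) for c in ordered} for row in sorted(table)}


# Constructed sample set: session A has two Error and one Critical event, session B one
# Critical event, and one event carries no JSESSIONID cookie at all (chart drops it).
RAW_EVENTS = [
    make_event("SESSION-A:1aaaa", "Error"),
    make_event("SESSION-A:1aaaa", "Error"),
    make_event("SESSION-A:1aaaa", "Critical"),
    make_event("SESSION-B:1bbbb", "Critical"),
    make_event(None, "Error"),
]


def session_severity_chart(raw_events=RAW_EVENTS):
    """One row per JSESSIONID, one column per severity, as the accepted answer's chart."""
    return chart_count_by([parse_event(r) for r in raw_events], "JSESSIONID", "severity")


if __name__ == "__main__":
    chart = session_severity_chart()
    cols = sorted({c for row in chart.values() for c in row})
    print("JSESSIONID".ljust(18), *(c.ljust(9) for c in cols))
    for session, counts in chart.items():
        print(session.ljust(18), *(str(counts[c]).ljust(9) for c in cols))
```

In Splunk itself the same extraction is a `| rex "JSESSIONID=(?<JSESSIONID>[^;\s]+)"` placed before the chart. The resulting shape, one row per session with a column per severity, is what the bar or column chart visualization renders as grouped or stacked bars.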

Karthikeya
Path Finder

OK, what other fields can I visualize? Can you please let me know, based on the event I have given.

0 Karma

Praz_123
Path Finder

@Karthikeya 

Based on your logs you can fetch data like:
1. For a time chart - This shows how violations are trending over time, with separate lines for successes and failures.
| eval violation_type=if(like(violations, "%failed%"), "Failure", "Success")
| timechart span=1h count by violation_type

2. Bar chart - This shows the top 10 attack types by frequency.
| stats count by attack_type
| sort - count
| head 10

3. Pie or bar chart -
This helps you visualize how often each HTTP response code (e.g., 200, 404, 500) is returned.
| stats count by response_code

4. Bar chart - This shows the most frequently accessed URIs, which could help you understand which endpoints are under attack.
| stats count by uri
| sort - count
| head 10

Hope this works 🙂
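
The first query in the list above classifies events with like() and buckets them with timechart span=1h; the second is a top-N by attack_type. As an added example (my own code, not from this post or from Splunk), the Python below reproduces both over a handful of constructed events, including the zero-filled empty hour that timechart emits between buckets. Timestamps and field values are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed events: timestamps and values are made up; only the fields the two
# searches use are kept. The 10:00 hour deliberately has no events.
EVENTS = [
    {"_time": "2025-01-01T09:05:00Z", "violations": "HTTP protocol compliance failed", "attack_type": "HTTP Parser Attack"},
    {"_time": "2025-01-01T09:40:00Z", "violations": "HTTP protocol compliance failed", "attack_type": "HTTP Parser Attack"},
    {"_time": "2025-01-01T09:50:00Z", "violations": "N/A", "attack_type": "N/A"},
    {"_time": "2025-01-01T11:10:00Z", "violations": "Illegal URL length", "attack_type": "Buffer Overflow"},
    {"_time": "2025-01-01T11:30:00Z", "violations": "Attack signature detected", "attack_type": "Cross Site Scripting (XSS)"},
]


def like(value, pattern):
    """like()-style pattern match: '%' matches any run of characters, '_' exactly one (case-sensitive here)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def violation_type(event):
    """eval violation_type=if(like(violations, "%failed%"), "Failure", "Success")"""
    return "Failure" if like(event.get("violations", ""), "%failed%") else "Success"


def _epoch(ts):
    """Parse the constructed ISO-8601 UTC timestamp into epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def timechart_count(events, field, span_seconds=3600):
    """Mimic `| timechart span=1h count by <field>`: contiguous buckets, zero-filled."""
    counts = defaultdict(Counter)
    for ev in events:
        bucket = _epoch(ev["_time"]) // span_seconds * span_seconds
        counts[bucket][ev[field]] += 1
    if not counts:
        return []
    columns = sorted({col for c in counts.values() for col in c})
    rows = []
    for bucket in range(min(counts), max(counts) + span_seconds, span_seconds):
        row = {"_time": datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}
        row.update({col: counts.get(bucket, Counter())[col] for col in columns})
        rows.append(row)
    return rows


def top_n(events, field, n=10):
    """`| stats count by <field> | sort - count | head <n>`, ties broken by name for stable output."""
    counter = Counter(ev.get(field) for ev in events if ev.get(field) is not None)
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def violation_trend(events=EVENTS):
    """Query 1: add the eval'd violation_type field, then timechart it hourly."""
    enriched = [dict(ev, violation_type=violation_type(ev)) for ev in events]
    return timechart_count(enriched, "violation_type")


def top_attack_types(events=EVENTS, n=10):
    """Query 2: the top-N attack types by count."""
    return top_n(events, "attack_type", n)


if __name__ == "__main__":
    for row in violation_trend():
        print(row)
    for attack, count in top_attack_types():
        print(f"{count:3d}  {attack}")
```

Note what the classifier does with the constructed 11:00 events: anything whose violations value does not contain "failed", including "Attack signature detected", lands in the "Success" column, and the "N/A" attack_type is counted like any other value; the chart only shows what the eval and stats lines actually compute.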

ITWhisperer
SplunkTrust

This is your data - you should understand what you are working with or find someone in your organisation who does!

0 Karma

ITWhisperer
SplunkTrust

This is a very open question with many answers, but without a clearer understanding of what you want to get out of your dashboard, it is not easy to say. You could use any of the visualisations available in the dashboards; some would be more effective than others depending on the information you are trying to convey. Perhaps you should start small with a statistics table, present that to your stakeholders and ask them what else they would like to see?

0 Karma

gcusello
SplunkTrust

Hi @Karthikeya ,

My hint is to follow the Splunk search tutorial ( https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial ), so you'll be able to create your own searches.

Then, if you like the classic dashboard interface, you can use the Splunk Dashboard Examples app ( https://splunkbase.splunk.com/app/1603 ), even if it's archived; if instead you like the Dashboard Studio interface, there are many examples to use. But either way, you have to start from the search!

Ciao.

Giuseppe

0 Karma