
Top X chart

DerekKing
Path Finder

Hi,

I'm trying to return my top 3 hosts reporting vulnerabilities, in a bar chart stacked by risk. So this means I want host A B and C, because they report say 100 entries each (as opposed to host D and E only reporting 20 each), and then I want to split each host into the Risk numbers that make up the 100.

So far I have:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | chart count BY Host,Risk_Factor

This gives me what I want in terms of a stacked chart showing the counts of risk, but I can't seem to return only the top 3.

The search:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" | top limit=3 Host | chart count BY Host,Risk_Factor

seems to break the chart.

Not sure what I'm doing wrong here.

Any help appreciated.

Thanks
Derek.

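The piece the original search is missing is a ranking step that happens before the chart is built: the top-3 selection has to be made on each host's total across all risk factors, and only then is the surviving data split by Risk_Factor. The following SPL is an added example written for this thread, not a search posted by anyone in it; it reuses the placeholder index, sourcetype, source and Host="10.*" filter from the question and assumes the field names Host and Risk_Factor exactly as the question spells them.

```spl
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
``` one row per Host / Risk_Factor combination, with its count ```
| stats count AS count BY Host Risk_Factor
``` add each host's grand total to every one of its rows ```
| eventstats sum(count) AS host_total BY Host
``` highest-volume hosts first; "0" lifts the default 10000-row sort limit ```
| sort 0 -host_total Host
``` running distinct count of Host gives every host a rank of 1, 2, 3, ... ```
| streamstats dc(Host) AS host_rank
``` keep only the rows belonging to the three busiest hosts ```
| where host_rank <= 3
``` pivot to one row per Host and one column per Risk_Factor for a stacked bar chart ```
| xyseries Host Risk_Factor count
```

Because the rank is computed from host_total rather than from the per-risk count, a host that reports 100 findings spread across four risk levels still outranks a host that reports 20 findings of a single level, which is the behaviour the question asks for. The `| top limit=3 Host` in the original search fails because `top` discards every field except Host, count and percent, so nothing is left for the chart to split by Risk_Factor.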

somesoni2
SplunkTrust

Try this

index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
| stats count by Host Risk_Factor | sort Risk_Factor,-count | streamstats count as sno by Risk_Factor | where sno < 4 | fields - sno

wpreston
Motivator

I think I made a typo in my other answer, and I can't post comments from my workplace for some reason, so here's a new answer. The "host" in the top and fields commands should be capitalized. Also, your Risk_Factor should probably be included in the main search. How about:

search index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 Host 
    | fields Host]
| chart count by Host Risk_Factor

wpreston
Motivator

Sorry, I had it wrong in my earlier answer. There may be a more elegant search to get what you want, but this is what I came up with. Use a subsearch to determine the hosts that you need, then report on the Risk_Factor of those hosts:

search index="XXX" sourcetype="XXX" source=XXXX 
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 host 
    | fields host]
| chart count by Host Risk_Factor

DerekKing
Path Finder

Hi, thanks for the help on this. I can't believe I'm having so much trouble. Neither is working for me, unfortunately.

First example gives me null back, and the second tells me that the "search will not match any events".


wpreston
Motivator

How about something like this:

index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" 
| top Risk_Factor by Host limit=3 
| fields - percent
| chart values(count) AS count by Host Risk_Factor

Moritz
Explorer

Maybe try something like:
| sort by -Risk_Factor | head 3


DerekKing
Path Finder

Hi,

No, this just gives me the first three entries that appear on the chart.

Somehow I need to count the number of entries by host, then sort on that field, and then I guess chart and head.

It's counting all entries by host that I'm struggling with, I think...


ThomasControlwa
Path Finder

For me it works as follows.
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
| stats count by Risk_Factor
| sort by -Risk_Factor
| head 3
"| some statistic"

... done. I know that I'm very late, but it works.
