Top X chart

Path Finder

Hi,

I'm trying to return my top 3 hosts reporting vulnerabilities, in a bar chart stacked by risk. So this means I want hosts A, B and C, because they report say 100 entries each (as opposed to hosts D and E only reporting 20 each), and then I want to split each host into the Risk numbers that make up the 100.

So far I have:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" RiskFactor!="None" | chart count BY Host,RiskFactor

This gives me what I want in terms of a stacked chart showing the counts of risk, but I can't seem to return only the top 3.

The search:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" RiskFactor!="None" | top limit=3 Host | chart count BY Host,RiskFactor

seems to break the chart.

Not sure what I'm doing wrong here.

Any help appreciated.

Thanks
Derek.

SplunkTrust

Try this

index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
| stats count by Host Risk_Factor
| sort Risk_Factor,-count
| streamstats count as sno by Risk_Factor
| where sno < 4
| fields - sno

Motivator

I think I made a typo in my other answer, and I can't post comments from my workplace for some reason, so here's a new answer. The "host" in the top and fields commands should be capitalized. Also, your Risk_Factor should probably be included in the main search. How about:

search index="XXX" sourcetype="XXX" source=XXXX Risk_Factor!="None"
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 Host 
    | fields Host]
| chart count by Host Risk_Factor

Motivator

Sorry, I had it wrong in my earlier answer. There may be a more elegant search to get what you want, but this is what I came up with. Use a subsearch to determine the hosts that you need, then report on the Risk_Factor of those hosts:

search index="XXX" sourcetype="XXX" source=XXXX 
[search index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
    | top 3 host 
    | fields host]
| chart count by Host Risk_Factor

Path Finder

Hi, thanks for the help on this. I can't believe I'm having so much trouble. Neither is working for me unfortunately.

First example gives me null back, and the second tells me that the "search will not match any events".


Motivator

How about something like this:

index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None" 
| top Risk_Factor by Host limit=3 
| fields - percent
| chart values(count) AS count by Host Risk_Factor

Explorer

Maybe try something like
| sort -Risk_Factor | head 3


Path Finder

Hi,

No, this just gives me the first three entries that appear on the chart.

Somehow I need to count the number of entries by host, then sort on that field, and then I guess chart and head

It's the counting of all entries by the host I'm struggling with, I think...


Path Finder

For me, the following works.
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" RiskFactor!="None"
| stats count by Risk_Factor
| sort -Risk_Factor
| head 3
"| some statistic"

Done. I know that I'm very late, but it works.

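A single-pipeline search that picks the three hosts with the highest total count and then stacks each of them by risk, added here as an example; it is not code from any of the posters above and it assumes the asker's field names (Host, RiskFactor) and the placeholder index, sourcetype and source values from the question:

```spl
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" RiskFactor!="None"
| stats count BY Host RiskFactor
| eventstats sum(count) AS host_total BY Host
| sort 0 -host_total Host RiskFactor
| streamstats dc(Host) AS host_rank
| where host_rank <= 3
| fields - host_total host_rank
| xyseries Host RiskFactor count
```

eventstats attaches each host's overall total to every one of its rows, the sort groups hosts by that total, and streamstats dc(Host) numbers the hosts in that order so that where keeps only the first three; xyseries then pivots the result into the host-by-risk table a stacked bar chart expects. Because the host selection stays inside one pipeline rather than a subsearch, it is not affected by subsearch result limits.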