Dashboards & Visualizations

how to display pattern tab result in report in dashboard?

cyberportnoc
Explorer

how to display pattern tab result in report in dashboard?
i click save as report and find no option about showing pattern tab result

is there any command equivalent to show the same result as pattern tab

Tags (1)
0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

There is no direct way to display the patterns tab the way it is formatted in the Search and Reporting app in a dashboard.
But... the Patterns tab is produced by running a cluster command under the covers. You can check the _audit index after selecting the patterns tab and you will see something like this (I used a search on the _internal index when selecting patterns):
index=_internal | cluster t=0.3 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true
You can start here and format the output to satisfy your display needs.

View solution in original post

edoardo_vicendo
Contributor

Just adding one note because I have seen this discussion as I was looking for the same answer.

Going in Settings >> Monitoring Console >> Search >> Activity >> Search Usage Statistics: Instance and then selecting the option "Only Ad Hoc Searches" = NO, you can find the search triggered by Splunk when you click on "Pattern" tab:

| loadjob 1233886270.2 events=true require_finished=false | cluster t=0.8 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true

this is exactly what is done in the background (where 1233886270.2 is the search job id)

Then if you want to recreate the same result, approximately you have to attach this to your search

| cluster t=0.8 labelonly=t showcount=t labelfield=_patterns match=termset
| findkeywords labelfield=_patterns dedup=true
| search confidence>0
| fields - search
| sort -percentMatched

Just wondering/checking how exactly it is sorting the results, and how is calculating the number of events matched

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

There is no direct way to display the patterns tab the way it is formatted in the Search and Reporting app in a dashboard.
But... the Patterns tab is produced by running a cluster command under the covers. You can check the _audit index after selecting the patterns tab and you will see something like this (I used a search on the _internal index when selecting patterns):
index=_internal | cluster t=0.3 labelonly=true labelfield=_patterns match=termset | findkeywords labelfield=_patterns dedup=true
You can start here and format the output to satisfy your display needs.

cyberportnoc
Explorer

is there any updated in your answer?

after tried to append index=_audit or index=_internal , still can not create the same result as pattern tab

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

I was using the internal index as an example to show you what is being executed under the covers by the patterns tab. You would obviously have to use the index that contains your data for which you want to identify the patterns. Which index contains the data for your sourcetype=access*? That's the one you need to search. If it's searched by default, just remove index=_internal

Your results from 2 days ago were different, because you looked at the patterns tab for a search over your data, but added index=_internal to the search that used the cluster command. The timeframes were slightly different as well.

0 Karma

cyberportnoc
Explorer
0 Karma

cyberportnoc
Explorer

find found no _audit index in pattern tab or search events tab, where is it?

0 Karma

cyberportnoc
Explorer

i append index=_internal or index=_audit

https://drive.google.com/file/d/0Bxs_ao6uuBDUd2xMcXdyY3JkR1E/view?usp=sharing
https://drive.google.com/file/d/0Bxs_ao6uuBDUOWdnYXl3LXhpSzA/view?usp=sharing

but no result

autojoin='1' buckets=300 ttl=600 max_count=500000 maxtime=8640000 enable_lookups='1'

0 Karma
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...