Hi,
I have a simple query as below.
index=ABC
| lookup ucmdb "Primary FQDN" as FQDN
| search "Application Type"="Premium"
| stats dc(FQDN) by os, vulnerability_id, FQDN, "Application Type", IP, Organization
| lookup ABC.csv vulnerability_id
| rangemap field=score None=0-0 Low=0.1-3.9 Medium=4.0-6.9 High=7.0-8.9 Critical=9.0-10.0
| fields "Application Type" FQDN IP Organization os score vulnerability_id range
Then I have the below query referencing the above report:
| stats dc(vulnerability_id) by "Application Type"
| sort -dc(vulnerability_id)
| rename "Business Element Display Label" AS "Premium Application", dc(vulnerability_id) AS "Vulnerabilities Count"
| head 20
Results are as expected. Now I want the below.
I am trying to chart the vulnerabilities count for several applications on a column chart with overlay. I want each application to have something like the attached, which shows me the breakdown of the different severities in colors, stacked for each application. When I go to the chart overlay settings, I see the range and vulnerabilities choices, but it is not producing what I need it to look like in a column chart.
Thanks,
@mbasharat, your range field seems to have the information to apply colors to table cells based on range. However, as per your query, it seems like the range field is not present in the final table.
If stats by "Application Type" does not give you unique rows, how are you planning to apply range? There may be applications belonging to different groups that fall into the same range. I am not sure if the following solves your need, but you can perform a count of vulnerabilities by range, or by range and "Application Type":
<yourBaseSearch>
| stats dc(vulnerability_id) by range
Please provide a sample of your current tabular output and expected output.
Several Table Coloring options are available in Splunk Enterprise version 6.5 or higher. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Column_color
You can use the Simple XML JS and CSS extension as well to apply any color formatting as per your needs, for example table row color based on the values of one or more fields. You can get the Splunk Dashboard Examples app for such examples, or check out the several examples already present on Splunk Answers.
Hi Nikitniley,
I actually know the formatting in the table, BUT I actually want this in a column chart in 100% stacked form, just like in the attached image.
When I tried "by range" instead of application type, it does show multiple columns in the column chart showing the different ranges and the count, BUT I want it simply: Application ABC showing in the column chart on the x-axis, where one column in stacked settings for each application shows the different levels of severity in colors vertically on the y-axis. Using "by range" as above or "by Application" works as it should, but not the way I require.
Thanks,
@mbasharat Sorry, I am unable to follow. What is the output you currently have, and what is it that you need? Can you add mock-ups for both?
So, here is my query:
index=ABC
| lookup ucmdb "Primary FQDN" as FQDN
| search "Application Type"="Premium"
| stats dc(FQDN) by os, vulnerability_id, FQDN, "Application Type", IP, Organization
| lookup ABC.csv vulnerability_id
| rangemap field=score None=0-0 Low=0.1-3.9 Medium=4.0-6.9 High=7.0-8.9 Critical=9.0-10.0
| fields "Application Type" FQDN IP Organization os score vulnerability_id range
| stats dc(vulnerability_id) by "Application Type"
| sort -dc(vulnerability_id)
| rename "Business Element Display Label" AS "Premium Application", dc(vulnerability_id) AS "Vulnerabilities Count"
| head 20
When the column chart populates, it gives me bars for each application showing the total of vulnerabilities for each application. What I additionally want is to see each application's bar with a kind of heatmap showing me the breakdown of vulnerabilities count by severity in colors, as requested in the attached screenshots. I hope I explained it right.
If | stats dc(vulnerability_id) by "Application Type" is working fine, can you try the following chart instead of stats and confirm?
| chart dc(vulnerability_id) by "Application Type" score
Following is a run-anywhere search based on Splunk's _internal index which uses date_second instead of vulnerability_id, component instead of "Application Type" and log_level instead of score.
index=_internal sourcetype=splunkd component!="Metrics" AND component!="PeriodicHealthReporter" AND component!="ExecProcessor"
| chart dc(date_second) by component log_level
Please try out and confirm!
When I do | chart dc(vulnerability_id) by "Application Type" score I am getting the error "error in chart command, the output field "score" cannot have the same name as group by field".
But when I do it by range, | chart dc(vulnerability_id) by "Application Type" range, I am getting the column chart for each application with the count for each severity, and that's good. And then I have done it in 100% stacked mode, and that makes it exactly what I was looking for!!
SO the last piece left here is the top 20 ones. When I do the below, I am not getting the top 20 values with the highest counts first.
| chart dc(vulnerability_id) by "Application Type" range
| sort by dc(vuln_id) Desc
| rename "Business Element Display Label" AS "Premium Application", dc(vuln_id) AS "Vulnerabilities Count"
| head 20
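One way to get the top-20 ordering from the chart output, as an added example that is not part of the thread (it reuses the field names, lookups and rangemap thresholds from the question above; `Total` is just the default field name that addtotals produces): the output of `chart ... by "Application Type" range` has one row per application and one column per severity (Critical, High, Low, Medium, None), so there is no `dc(vulnerability_id)` column left to sort on. A per-row total has to be computed first, the rows sorted on it, and the helper column dropped again before charting so it does not appear as an extra series.

```spl
index=ABC
| lookup ucmdb "Primary FQDN" as FQDN
| search "Application Type"="Premium"
| stats dc(FQDN) by os, vulnerability_id, FQDN, "Application Type", IP, Organization
| lookup ABC.csv vulnerability_id
| rangemap field=score None=0-0 Low=0.1-3.9 Medium=4.0-6.9 High=7.0-8.9 Critical=9.0-10.0
| chart dc(vulnerability_id) by "Application Type" range
| addtotals fieldname=Total
| sort - Total
| head 20
| fields - Total
| table "Application Type" None Low Medium High Critical
```

The row order produced by `sort` becomes the x-axis order of the column chart, so the applications with the most distinct vulnerabilities appear first. The closing `table` command is optional: `chart` orders the split-by columns alphabetically, and listing them explicitly makes the stacked segments (and the legend) run from None up to Critical instead; if a severity never occurs in the data its column is simply absent and can be removed from that list. With the chart set to 100% stacked mode each bar then shows the severity mix per application, which is what the thread is asking for.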