Splunk Dev

Why isn't the following chart query sorting by amount of threats?

Yaichael
Communicator

Good day,

I have created the following query for displaying the amount of critical threats reported
by device, but it's only sorting by the Total field, and not by the amount of threats in every bar.

tag::critical sourcetype=syslog 
| chart count over device by threat limit=0 usenull=f useother=f
| addtotals
| sort -Total
| fields - Total
| head 5
| rename device as Devices

How do I achieve this?

Thanks!


somesoni2
SplunkTrust

Your chart shows the count of each threat for each reporting device. Since not all threats are reported from all devices, if you sort by one threat, the sorting order will be different for another threat, so sorting by Total (which your query does) seems like the better option. If that's not correct, could you please explain what your expected output is, possibly with a sample example?


Yaichael
Communicator

Thanks for the reply.

My query sorts by the total of threats for each device, which is on the x axis of the chart, but I would like to also sort by the total amount of each individual threat on those devices on the y axis.


somesoni2
SplunkTrust

You basically want to order the column of each threat for each device based on the count value for each threat. The problem is that they appear in the order of listing in the table visualization, and the listing order applies to all rows. If you sort for each device, the column order will vary for each row, hence that won't be possible.

See if something like this is acceptable:

tag::critical sourcetype=syslog
| chart count over device by threat limit=0 usenull=f useother=f
| addtotals
| sort -Total
| fields - Total
| head 5
| rename device as Devices
| untable Devices threat count
| sort Devices -count
| eval Devices=Devices."-".threat | fields - threat

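Added example, not code from the thread or from Splunk: a small Python simulation of the SPL pipeline in the answer above, run over constructed events so that each stage's output, and the ordering it produces, can be checked in data. Device and threat names are made up, and the stage functions model the SPL semantics as described in the thread rather than Splunk's own implementation; where a modelling choice is not something the thread states (how empty chart cells are treated on untable), the comment says so.

```python
"""Simulation of the SPL pipeline discussed above, over constructed events.

Added example, not Splunk code: it models what each stage of the query
(chart ... over device by threat, addtotals, sort -Total, head 5, untable,
sort, eval) produces, so the ordering problem can be seen in data.
All device and threat names below are constructed sample values.
"""
from collections import Counter, defaultdict

# Constructed (device, threat) pairs, standing in for tag::critical syslog events.
SAMPLE_EVENTS = [
    ("fw-01", "malware"), ("fw-01", "malware"), ("fw-01", "bruteforce"),
    ("fw-02", "malware"), ("fw-02", "c2"), ("fw-02", "c2"), ("fw-02", "c2"),
    ("web-01", "bruteforce"),
    ("db-01", "c2"), ("db-01", "malware"), ("db-01", "bruteforce"), ("db-01", "bruteforce"),
    ("vpn-01", "bruteforce"), ("vpn-01", "malware"),
    ("mail-01", "c2"),
]


def chart_count_over_by(events):
    """Model `chart count over device by threat limit=0 usenull=f useother=f`:
    one row per device, one column per distinct threat. The column order is a
    single listing order shared by every row, which is the crux of the thread.
    A device/threat pair with no events is modelled as 0 here."""
    threats = sorted({threat for _, threat in events})
    counts = defaultdict(Counter)
    for device, threat in events:
        counts[device][threat] += 1
    return [{"device": d, **{t: counts[d][t] for t in threats}} for d in sorted(counts)]


def addtotals_sort_head(rows, n=5):
    """Model `addtotals | sort -Total | fields - Total | head n`: rank devices
    by their total critical-threat count and keep the top n. Does not mutate
    its input. Python's sort is stable, so equal totals keep their prior order."""
    with_totals = [dict(r, Total=sum(v for k, v in r.items() if k != "device")) for r in rows]
    with_totals.sort(key=lambda r: -r["Total"])
    return [{k: v for k, v in r.items() if k != "Total"} for r in with_totals[:n]]


def untable_sort_eval(rows):
    """Model `untable Devices threat count | sort Devices -count
    | eval Devices=Devices."-".threat | fields - threat`.

    The sort runs on the bare device name with count as the secondary key,
    and only then is the label concatenated; concatenating first would make
    every sort key unique and leave -count with nothing to order.
    Zero-count pairs are dropped (an assumption about the wanted output, not
    a statement about how Splunk's untable treats empty cells)."""
    flat = [
        {"device": r["device"], "threat": threat, "count": count}
        for r in rows
        for threat, count in r.items()
        if threat != "device" and count > 0
    ]
    flat.sort(key=lambda r: (r["device"], -r["count"]))  # stable: ties keep column order
    return [{"Devices": f'{r["device"]}-{r["threat"]}', "count": r["count"]} for r in flat]


def run_pipeline(events, top_n=5):
    """Whole query end to end: rows of {"Devices": "<device>-<threat>", "count": n}."""
    return untable_sort_eval(addtotals_sort_head(chart_count_over_by(events), top_n))


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS):
        print(f'{row["Devices"]:<20} {row["count"]}')
```

Run it directly to print the flattened rows. Two caveats worth checking in the real query: the sort has to run before the eval that concatenates device and threat, because once Devices holds the combined string every value is unique, so `sort Devices -count` orders rows alphabetically by that string and the -count key never takes effect; and `sort Devices` puts the top-5 devices back in alphabetical order, so the Total ranking from the earlier `sort -Total` does not survive into the bar chart. Keeping both orders would require carrying the total through the untable.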

Yaichael
Communicator

Alright, if it isn't possible, I'll use your query.

Thank you!
