
Splunk query to pull up all my 150 security metrics based on my comparison threshold of low, normal and high

ngwodo
Path Finder

Please, I need help with my Splunk query below. My query is only showing one security metric based on my comparison. I have about 160 security metrics in total but I am only seeing one. Please, I need your help with a Splunk query that will show all 160 security metrics based on my comparison below:

 

index=security  source=base_ad_metric_test_v3 earliest=-1y base_ad_metric>0
| stats avg(base_ad_metric) AS avg stdev(base_ad_metric) AS stdev min(base_ad_metric) AS min max(base_ad_metric) AS max latest(base_ad_metric) AS latest_count BY Metric_ID
| eval min_thres=5000, max_thres=7500
| eval is_above_thres=if(latest_count>max_thres, 1, 0)
| eval is_below_thres=if(latest_count<min_thres, 1, 0)
| eval data_item_volatility=case(is_above_thres==1, "High", is_below_thres==1, "Low", true(), "normal")
| lookup free_metrics.csv Metric_ID output Data_Item_volatility AS spreadsheet_Data_Item_volatility Operating_System_Metric_Calculation AS spreadsheet_Operating_System_Metric_Calculation Metric_Name AS spreadsheet_Metric_Name


ngwodo
Path Finder

Please see below for the result of the security metric and an explanation. The result is showing just one security metric right now. Our data source is Active Directory through AD managewise, fed into Splunk. The CSV file comes from an external source as an Excel spreadsheet. The problem is that the Excel spreadsheet has about 150 security metrics and my result is only showing one metric. I need help with a Splunk query that will go through all 150 metrics, do the comparison as in the query above, and give me the result. Please see the result below:

 

Metric_ID                                        1
avg                                              6145.32
stdev                                            330.95
min                                              4854
max                                              7319
latest_count                                     5934
data_item_volatility                             normal
is_above_thres                                   0
is_below_thres                                   0
max_thres                                        7500
min_thres                                        5000
spreadsheet_Data_Item_volatility                 Low
spreadsheet_Metric_Name                          Total # of GFE hardware assets
spreadsheet_Operating_System_Metric_Calculation  5855

 

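A check worth running before changing any threshold logic, added here as an example and not part of the original thread: list every Metric_ID in the spreadsheet lookup that produced no event at all in the search window. The subsearch returns the IDs that do have data, and `search NOT [...]` removes those rows from the lookup, so what remains is the set of metrics the feed is not delivering and no amount of query work will surface. Index, source and lookup names are taken from the posted query; the one-year window and the assumption that the lookup's key column is named Metric_ID (as the posted `lookup` command implies) are assumptions.

```spl
| inputlookup free_metrics.csv
| fields Metric_ID Metric_Name Data_Item_volatility
| search NOT [ search index=security source=base_ad_metric_test_v3 earliest=-1y
               | stats count BY Metric_ID
               | fields Metric_ID ]
| table Metric_ID Metric_Name Data_Item_volatility
```

The subsearch is expanded into an OR of `Metric_ID="..."` terms, well within the default subsearch result limit for 150 rows. If the table comes back with nearly every spreadsheet row, the problem is on the ingestion side (wrong source name, or only one metric being forwarded), not in the stats or eval commands.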

to4kawa
Ultra Champion

base_ad_metric>0

This filters out the other Metric_IDs.

Remove it.

 

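Applying the answer above to the full query, as an added example that is not part of the original thread. It drops the `base_ad_metric>0` search-time filter (which discards events rather than Metric_IDs, so an ID disappears only when every one of its events fails the test, which includes events where the field is absent) and replaces the single hard-coded 5000/7500 pair, which cannot suit 150 metrics of different scale, with per-metric thresholds derived from each metric's own mean and standard deviation. The two-sigma band, the `samples` field and the `volatility_mismatch` flag are illustrative assumptions; the index, source, field and lookup names are those from the original post.

```spl
index=security source=base_ad_metric_test_v3 earliest=-1y
| stats count(base_ad_metric) AS samples
        avg(base_ad_metric) AS avg
        stdev(base_ad_metric) AS stdev
        min(base_ad_metric) AS min
        max(base_ad_metric) AS max
        latest(base_ad_metric) AS latest_count
        BY Metric_ID
| eval min_thres=round(avg-(2*stdev), 2), max_thres=round(avg+(2*stdev), 2)
| eval is_above_thres=if(latest_count>max_thres, 1, 0)
| eval is_below_thres=if(latest_count<min_thres, 1, 0)
| eval data_item_volatility=case(is_above_thres==1, "High", is_below_thres==1, "Low", true(), "normal")
| lookup free_metrics.csv Metric_ID OUTPUT Data_Item_volatility AS spreadsheet_Data_Item_volatility Operating_System_Metric_Calculation AS spreadsheet_Operating_System_Metric_Calculation Metric_Name AS spreadsheet_Metric_Name
| eval volatility_mismatch=if(lower(data_item_volatility)!=lower(spreadsheet_Data_Item_volatility), 1, 0)
| table Metric_ID spreadsheet_Metric_Name samples avg stdev min max latest_count min_thres max_thres data_item_volatility spreadsheet_Data_Item_volatility volatility_mismatch
| sort - volatility_mismatch Metric_ID
```

A metric with a single event gets stdev 0, so both thresholds collapse onto the mean and the latest value is reported as "normal"; the `samples` column makes such cases visible. A row with an empty spreadsheet_Metric_Name is an ID present in the data but missing from the CSV. Replacing the final `table` with `| stats dc(Metric_ID)` gives a quick count to compare against the 150 rows in the spreadsheet.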

to4kawa
Ultra Champion

We can't do anything without the query results and their explanations.

