Splunk query to pull up all my 150 security metrics based on my comparison threshold of low, normal and high

ngwodo
Path Finder

Please, I need help with my Splunk query below. My query below is only showing just one security metric based on my comparison. I have about 160 security metrics total but am only seeing just one. Please, I need your help with a Splunk query that will show all the 160 security metrics based on my comparison below:

index=security source=base_ad_metric_test_v3 earliest=-1y base_ad_metric>0
| stats avg(base_ad_metric) AS avg stdev(base_ad_metric) AS stdev min(base_ad_metric) AS min max(base_ad_metric) AS max latest(base_ad_metric) AS latest_count BY Metric_ID
| eval min_thres=5000, max_thres=7500
| eval is_above_thres=if(latest_count>max_thres, 1, 0)
| eval is_below_thres=if(latest_count<min_thres, 1, 0)
| eval data_item_volatility=case(is_above_thres==1, "High", is_below_thres==1, "Low", true(), "normal")
| lookup free_metrics.csv Metric_ID output Data_Item_volatility AS spreadsheet_Data_Item_volatility Operating_System_Metric_Calculation AS spreadsheet_Operating_System_Metric_Calculation Metric_Name AS spreadsheet_Metric_Name


ngwodo
Path Finder

Please see below for the result of the security metric and an explanation. The result is showing just one security metric right now. Our data source is Active Directory, collected through AD ManageWise and fed into Splunk. The CSV file comes from an external source as an Excel spreadsheet. The problem is that the Excel spreadsheet has about 150 security metrics and my result is only showing just one metric. I need help with a Splunk query that will go through all the 150 metrics, do the comparison as seen in the above query and give me the result. Please see the result below:

Metric ID: 1
avg: 6145.32
stdev: 330.95
min: 4854
max: 7319
latest_count: 5934
data_item_volatility: normal
is_above_thres: 0
is_below_thres: 0
max_thres: 7500
min_thres: 5000
spreadsheet_data_item_volatility: Low
spreadsheet_Metric_Name: Total # of GFE hardware assets
spreadsheet_Operating_System_Metric_Calculation: 5855


to4kawa
Ultra Champion

base_ad_metric>0

This filters out the other Metric_IDs.

Remove it.

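An added model of the posted query's row semantics (example code, not from this thread or from Splunk), run over constructed events and a constructed stand-in for free_metrics.csv. It shows two things a reader of the question can check: a Metric_ID whose events never pass the base-search filter gets no stats row at all, and a lookup placed after stats only enriches rows that already exist, so a metric that lives only in the CSV never appears in the output.

```python
"""Model of the posted SPL pipeline over constructed sample data (not Splunk)."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed events: (time order, Metric_ID, base_ad_metric).
EVENTS = [
    (1, "1", 4854), (2, "1", 7319), (3, "1", 5934),
    (1, "2", 0), (2, "2", 0), (3, "2", 0),          # never above zero
    (1, "3", 8100), (2, "3", 7900), (3, "3", 8300),
]
# Constructed stand-in for free_metrics.csv, keyed by Metric_ID.
LOOKUP = {
    "1": {"Data_Item_volatility": "Low", "Metric_Name": "Total # of GFE hardware assets"},
    "2": {"Data_Item_volatility": "normal", "Metric_Name": "constructed metric 2"},
    "3": {"Data_Item_volatility": "High", "Metric_Name": "constructed metric 3"},
    "4": {"Data_Item_volatility": "Low", "Metric_Name": "CSV-only metric, no events"},
}

def run_query(events, lookup, min_thres=5000, max_thres=7500, positive_only=True):
    """Return result rows keyed by Metric_ID, mirroring the posted query."""
    if positive_only:                       # base search: base_ad_metric>0
        events = [e for e in events if e[2] > 0]
    by_id = defaultdict(list)               # stats ... BY Metric_ID
    for _, metric_id, value in sorted(events):
        by_id[metric_id].append(value)
    rows = {}
    for metric_id, vals in by_id.items():
        latest = vals[-1]                   # latest(base_ad_metric)
        rows[metric_id] = {
            "avg": round(mean(vals), 2), "stdev": round(stdev(vals), 2),
            "min": min(vals), "max": max(vals), "latest_count": latest,
            # the two is_*_thres evals folded into the case() expression
            "data_item_volatility": ("High" if latest > max_thres
                                     else "Low" if latest < min_thres else "normal"),
        }
        # lookup after stats: enriches existing rows, never creates new ones
        for field, value in lookup.get(metric_id, {}).items():
            rows[metric_id]["spreadsheet_" + field] = value
    return rows

def missing_from_output(rows, lookup):
    """Metric_IDs in the CSV for which the query produced no row at all."""
    return sorted(set(lookup) - set(rows))

if __name__ == "__main__":
    for flag in (True, False):
        out = run_query(EVENTS, LOOKUP, positive_only=flag)
        print(f"base_ad_metric>0={flag}: rows for {sorted(out)}, "
              f"missing {missing_from_output(out, LOOKUP)}")
```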

to4kawa
Ultra Champion

We can't do anything without the query results and their explanations.
