Splunk query to pull up all my 160 security metrics based on my comparison threshold of low, normal and high

Path Finder

Please I need help with my splunk query below. My query below is only showing just one security metric based on my comparison. I have about 160 security metrics total but only seeing just one. Please I need your help with a splunk query that will show all the 160 security metrics based on my comparison below:


index=security source=base_ad_metric_test_v3 earliest=-1y base_ad_metric>0
| stats avg(base_ad_metric) AS avg stdev(base_ad_metric) AS stdev min(base_ad_metric) AS min max(base_ad_metric) AS max latest(base_ad_metric) AS latest_count BY Metric_ID
| eval min_thres=5000, max_thres=7500

| eval is_above_thres=if(latest_count>max_thres, 1, 0)
| eval is_below_thres=if(latest_count<min_thres, 1, 0)
| eval data_item_volatility=case(is_above_thres==1, "High", is_below_thres==1, "Low", true(), "normal")

| lookup free_metrics.csv Metric_ID output Data_Item_volatility AS spreadsheet_Data_Item_volatility Operating_System_Metric_Calculation AS spreadsheet_Operating_System_Metric_Calculation Metric_Name AS spreadsheet_Metric_Name

Please see below for the result of the security metric and explanation. The result is showing just one security metric right now. Our data source is from Active directory through AD managewise and is fed into splunk. The csv file is coming from external source in excel spreadsheet. The problem is that the excel spreadsheet has about 150 security metrics and my result is only showing just one metric. I need help with splunk query that will go through all the 150 metrics and do the comparison as seen from the above query and give me the result. Please see the result below:


Metric ID avg stdev min max latest_count data_item_volatility is_above_thres is_below_thres

1 6145.32 330.95 4854 7319 5934 normal 0 0

max_thres min_thres spreadsheet_data_item_volatility spreadsheet_Metric_Name

7500 5000 Low Total # of GFE hardware assets



Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...