Splunk Enterprise Security

Can you help me with a search which would return the sum of multiple count values?

Tylerdygert
Path Finder

Hello,

I am trying to create a dashboard for Splunk Enterprise Security to track incident response. I have a search that spits out a count of all incidents over a 30d period of time. I want to combine some of these events into values indicative of the product that triggers these events. Here is my base search:

| `incident_review` | where _time >= relative_time(now(), "-30d@d") | stats count by rule_name

That search spits out the following results:

rule_name                count
Cylance Threats          150
Cylance Exploit Event    28
Account Deleted          9
Excessive Failed Logins  14

I want to combine the count value for Cylance Threats and Cylance Exploit Event into one total named Cylance, and also combine Account Deleted and Excessive Failed Logins into one total named AD_Events.

I have tried the eval coalesce command, sum(count) commands, and rename commands as well. I can't seem to get this to work; if anyone could provide some help it would be greatly appreciated. Thanks!

0 Karma
1 Solution

Sukisen1981
Champion

You need to modify your rule_name before the stats:

| `incident_review` | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", rule_name) | stats count by rule_name

If this gives you the expected count for Cylance, all you need to do is modify the eval for the AD_Events use case.


Tylerdygert
Path Finder

That worked! Thanks!
How would I go about doing this multiple times in one search? So I can create a Cylance total, AD_Events total, and a Network_Events total all in one search for example.

0 Karma

Sukisen1981
Champion

You can do it in one eval... I am now including the one for AD_Events:

| eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", if(rule_name="Account Deleted" OR rule_name="Excessive Failed Logins","AD_Events",rule_name))

Works like an Excel IF statement.

0 Karma
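For more than two or three groups, nested if() gets hard to read; the same grouping can be written with eval's case() function, which takes condition/value pairs in order and can end with a true() catch-all that keeps unmatched rule names as their own rows. This is an added example, not from the thread: the Cylance and AD_Events rule names are the ones quoted above, while the "Network " prefix used for Network_Events is an assumed placeholder for whatever network-related rule names exist in your Incident Review data.

```spl
| `incident_review`
| where _time >= relative_time(now(), "-30d@d")
| eval product=case(
    rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event", "Cylance",
    rule_name="Account Deleted" OR rule_name="Excessive Failed Logins", "AD_Events",
    match(rule_name, "^Network "), "Network_Events",
    true(), rule_name)
| stats count by product
```

Using a new field (product) instead of overwriting rule_name lets you add `, rule_name` to the stats split later to verify which original rules fed each total before trusting the dashboard numbers.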

Tylerdygert
Path Finder

Great! Thank you for your help!

0 Karma