Splunk Enterprise Security

Can you help me with a search which would return the sum of multiple count values?

Tylerdygert
Path Finder

Hello,

I am trying to create a dashboard for Splunk Enterprise Security to track incident response. I have a search that spits out a count of all incidents over a 30d period of time. I want to combine some of these events into values indicative of the product that triggers these events. Here is my base search:

| `incident_review` | where _time >= relative_time(now(), "-30d@d") | stats count by rule_name

That search spits out the following results:

rule_name                                count
Cylance Threats                       150
Cylance Exploit Event              28
Account Deleted                       9
Excessive Failed Logins           14

I want to combine the count value for Cylance Threats and Cylance Exploit Event into one total named Cylance and also combine Account Deleted and Excessive Failed logins into one total named AD_Events.

I have tried the eval coalesce command, sum(count) commands, and rename commands as well. I cant seem to get this to work, if anyone could provide some help it would be greatly appreciated. Thanks!

0 Karma
1 Solution

Sukisen1981
Champion

you need to modify your rule_nameincident_review | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cyclane", rule_name)|stats count by rule_name

If this gives you the expected count for cyclane all you need to do is modify the eval for the AD_Events use case

View solution in original post

Sukisen1981
Champion

you need to modify your rule_nameincident_review | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cyclane", rule_name)|stats count by rule_name

If this gives you the expected count for cyclane all you need to do is modify the eval for the AD_Events use case

Tylerdygert
Path Finder

That worked! Thanks!
How would I go about doing this multiple times in one search? So I can create a Cylance total, AD_Events total, and a Network_Events total all in one search for example.

0 Karma

Sukisen1981
Champion

you can do it in one eval...I am now including the one for AD_Events
| eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cyclane", if(rule_name="Account Deleted" OR rule_name="Excessive Failed Logins","AD_Events",rule_name))

Works like an excel IF statement

0 Karma

Tylerdygert
Path Finder

Great! Thank you for you help!

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...