Hello,
I am trying to create a dashboard for Splunk Enterprise Security to track incident response. I have a search that spits out a count of all incidents over a 30d period of time. I want to combine some of these events into values indicative of the product that triggers these events. Here is my base search:
| `incident_review` | where _time >= relative_time(now(), "-30d@d") | stats count by rule_name
That search spits out the following results:
rule_name count
Cylance Threats 150
Cylance Exploit Event 28
Account Deleted 9
Excessive Failed Logins 14
I want to combine the count value for Cylance Threats and Cylance Exploit Event into one total named Cylance, and also combine Account Deleted and Excessive Failed Logins into one total named AD_Events.
I have tried the eval coalesce command, sum(count) commands, and rename commands as well. I can't seem to get this to work; if anyone could provide some help it would be greatly appreciated. Thanks!
you need to modify your rule_name:
| `incident_review` | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", rule_name) | stats count by rule_name
If this gives you the expected count for Cylance, all you need to do is modify the eval for the AD_Events use case.
That worked! Thanks!
How would I go about doing this multiple times in one search? So I can create a Cylance total, AD_Events total, and a Network_Events total all in one search for example.
you can do it in one eval...I am now including the one for AD_Events
| eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", if(rule_name="Account Deleted" OR rule_name="Excessive Failed Logins","AD_Events",rule_name))
Works like an Excel IF statement.
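As an added example (not part of the answer above), the same grouping for the three buckets asked about in the follow-up (Cylance, AD_Events, Network_Events) can be written with a single case() instead of nested if() calls, which stays readable as the number of buckets grows. The `incident_review` macro, the 30-day window and the four rule names come from the thread; the match() pattern used for Network_Events is an assumed placeholder, since the thread does not list any network rule names, and should be replaced with the real rule names from your Enterprise Security deployment. The result is written to a new field, product, so the original rule_name is still available for drilldown.

```spl
| `incident_review`
| where _time >= relative_time(now(), "-30d@d")
| eval product=case(
      rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event", "Cylance",
      rule_name="Account Deleted" OR rule_name="Excessive Failed Logins", "AD_Events",
      match(rule_name, "^(Network|Firewall|IDS) "), "Network_Events",
      true(), rule_name)
| stats count by product
| sort - count
```

case() evaluates its condition/value pairs in order and returns the value of the first condition that is true, so the trailing true() pair acts as the default and keeps any unmatched rule_name as its own row rather than dropping it; if you would rather hide everything that is not in a named bucket, replace that last pair with true(), "Other". Because the eval runs before stats, the counts for the merged rule names are summed automatically, which is what the sum(count) attempts in the question were trying to achieve after the fact.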
Great! Thank you for your help!