I am trying to create a dashboard for Splunk Enterprise Security to track incident response. I have a search that spits out a count of all incidents over a 30d period of time. I want to combine some of these events into values indicative of the product that triggers these events. Here is my base search:
| `incident_review` | where _time >= relative_time(now(), "-30d@d") | stats count by rule_name
That search spits out the following results:
rule_name                  count
Cylance Threats            150
Cylance Exploit Event      28
Account Deleted            9
Excessive Failed Logins    14
I want to combine the count value for Cylance Threats and Cylance Exploit Event into one total named Cylance and also combine Account Deleted and Excessive Failed logins into one total named AD_Events.
I have tried the eval coalesce command, sum(count) commands, and rename commands as well. I can't seem to get this to work; if anyone could provide some help it would be greatly appreciated. Thanks!
You need to modify your rule_name:
| `incident_review` | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", rule_name) | stats count by rule_name
If this gives you the expected count for Cylance, all you need to do is modify the eval for the AD_Events use case.
That worked! Thanks!
How would I go about doing this multiple times in one search? So I can create a Cylance total, an AD_Events total, and a Network_Events total all in one search, for example.
You can do it in one eval. I am now including the one for AD_Events:
| eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", if(rule_name="Account Deleted" OR rule_name="Excessive Failed Logins","AD_Events",rule_name))
Works like an Excel IF statement.
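The nested if() above works, but every new product group adds another level of nesting. The same grouping written with SPL's case() function is flat and easier to extend, and it is an added example rather than code from the answer above. It keeps the original rule_name in place (so a dashboard drilldown can still pivot on it) and writes the group into a new field named product; the "Network_Events" branch and its regex are an assumption about how network-related rules might be named in this environment, not rule names from the page.

```spl
| `incident_review`
| where _time >= relative_time(now(), "-30d@d")
| eval product=case(
    rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event", "Cylance",
    rule_name="Account Deleted" OR rule_name="Excessive Failed Logins", "AD_Events",
    match(rule_name, "^(Network|Firewall|IDS) "),                      "Network_Events",  /* hypothetical rule-name prefixes */
    true(),                                                            rule_name)        /* default: keep rows no branch matched */
| stats count AS incidents, dc(rule_name) AS rules_in_group by product
| sort - incidents
```

The final true() branch matters: case() returns null when no condition matches, and stats ... by product silently drops rows whose product is null, so without a default any rule you forgot to map would disappear from the incident count instead of showing up as its own row. dc(rule_name) is a cheap sanity check that each group folds in the number of rules you expect (2 each for Cylance and AD_Events in the counts above).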