- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare Notables (Index) vs Investigations
I want to show how many ES Notables were opened in the last 30 days and how many investigations were opened on a line chart. I can get the notable Index over the last 30 days, no problem but how do I add in the `investigations` to the same line chart?
Here is the query I am using for the notables
index=notable |bucket _time span=day |stats count by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it have to be a line chart? Would the audit dashboards show similar results?
https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Incident_Review_Audit
https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Investigation_Overview
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have reviewed these and I am trying to combine them in ONE chart. More of a ROI for Splunk Enterprise. I want to show on a line chart (or a similar visualization) how many notables are created by ES and how many investigations we start (and eventually show how many we close).
This is basically what I am trying to combine...
index=notable |bucket _time span=day |stats count by _time
AND
| `investigations` earliest="-30d@h" latest="now" | `get_realname(creator)` | fieldformat create_time=strftime(create_time, "%c") | `uitime("mod_time")` | eval _time=create_time, id=title | `investigation_get_current_status` | `investigation_get_collaborator_count` | eval _time=create_time | timechart span=1d count by creator_realname
