Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I do a graph with multiple data?

christianubeda
Path Finder
‎08-09-2018 04:26 AM

Hi team!

It's my very first time here and I need a bit of help!

I want to make a graph with multiple lanes.

I have this right now. 1 graph per data. I want to fusion them but I don't know how.

Graph 1.

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: TCP Port Scan(8001)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Graph 2

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: Host Sweep(8002)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Thanks!

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-09-2018 12:21 PM

Give this a try. I am assuming you want a line for each combination of src_ip, dest_ip, and threat_name based on your search above. By the way, you are missing a function in your stats command. Something like count, avg, min, max, etc... Either way, I created a field that concatenates the src_ip, dest_ip, and threat_name so you can get a line for each in a line graph for example. I hope this helps.

index=xxx_paloalto sourcetype="pan:threat" type=threat (threat_name="SCAN: TCP Port Scan(8001)” OR threat_name=“SCAN: Host Sweep(8002)”)
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
src_ip != xxx
| eval byfield=src_ip . "," . dest_ip . "," . threat_name
| bin _time span=1d
| chart count over _time by byfield
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...