Splunk Enterprise Security

How can I do a graph with multiple data?

christianubeda
Path Finder

Hi team!

It's my very first time here and I need a bit of help!

I want to make a graph with multiple lanes.

I have this right now. 1 graph per data. I want to fusion them but I don't know how.

Graph 1.

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: TCP Port Scan(8001)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Graph 2

index=xxx_paloalto sourcetype="pan:threat"  type=threat threat_name="SCAN: Host Sweep(8002)"
 (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
 (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
 src_ip != xxx
| stats by src_ip, dest_ip, _time
 | bin  _time span=1d
 | stats count by _time

Thanks!

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Give this a try. I am assuming you want a line for each combination of src_ip, dest_ip, and threat_name based on your search above. By the way, you are missing a function in your stats command. Something like count, avg, min, max, etc... Either way, I created a field that concatenates the src_ip, dest_ip, and threat_name so you can get a line for each in a line graph for example. I hope this helps.

index=xxx_paloalto sourcetype="pan:threat" type=threat (threat_name="SCAN: TCP Port Scan(8001)” OR threat_name=“SCAN: Host Sweep(8002)”)
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
src_ip != xxx
| eval byfield=src_ip . "," . dest_ip . "," . threat_name
| bin _time span=1d
| chart count over _time by byfield
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...