Splunk Enterprise Security

I have a unique question. Please... Anyone...

New Member

Hello Everyone.

The following query is providing me what I need for PANs (each pillar is representing . However, I need to change the following query to get all (four PANs) in their own separate pillar, representing the last 8 days, with each pillar representing all four PANs for each day.

index=pa* sourcetype=pan:threat (action=dropped OR action=blocked) src_ip!=10.* threat_id=* | stats count by dvc_name | sort count desc

Any assistance you can provide in that regard will be greatly appreciated.


SplunkTrust

You could do something like this

 index=pa* sourcetype=pan:threat 
 (action=dropped OR action=blocked) 
 src_ip!=10.* threat_id=* 
 earliest=-8d@d latest=@d

| (your code that assigns a Pillar/PAN value for each event)

| bin _time span=1d
| stats count as daycount by Pillar dvc_name _time 
| appendpipe [| stats sum(daycount) as totalcount by Pillar |eval dvc_name="Totals"]
| sort 0 Pillar dvc_name _time

Many other ways are possible, depending on how you plan to use the report.

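The answer above leaves the Pillar assignment as a placeholder. Below is a complete version, added here as an example and not code from the original answerer, that runs offline in any Splunk instance. The first seven lines build constructed pan:threat-style events with makeresults (the device names pa-dc1, pa-dc2, pa-branch and pa-dmz, the Pillar-to-device mapping in the case() line, and every field value are made up for illustration) spread across the 8 full days before today; the remaining lines are the reporting pipeline from the answer. To run it against real data, replace the seven generator lines with the original base search (index=pa* sourcetype=pan:threat ... earliest=-8d@d latest=@d) and drop the "| search" line, since those conditions then sit in the base search.

```spl
| makeresults count=240
| streamstats count as n
| eval _time = relative_time(now(), "@d") - 1 - ((floor(n / 4) % 8) * 86400)
| eval dvc_name = mvindex(split("pa-dc1,pa-dc2,pa-branch,pa-dmz", ","), n % 4)
| eval action = case(n % 5 == 0, "allowed", n % 2 == 0, "dropped", true(), "blocked")
| eval src_ip = if(n % 7 == 0, "10.1.1." . ((n % 250) + 1), "203.0.113." . ((n % 250) + 1))
| eval threat_id = "spyware-" . (n % 9)
| search (action=dropped OR action=blocked) src_ip!=10.* threat_id=*
| eval Pillar = case(dvc_name=="pa-dc1", "Datacenter", dvc_name=="pa-dc2", "Datacenter", dvc_name=="pa-branch", "Branch", dvc_name=="pa-dmz", "DMZ", true(), "Unmapped")
| bin _time span=1d
| stats count as daycount by Pillar dvc_name _time
| appendpipe [| stats sum(daycount) as totalcount by Pillar | eval dvc_name="Totals"]
| sort 0 Pillar dvc_name _time
```

The output is one row per Pillar, dvc_name and day (daycount), followed by one Totals row per Pillar (totalcount). If "pillar" means a bar in a column chart with one series per firewall, swap the four lines after the Pillar eval for "| timechart span=1d count by dvc_name", which returns one row per day and one column per PAN. Two caveats on the filter carried over from the original query: in SPL, src_ip!=10.* only matches events that actually have a src_ip field, so events missing it silently disappear (NOT src_ip=10.* keeps them), and it only excludes 10.0.0.0/8; the other RFC 1918 ranges are still counted as external unless you add a step such as "| where NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip)".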

Legend

@cosm0630 please provide more details on the context, like sample data, the output you are seeing and what you want. Is dvc_name PAN or Pillar? What is the other field in your data?
Are the last 8 days for the search, or do you want them in the result as well?

Please provide more details for the community to help you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"