Re: I have a uniquestion Please... Anyone..

cosm0630 · ‎04-14-2020

Hello Everyone.

The following query is providing me what I need for PANs (each pillar is representing . However, I need to change the following query to get all (four PANS) in their own separate pillar, representing for last 8 days with each Pillar representing all for pans for each day.

index=pa* sourcetype=pan:threat (action=dropped OR action=blocked) src_ip!=10.* threat_id=* | stats count by dvc_name | sort count desc

Any assistance you can provide in that regard will be greatly appreciated.

DalJeanis · ‎04-15-2020

You could do something like this

 index=pa* sourcetype=pan:threat 
 (action=dropped OR action=blocked) 
 src_ip!=10.* threat_id=* 
 earliest=-8d@d latest=@d

| (your code that assigns a Pillar/PAN value for each event)

| bin _time span=1d
| stats count as daycount by Pillar dvc_name _time 
| appendpipe [| stats sum(daycount) as totalcount by Pillar |eval dvc_name="Totals"]
| sort 0 Pillar dvc_name _time

Many other ways are possible, depending on how you plan to use the report.

niketn · ‎04-15-2020

@cosm0630 please provide more details on the context like sample data, output what are you seeing and what you want. Is dvc_name PAN or Pillar. What is the other field in your data?
Last 8 days is for search or you want in Result as well?

Please provide more details for the community to help you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

I have a uniquestion Please... Anyone..

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)