Splunk Enterprise Security: Drilldown stats list

gbhw
New Member

Hi,

I am building a vulnerability dashboard and got the following table:

[screenshot of the table]

To make it easier to read I'd like to combine the IP addresses using

| stats list(Vulnerability) AS Vulnerabilities, list(VulnerabilityId) AS VulnerabilityId by IP

[screenshot of the combined table]

The VulnerabilityId is an internal unique Id that I'd like to hide from the user, but I would like to add a drilldown that sets a token to this VulnerabilityId. In the first table I can achieve that by setting a token to "$row.VulnerabilityId$". The problem is that as soon as I use "stats list()" the token will include all VulnerabilityIds in the cell (14923,14924,14925,...).

  • Is there a possibility to only set the one VulnerabilityId associated with the Vulnerability clicked?
  • If not, is there a possibility to somehow mask the VulnerabilityId so it simply shows a specific word (e.g. "Details") and on click the token is set to the actual value in the cell?
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi gbhw,
use values(...):

| stats values(Vulnerability) AS Vulnerabilities values(VulnerabilityId) AS VulnerabilityId by IP

But beware because the display order of Vulnerabilities and VulnerabilityId isn't the same for both the lists, in other words Vulnerabilities and VulnerabilityId are ordered in alphabetical order and it could be possible that the first Vulnerability isn't related to the first VulnerabilityId.
If you want you could have a different approach:
you could use the Vulnerability description as key, or you could correlate Vulnerability and VulnerabilityId before stats and after stats use a regex to extract VulnerabilityId to use for drilldown, in other words:

| eval column=Vulnerability."_".VulnerabilityId
| stats values(column) AS Vulnerabilities by IP
| rex field=Vulnerabilities "[^_]*_(?<VulnerabilityId>.*)"
| table IP Vulnerabilities VulnerabilityId

Ciao.
Giuseppe

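To see why the two suggestions behave differently, here is an added Python simulation (not from the thread and not Splunk code) of `stats values()` over constructed sample rows: it reproduces the independent lexicographic ordering of each `values()` list and the combined-key plus `rex` workaround. The field names follow the thread; the IPs, descriptions and ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rows (one finding per row, like the first table in the question).
ROWS = [
    {"IP": "10.0.0.5", "Vulnerability": "Weak cipher suites", "VulnerabilityId": "14923"},
    {"IP": "10.0.0.5", "Vulnerability": "Outdated OpenSSH", "VulnerabilityId": "14925"},
    {"IP": "10.0.0.5", "Vulnerability": "Self-signed certificate", "VulnerabilityId": "14924"},
    {"IP": "10.0.0.9", "Vulnerability": "Outdated OpenSSH", "VulnerabilityId": "14925"},
]
# The real (Vulnerability, VulnerabilityId) pairs, used to check each approach.
TRUTH = {(r["Vulnerability"], r["VulnerabilityId"]) for r in ROWS}

def stats_values(rows, field, by="IP"):
    """Mimic `stats values(<field>) by IP`: distinct values per group, in lexicographic order."""
    groups = defaultdict(set)
    for r in rows:
        groups[r[by]].add(r[field])
    return {k: sorted(v) for k, v in groups.items()}

def values_approach(rows):
    """values() on each field separately: both lists are sorted on their own, so position i
    of Vulnerabilities does not necessarily belong to position i of VulnerabilityId."""
    vulns = stats_values(rows, "Vulnerability")
    ids = stats_values(rows, "VulnerabilityId")
    return {ip: list(zip(vulns[ip], ids[ip])) for ip in vulns}

# Same pattern as the rex in the answer: everything after the first "_" is the id.
ID_RE = re.compile(r"[^_]*_(?P<VulnerabilityId>.*)")

def combined_key_approach(rows):
    """eval column=Vulnerability."_".VulnerabilityId, stats values(column), then rex the id
    back out of every cell value, so each description keeps its own id."""
    keyed = [dict(r, column=r["Vulnerability"] + "_" + r["VulnerabilityId"]) for r in rows]
    result = {}
    for ip, cells in stats_values(keyed, "column").items():
        result[ip] = [(c.split("_", 1)[0], ID_RE.fullmatch(c).group("VulnerabilityId")) for c in cells]
    return result

def pairs_are_correct(result):
    """True when every (Vulnerability, VulnerabilityId) pair in every cell matches the source rows."""
    return all(pair in TRUTH for cell in result.values() for pair in cell)

if __name__ == "__main__":
    for name, fn in (("values()", values_approach), ("combined key", combined_key_approach)):
        print(f"{name:13}", fn(ROWS)["10.0.0.5"], "correct pairing:", pairs_are_correct(fn(ROWS)))
```

The separator matters: the rex splits at the first "_", so a vulnerability description containing an underscore would leak its tail into VulnerabilityId; pick a character that cannot occur in the description.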


gbhw
New Member

I tried your suggestion using the values instead of list but it has the same behavior.
But the idea of using a combined value and extract the Id from it is a good workaround. I've tested it and it works.
Thank you!!
