Hi,
I am building a vulnerability dashboard and got the following table:
To make it easier to read I like to combine the IP addresses using
| stats list(Vulnerability) AS Vulnerabilities, list(VulnerabilityId) AS VulnerabilityId by IP
The VulnerabilityId is an internal unique Id that I like to hide from the user but I would like to add a drilldown that sets a token to this VulnerabilityId. In the first table I can achieve that by setting the a token to "$row.VulnerabilityId$". The problem is as soon as I use "stats list()" the token will include all VulnerabilityIds in the cell (14923,14924,14925,...).
Hi gbhw,
use values(...):
| stats values(Vulnerability) AS Vulnerabilities values(VulnerabilityId) AS VulnerabilityId by IP
But beware because the display order of Vulnerabilities and VulnerabilityId isn't the same for both the lists, in other words Vulnerabilities and VulnerabilityId are orders in alphabetical order and it could possible that thefirst Vulnerability isn't related to the first VulnerabilityId.
If you want you could have a different approach:
you could use the Vulnerability description as key, or you could correlate Vulnerability and VulnerabilityId before stats and after stats use a regex to extract VulnerabilityId to use for drilldown, in other words:
| eval column=Vulnerability."_".VulnerabilityId
| stats values(column) AS Vulnerabilities by IP
| rex field=column "[^_]*_(?<VulnerabilityId>.*)"
| table IP Vulnerabilities VulnerabilityId
Ciao.
Giuseppe
Hi gbhw,
use values(...):
| stats values(Vulnerability) AS Vulnerabilities values(VulnerabilityId) AS VulnerabilityId by IP
But beware because the display order of Vulnerabilities and VulnerabilityId isn't the same for both the lists, in other words Vulnerabilities and VulnerabilityId are orders in alphabetical order and it could possible that thefirst Vulnerability isn't related to the first VulnerabilityId.
If you want you could have a different approach:
you could use the Vulnerability description as key, or you could correlate Vulnerability and VulnerabilityId before stats and after stats use a regex to extract VulnerabilityId to use for drilldown, in other words:
| eval column=Vulnerability."_".VulnerabilityId
| stats values(column) AS Vulnerabilities by IP
| rex field=column "[^_]*_(?<VulnerabilityId>.*)"
| table IP Vulnerabilities VulnerabilityId
Ciao.
Giuseppe
I tried your suggestion using the values instead of list but it has the same behavior.
But the idea of using a combined value and extract the Id from it is a good workaround. I've tested it and it works.
Thank you!!