Handy search for a dashboard
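earliest=-90d@d `notable`
```Per-rule notable counts for the last 90 days, split by urgency, limited to correlation searches that are currently enabled.```
```Flag suppressed notables. eventtype can be multivalue, so each value is tested through mvfilter. (?i) is used because match() is case-sensitive and ES suppression eventtypes are normally named notable_suppression-<name>; verify against the eventtypes in your environment.```
| eval isSuppressed=if(isnotnull(mvfilter(match(eventtype,"(?i)suppression"))),1,0)
| stats count(eval(urgency=="informational")) as informational_count
        count(eval(urgency=="low")) as low_count
        count(eval(urgency=="medium")) as medium_count
        count(eval(urgency=="high")) as high_count
        count(eval(urgency=="critical")) as critical_count
        sum(isSuppressed) as suppression_count
        sparkline(count) as activity
        by rule_name
```Inner join: a rule is listed only if it produced notables in the window AND the REST call returns it. Enabled rules with zero notables do not appear, and REST returns only the saved searches the dashboard user is allowed to read, so this table is not evidence of full detection coverage. Disabled rules are filtered inside the subsearch so fewer rows count against the join subsearch row/time limits in limits.conf; truncation there is silent.```
| join rule_name
    [| rest splunk_server=local count=0 /services/saved/searches
    | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
    | rename action.correlationsearch.label as rule_name
    | eval status = if(disabled=="1","disabled","enabled")
    | search status!=disabled
    | fields rule_name
    ]
```stats counts are not null after an inner join; fillnull is kept as a cheap guard in case the join type is changed later.```
| fillnull value=0 informational_count low_count medium_count high_count critical_count suppression_count
| fields rule_name activity suppression_count informational_count low_count medium_count high_count critical_count
```Total sums the urgency columns over all notables, suppressed ones included; suppression_count is reported alongside, not subtracted.```
| addtotals critical_count high_count medium_count low_count informational_count
| sort - Total critical_count high_count medium_count low_count informational_count
| rename Total as total_reported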