Splunk Enterprise

Assigning assets to departments based off naming convention.

sandyjov1
Explorer

Hi Everyone, 

I am new to Splunk and need some help.

I am attempting to create a dashboard that separates the asset's vulnerabilities by department. 

Right now we get the asset with the vulnerability, and I was wondering if there is a way to group them by the naming convention. For instance, sec-9564 would be the security department.

So I'd be saying: if the PC starts with sec*, then group it into the Security Dept column.

In the end I need to show a dashboard with each department's vulnerabilities.

Any help with this would be appreciated!

0 Karma
1 Solution

richgalloway
SplunkTrust

If you're lucky enough to have a robust and reliable asset naming scheme then grouping results by department should be fairly easy.

Start by extracting the department name using rex

| rex field=assetName "(?<dept>\w{3})"

Later, you could group results based on the dept field

| stats values(*) as * by dept

There are many possibilities.  The specifics depend on the content of the dashboard.

 

---
If this reply helps you, Karma would be appreciated.

sandyjov1
Explorer

Thanks for the help!

0 Karma

isoutamo
SplunkTrust

You could use rex to take that prefix from field and then use it with stats like

..
| rex field=code "(?<dep>[^-]+)"
| stats values(code) as code by dep

r. Ismo 
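
An added example, not part of the original posts: the prefix extraction and grouping suggested in the replies above, run over constructed sample rows so it can be pasted into a search bar without any indexed data. The assetName field and the sec prefix come from the thread; the fin and hr prefixes, the department names other than Security, the severity and sample fields, and the Unassigned bucket are assumptions.

```spl
| makeresults count=6
| streamstats count as n
| eval sample="constructed"
| eval assetName=case(n=1,"sec-9564", n=2,"SEC-0012", n=3,"sec-9564", n=4,"fin-2210", n=5,"hr-0042", n=6,"LAPTOP7")
| eval severity=case(n=1,"high", n=2,"medium", n=3,"low", n=4,"high", n=5,"medium", n=6,"high")
| rex field=assetName "(?i)^(?<prefix>[a-z]+)-\d+$"
| eval prefix=lower(prefix)
| eval dept=case(prefix="sec","Security", prefix="fin","Finance", prefix="hr","Human Resources", true(),"Unassigned")
| stats count as vulnerabilities, dc(assetName) as assets, values(assetName) as assetNames by dept
| sort - vulnerabilities
```

Asset names that do not match the convention (LAPTOP7 here) land in Unassigned instead of silently dropping out of the by clause, so gaps in the naming scheme stay visible on the dashboard.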
