Splunk Enterprise

Assigning assets to departments based off naming convention.

sandyjov1
Explorer

Hi Everyone,

I am new to Splunk and need some help.

I am attempting to create a dashboard that separates the assets' vulnerabilities by department.

Right now we get the asset with the vulnerability and I was wondering if there is a way to group them by the naming convention. For instance, sec-9564 would be the security department.

So I'd be saying: if a PC starts with sec*, then group it into the Security Dept column.

In the end I need to show a dashboard with each department's vulnerabilities.

Any help with this would be appreciated!


richgalloway
SplunkTrust
SplunkTrust

If you're lucky enough to have a robust and reliable asset naming scheme then grouping results by department should be fairly easy.

Start by extracting the department name using rex

| rex field=assetName "(?<dept>\w{3})"

Later, you could group results based on the dept field

| stats values(*) as * by dept

There are many possibilities. The specifics depend on the content of the dashboard.

---
If this reply helps you, Karma would be appreciated.

sandyjov1
Explorer

Thanks for the help!

isoutamo
SplunkTrust
SplunkTrust

You could use rex to take that prefix from the field and then use it with stats like

..
| rex field=code "(?<dep>[^-]+)"
| stats values(code) as code by dep

r. Ismo
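Building on both answers above, the following is an added example search (not from either poster) that takes the prefix before the first hyphen, maps it to a department name, and keeps hosts whose names do not follow the convention visible instead of silently dropping them. The index, sourcetype, the assetName and severity fields, and the prefix-to-department mapping are assumptions for the sake of the example.

```spl
index=vuln sourcetype=vuln_scan severity=*
| rex field=assetName "^(?<dept_code>[^-]+)-"
| eval dept_code=lower(dept_code)
| eval department=case(
    dept_code=="sec", "Security",
    dept_code=="fin", "Finance",
    dept_code=="hr",  "Human Resources",
    isnull(dept_code), "Unparsed hostname",
    true(), "Unknown prefix: ".dept_code)
| stats dc(assetName) as assets,
        count as vulnerabilities,
        count(eval(severity=="critical")) as critical,
        values(assetName) as hosts
    by department
| sort - critical
```

Two points worth noting for a vulnerability dashboard. First, `[^-]+` is used rather than `\w{3}` so that prefixes of any length work, and the leading `^` anchors the match so a department code appearing later in the name cannot be picked up by mistake. Second, `stats ... by department` discards events where the by-field is null, so a host that does not match the naming scheme would vanish from every department panel; the `isnull` and `true()` branches of `case` give those hosts their own rows, which is usually what you want to see on a vulnerability report. If the prefix list grows, the `case` mapping can be replaced with a CSV lookup (`| lookup dept_prefix.csv dept_code OUTPUT department`, with an assumed lookup file name) so that adding a department does not require editing the search.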
