Hi Everyone,
I am new to splunk and need some help.
I am attempting to create a dashboard that separates the asset's vulnerabilities by department.
Right now we get the asset with the vulnerability and was wondering if there is a way to group them by the naming convention. For instance. sec-9564 would be the security department.
So id be saying: if pc starts with sec* than group it into the Security Dept column.
In the end I need to show a dashboard with each departments vulnerabilities.
Any help with this would be appreciated !
If you're lucky enough to have a robust and reliable asset naming scheme then grouping results by department should be fairly easy.
Start by extracting the department name using rex
| rex field=assetName "(?<dept>\w{3})"
Later, you could group results based on the dept field
| stats values(*) as * by dept
There are many possibilities. The specifics depend on the content of the dashboard.
If you're lucky enough to have a robust and reliable asset naming scheme then grouping results by department should be fairly easy.
Start by extracting the department name using rex
| rex field=assetName "(?<dept>\w{3})"
Later, you could group results based on the dept field
| stats values(*) as * by dept
There are many possibilities. The specifics depend on the content of the dashboard.
Thanks for the help!
You could use rex to take that prefix from field and then use it with stats like
..
| rex field=code "(?<dep>[^-]+)"
| stats values(code) as code by dep
r. Ismo