Cascade Table View

ylucena · ‎01-24-2020

Hello everyone,

I am trying to put a table view together with no luck. The view is rather simple in theory but I cannot render it using SPL. I'd like to display the values of OS BY ip_address BY interface BY host. I would like them to be contained in one another from the most specific to the least (right to left). Using "values() by " won't give me the view I need. Ultimately, I wanted to show all rows for a field but only one for the common parent. I'd like to see something like the below. Sort of like a cascade effect. I'd appreciate any help!! Please, let me know if I am not being clear enough.

Host    |   interface   |   ip_address  |   OS

Host1       eth0            10.110.x.x      linux
                                               windows
                                               OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

            eth1            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

Host2       eth0            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

            eth1            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

spavin · ‎01-31-2020

Hi @ylucena,

One way to filter out already defined data is to use streamstats combined with evals.

First thing to do is sort the table by Host, interface, ip_address and OS.
Then you can compare each row with the value of the previous row. If they are the same as the previous line, then change the value to "".

|...previous search here...
| sort Host, interface, ip_address, OS
| streamstats current=false  last(Host) as prev_host, last(interface) as prev_interface, last(ip_address) as prev_ipaddress
| eval Host=if(Host==prev_host,"",Host)
| eval interface=if(Host=="" AND interface == prev_interface,"",interface)
| eval ip_address=if(Host=="" AND interface=="" AND ip_address==prev_ipaddress,"",ip_address)
| table Host, interface, ip_address, OS

Checks:

This search checks the Host to see if it's the same as the last one, and if so sets it to "".
Next it looks at the Interface - if the host is already set to "" and the interface is the same as the last one, then it sets the interface to "".
Finally, a similar check is done for ip_address. As long as the Host and interface are blank, it will set the ip_address to "" if it's the same as the previous one.
In all other cases the fields are left as-is.

That results it the following:

Cheers,
Daniel

Cascade Table View

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?