Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dispositions values in reports

xyberdef
Explorer
‎10-26-2023 07:39 AM

Hello,

I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive".

I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick.

Could you point me in the correct direction, please?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)

View solution in original post

Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 10:57 AM

Yes, this is exactly what I need! I tried to play with eval also, but without that case function. Thank you for your help, much appreciated!

0 Karma
Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 09:36 AM

I am using very simple query:

|`incident_review` | stats count by disposition

I get table like this:

xyberdef_0-1698337577215.png

When I make bar chart it looks like this:

xyberdef_1-1698337686739.png

What I am trying to do is same bar chart, but instead of disposition:1, disposition:2..., I would like to see there values of these dispositions so for example true-positive, false-positive...

I tried to use "rename as" like this, but it doesnt work - output is same bar chart as above

|`incident_review` | stats count by disposition | rename disposition:1 as true-positive

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 07:52 AM

Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...