Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dispositions values in reports

xyberdef
Explorer
‎10-26-2023 07:39 AM

Hello,

I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive".

I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick.

Could you point me in the correct direction, please?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)

View solution in original post

Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 10:57 AM

Yes, this is exactly what I need! I tried to play with eval also, but without that case function. Thank you for your help, much appreciated!

0 Karma
Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 09:36 AM

I am using very simple query:

|`incident_review` | stats count by disposition

I get table like this:

xyberdef_0-1698337577215.png

When I make bar chart it looks like this:

xyberdef_1-1698337686739.png

What I am trying to do is same bar chart, but instead of disposition:1, disposition:2..., I would like to see there values of these dispositions so for example true-positive, false-positive...

I tried to use "rename as" like this, but it doesnt work - output is same bar chart as above

|`incident_review` | stats count by disposition | rename disposition:1 as true-positive

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 07:52 AM

Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...