Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dispositions values in reports

xyberdef
Explorer
‎10-26-2023 07:39 AM

Hello,

I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive".

I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick.

Could you point me in the correct direction, please?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)

View solution in original post

Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 10:57 AM

Yes, this is exactly what I need! I tried to play with eval also, but without that case function. Thank you for your help, much appreciated!

0 Karma
Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 09:36 AM

I am using very simple query:

|`incident_review` | stats count by disposition

I get table like this:

xyberdef_0-1698337577215.png

When I make bar chart it looks like this:

xyberdef_1-1698337686739.png

What I am trying to do is same bar chart, but instead of disposition:1, disposition:2..., I would like to see there values of these dispositions so for example true-positive, false-positive...

I tried to use "rename as" like this, but it doesnt work - output is same bar chart as above

|`incident_review` | stats count by disposition | rename disposition:1 as true-positive

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 07:52 AM

Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...