Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dispositions values in reports

xyberdef
Explorer
‎10-26-2023 07:39 AM

Hello,

I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive".

I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick.

Could you point me in the correct direction, please?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)

View solution in original post

Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 10:57 AM

Yes, this is exactly what I need! I tried to play with eval also, but without that case function. Thank you for your help, much appreciated!

0 Karma
Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 09:36 AM

I am using very simple query:

|`incident_review` | stats count by disposition

I get table like this:

xyberdef_0-1698337577215.png

When I make bar chart it looks like this:

xyberdef_1-1698337686739.png

What I am trying to do is same bar chart, but instead of disposition:1, disposition:2..., I would like to see there values of these dispositions so for example true-positive, false-positive...

I tried to use "rename as" like this, but it doesnt work - output is same bar chart as above

|`incident_review` | stats count by disposition | rename disposition:1 as true-positive

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 07:52 AM

Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...