Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dispositions values in reports

xyberdef
Explorer
‎10-26-2023 07:39 AM

Hello,

I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive".

I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick.

Could you point me in the correct direction, please?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)

View solution in original post

Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 10:57 AM

Yes, this is exactly what I need! I tried to play with eval also, but without that case function. Thank you for your help, much appreciated!

0 Karma
Reply
Solved! Jump to solution

xyberdef
Explorer
‎10-26-2023 09:36 AM

I am using very simple query:

|`incident_review` | stats count by disposition

I get table like this:

xyberdef_0-1698337577215.png

When I make bar chart it looks like this:

xyberdef_1-1698337686739.png

What I am trying to do is same bar chart, but instead of disposition:1, disposition:2..., I would like to see there values of these dispositions so for example true-positive, false-positive...

I tried to use "rename as" like this, but it doesnt work - output is same bar chart as above

|`incident_review` | stats count by disposition | rename disposition:1 as true-positive

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 10:28 AM

Try something like this (obviously expand the case function to cover the other renames)

|`incident_review` | stats count by disposition
| eval disposition=case(disposition=="disposition:1","true-positive",disposition=="disposition:2","false-positive",true(),disposition)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2023 07:52 AM

Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...