Splunk Search

Help charting or displaying multiple fields

danielransell
Path Finder

I'm working on creating either a report with a table or a dashboard to visualize the status of my Windows Audit Policy. The purpose of the report/dashboard is to measure compliance and detect any GPO/Configuration errors. I'm having trouble trying to identify how I'm going to figure out how to implement this.
My events, after a transaction command, look like the following:

Field:                        Values:
Security_System_Extension     Success and Failure
System_Integrity              Success and Failure
Logon                         Success and Failure
Logoff                        Failure
DPAPI_Activity                No Auditing
...and so on....

One way that I could working well is the following chart where the numbers are the result of a stats dc(host) or something:

Chart
.                            Success                 Failure            Success and Failure       No Auditing
Security_System_Extension    4                       0                  100                       0
System_Integrity             0                       0                  104                       0
Logon                        0                       0                  104                       0

Another way involving an eval or replace on a by-field basis could be:

Chart
.                            Compliant                 Non-Compliant
Security_System_Extension    100                       4
System_Integrity             104                       0
Logon                        104                       0

Currently, the only thing that I can think of is creating a dashboard with lots of panels - one for each field - | stats dc(host) by Security_System_Extension

Security_System_Extension                dc(host)
Success                                  4   
Success and Failure                      100

Any recommendations on how to get something like depicted in the other examples?

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults count=200
| eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
| eval value=mvindex(raw,random()%3)
| eval alphabet=split("abcdefg","")
| eval Field=mvindex(alphabet,random()%7)
| table Field value
`comment("this is sample data")`
| stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by Field

Hi, This is sample query, How about this?

View solution in original post

to4kawa
Ultra Champion
| makeresults count=200
| eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
| eval value=mvindex(raw,random()%3)
| eval alphabet=split("abcdefg","")
| eval Field=mvindex(alphabet,random()%7)
| table Field value
`comment("this is sample data")`
| stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by Field

Hi, This is sample query, How about this?

danielransell
Path Finder

You search works well, but my problem is I do not have a field named Field in my results. Each of my fields are named differently. I started going down a path of fieldsummary to get a list of fieldnames and assign them to a new field, but I can't seem to figure it out.

0 Karma

rmmiller
Contributor

Rows 8 and 9 are actually a single line. I'm getting a field named "Field" in my results. The BY clause guarantees Field is there.

P.S.: Nice sample data, to4kawa!!

0 Karma

to4kawa
Ultra Champion

thanks, @rmmiller You can move in two lines.

@danielransell
My query is a sample, so you can change it to an appropriate field name.
Is the log given as an example different in the first place?

0 Karma

danielransell
Path Finder

My sample data is supposed to be one big event. My dilemma is having ~60 field names. Your line 8 and 9 works great when each event has a Field value of a, b, c, d, e, f, g. You can then sum by each of those field values. Each event for me has ~60 key value pairs.

It would be great if I could neatly display a single line for each field name (which corresponds to one of Windows Advanced Audit Policy names), and display dc(hosts) by the specific field name.

I may just end up with a dashboard with 60 panels, incorporating your count functions. Alternatively, I may be able to get creative using a fieldsummary command, and using a lookup of the 60 fields I need, then messing with the values column. Just hoping there is a cleaner way.

0 Karma

to4kawa
Ultra Champion
| makeresults 
 | eval audit="\"Audit Credential Validation\",\"Audit Kerberos Authentication Service\",\"Audit Kerberos Service Ticket Operations\",\"Audit Other Account Logon Events\",\"Audit Application Group Management\",\"Audit Computer Account Management\",\"Audit Distribution Group Management\",\"Audit Other Account Management Events\",\"Audit Security Group Management\",\"Audit User Account Management\",\"Audit DPAPI Activity\",\"Audit Process Creation\",\"Audit Process Termination\",\"Audit RPC Events\",\"Audit Detailed Directory Service Replication\",\"Audit Directory Service Access\",\"Audit Directory Service Changes\",\"Audit Directory Service Replication\",\"Audit Account Lockout\",\"Audit User/Device Claims\",\"Audit IPsec Extended Mode\",\"Audit IPsec Main Mode\",\"Audit IPsec Quick Mode\",\"Audit Logoff\",\"Audit Logon\",\"Audit Network Policy Server\",\"Audit Other Logon/Logoff Events\",\"Audit Special Logon\",\"Audit Application Generated\",\"Audit Certification Services\",\"Audit Detailed File Share\",\"Audit File Share\",\"Audit File System\",\"Audit Filtering Platform Connection\",\"Audit Filtering Platform Packet Drop\",\"Audit Handle Manipulation\",\"Audit Kernel Object\",\"Audit Other Object Access Events\",\"Audit Registry\",\"Audit Removable Storage\",\"Audit SAM\",\"Audit Central Access Policy Staging\",\"Audit Audit Policy Change\",\"Audit Authentication Policy Change\",\"Audit Authorization Policy Change\",\"Audit Filtering Platform Policy Change\",\"Audit MPSSVC Rule-Level Policy Change\",\"Audit Other Policy Change Events\",\"Audit n Sensitive Privilege Use\",\"Audit Other Privilege Use Events\",\"Audit Sensitive Privilege Use\",\"Audit IPsec Driver\",\"Audit Other System Events\",\"Audit Security State Change\",\"Audit Security System Extension\",\"Audit System Integrity\",\"Audit IPsec Driver\",\"Audit Other System Events\",\"Audit Security State Change\",\"Audit Security System Extension\",\"Audit System Integrity\""
 | makemv delim="," audit
 | mvexpand audit
 | eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
 | eval value=mvindex(raw,random()%3)
 | table audit  value
 `comment("this is sample data")`
  | stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
 ,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by audit

If your query is properly tabulated, it will work

0 Karma

danielransell
Path Finder

Thanks for all the help in this. Ultimately, my data did not match your example well - so I made a couple more field extractions and it worked. Originally I created 59 field extractions for each audit policy subcategory. Then Account Lockout would have a value of Success and Failure, and so on and so on 58 more times.

In order to get my report in a manner that I like, I added an extraction for the Audit Policy Name (AuditPolicy_SubCategory in the code below), so that would equal Account Lockout, then I added an extraction for the Audit Policy Value (AuditPolicyValue below), so that would equal Success, Success and Failure, Failure or No Auditing. With these extractions in place, my final search looks like this:

index=idx sourcetype=auditpolicy
| dedup host, AuditPolicy_SubCategory
| table AuditPolicy_SubCategory, AuditPolicyValue
| stats count(eval(AuditPolicyValue="Success")) as Success, count(eval(AuditPolicyValue="Success and Failure)) as "Success and Failure", count(eval(AuditPolicyValue="Failure")) as Failure, count(eval(AuditPolicyValue="No Auditing")) as "No Auditing" by AuditPolicy_SubCategory

Thanks for the help to4kawa. Marking yours as the answer and awarded some points.

0 Karma

danielransell
Path Finder

I think I see what’s going on - really looking forward to giving this a try on Monday.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...