Splunk Search

Help on Spl query - dashboard Studio

jaibalaraman
Path Finder

How do I edit the append command below to fit my real-time environment?

The source below was obtained from Splunk Dashboard Studio:

| makeresults count=50
| eval app="Web Server"
| eval type="User"
| append
[ makeresults count=28
| eval app="Web Server"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Web Server"
| eval type="Idle"
]
| append
[makeresults count=22
| eval app="Network"
| eval type="User"
]
| append
[ makeresults count=48
| eval app="Network"
| eval type="System"
]
| append
[ makeresults count=30
| eval app="Network"
| eval type="Idle"
]
| append
[makeresults count=65
| eval app="Load Balancer"
| eval type="User"
]
| append
[ makeresults count=17
| eval app="Load Balancer"
| eval type="System"
]
| append
[ makeresults count=18
| eval app="Load Balancer"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Storage"
| eval type="User"
]
| append
[ makeresults count=27
| eval app="Storage"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Storage"
| eval type="Idle"
]
| append
[makeresults count=18
| eval app="Database"
| eval type="User"
]

| append
[ makeresults count=60
| eval app="Database"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Database"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Security"
| eval type="User"
]
| append
[ makeresults count=12
| eval app="Security"
| eval type="System"
]
| append
[ makeresults count=38
| eval app="Security"
| eval type="Idle"
]

| append
[makeresults count=45
| eval app="Auth Server"
| eval type="User"
]
| append
[ makeresults count=32
| eval app="Auth Server"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Auth Server"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="CDN"
| eval type="User"
]

| append
[ makeresults count=28
| eval app="CDN"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="CDN"
| eval type="Idle"
]

| chart count by app, type
| eval sort_field=case(app=="Login",1,app=="Search",2,app=="Cart",3,app=="Pricing",4,app=="Checkout",5,app=="Order Management",6,app=="Gifting",7,app=="Chat",8)
| sort sort_field
| table app, User, System, Idle



My current Splunk search:


index=sample x_host_header=www.sample.com

| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows",if(match(useragent,"Mac"),"Mac",if(match(useragent,"CPH"),"Android",if(match(useragent,"Nokia"),"Android",if(match(cs_user_agent,"Pixel"),"Android",if(match(useragent,"TB-"),"Android",if(match(useragent,"VFD"),"Android",if(match(useragent,"HP%20Pro%20Slate"),"Android",if(match(cs_user_agent,"VOG-L09"),"Android",if(match(useragent,"YAL-L21"),"Android",if(match(useragent,"ATU-L22"),"Android",if(match(useragent,"MAR-LX1A"),"Android",if(match(useragent,"RNE-L22"),"Android",if(match(useragent,"INE-LX2"),"Android",if(match(useragent,"AMN-LX2"),"Android",if(match(useragent,"LYO-LO2"),"Android",if(match(useragent,"DRA-LX9"),"Android",if(match(useragent,"LYA-L29"),"Android",if(match(useragent,"ANE-LX2J"),"Android",if(match(useragent,"STK-L22"),"Android",if(match(useragent,"EML-AL00"),"Android",if(match(useragent,"BLA-L29"),"Android",if(match(useragent,"X11"),"Linux",if(match(useragent,"LDN-LX2"),"Android",if(match(useragent,"TB3-"),"Android",if(match(useragent,"5033T"),"Android",if(match(useragent,"5028D"),"Android",if(match(useragent,"5002X"),"Android",if(match(useragent,"COR-"),"Android",if(match(useragent,"MI%20MAX"),"Android",if(match(useragent,"WAS-LX2"),"Android",if(match(useragent,"vivo"),"Android",if(match(useragent,"EML-L29"),"Android",if(match(useragent,"Moto"),"Android",if(match(useragent,"MMB"),"Android","OTHER"))))))))))))))))))))))))))))))))))))

0 Karma

jaibalaraman
Path Finder

Yes, I have created an eval SPL query to find out the list of mobile devices (Android / Mac / Windows / Bot / Linux / DuckDuckGo).

Please find below the eval command, which is working 100% fine; the SPL commands are shared in my previous post.


index=sample x_host_header=www.sample.com

| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows",if(match(useragent,"Mac"),"Mac",if(match(useragent,"CPH"),"Android",if(match(useragent,"Nokia"),"Android",if(match(cs_user_agent,"Pixel"),"Android",if(match(useragent,"TB-"),"Android",if(match(useragent,"VFD"),"Android",if(match(useragent,"HP%20Pro%20Slate"),"Android",if(match(cs_user_agent,"VOG-L09"),"Android",if(match(useragent,"YAL-L21"),"Android",if(match(useragent,"ATU-L22"),"Android",if(match(useragent,"MAR-LX1A"),"Android",if(match(useragent,"RNE-L22"),"Android","OTHER"))))))))))))))


What I am trying to achieve:

I am creating a Dashboard Studio dashboard for our application, where I am trying to reverse engineer an already created, predefined Dashboard Studio dashboard.

The output I am expecting is to see the list of users who are using Android / Mac / Windows / Linux / DuckDuckGo.

I am not sure how to edit the append function below so that it gives me that output.


| makeresults count=50
| eval app="Web Server"
| eval type="User"
| append
[ makeresults count=28
| eval app="Web Server"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Web Server"
| eval type="Idle"
]
| append
[makeresults count=22
| eval app="Network"
| eval type="User"
]
| append
[ makeresults count=48
| eval app="Network"
| eval type="System"
]
| append
[ makeresults count=30
| eval app="Network"
| eval type="Idle"
]
| append
[makeresults count=65
| eval app="Load Balancer"
| eval type="User"
]
| append
[ makeresults count=17
| eval app="Load Balancer"
| eval type="System"
]
| append
[ makeresults count=18
| eval app="Load Balancer"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Storage"
| eval type="User"
]
| append
[ makeresults count=27
| eval app="Storage"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Storage"
| eval type="Idle"
]
| append
[makeresults count=18
| eval app="Database"
| eval type="User"
]

| append
[ makeresults count=60
| eval app="Database"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Database"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Security"
| eval type="User"
]
| append
[ makeresults count=12
| eval app="Security"
| eval type="System"
]
| append
[ makeresults count=38
| eval app="Security"
| eval type="Idle"
]

| append
[makeresults count=45
| eval app="Auth Server"
| eval type="User"
]
| append
[ makeresults count=32
| eval app="Auth Server"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Auth Server"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="CDN"
| eval type="User"
]

| append
[ makeresults count=28
| eval app="CDN"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="CDN"
| eval type="Idle"
]

| chart count by app, type
| eval sort_field=case(app=="Login",1,app=="Search",2,app=="Cart",3,app=="Pricing",4,app=="Checkout",5,app=="Order Management",6,app=="Gifting",7,app=="Chat",8)
| sort sort_field
| table app, User, System, Idle


Thanks 


0 Karma

ITWhisperer
SplunkTrust

Edit the data source, or create a new one based on your search, and update the panel to use the new / updated data source.

0 Karma

jaibalaraman
Path Finder

Sorry, I am trying to achieve the same output which I have used with eval, applying the same concept to Dashboard Studio. Not sure how do I edit t

0 Karma

ITWhisperer
SplunkTrust

Open the dashboard and click on the edit option.


Then click on the Edit Data Overview button.


Click on the pencil for the search you want to update.


Or create a new search.


Paste your search into the Search with SPL box.

0 Karma

ITWhisperer
SplunkTrust

What is it that you are trying to achieve?

By the way, you could convert the series of nested if functions to a case function.

0 Karma
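Putting the two answers above together: the makeresults chain in the Dashboard Studio sample is only placeholder data, so the data source's SPL gets replaced wholesale by the real search, and the chain of nested if functions collapses into one case(). The search below is an added example written for this thread; it is not the original poster's search and not a Splunk-supplied one. It assumes a single field named useragent (the posted eval also reads cs_user_agent for two of its patterns), that the DuckDuckGo browser identifies itself with the substring DuckDuckGo, that a generic bot|crawler|spider pattern is acceptable for the Bot bucket, and that a src_ip field exists for counting distinct clients. The index, the host header and every field name are assumptions to adjust to your own data.

```spl
index=sample x_host_header=www.sample.com
| eval Device=case(
    match(useragent, "DuckDuckGo"), "DuckDuckGo",
    match(useragent, "(?i)bot|crawler|spider"), "Bot",
    match(useragent, "SM-"), "Android",
    match(useragent, "Windows"), "Windows",
    match(useragent, "Mac"), "Mac",
    match(useragent, "CPH|Nokia|Pixel|TB-|VFD|HP%20Pro%20Slate|VOG-L09|YAL-L21|ATU-L22|MAR-LX1A|RNE-L22|INE-LX2|AMN-LX2|LYO-LO2|DRA-LX9|LYA-L29|ANE-LX2J|STK-L22|EML-AL00|BLA-L29"), "Android",
    match(useragent, "X11"), "Linux",
    match(useragent, "LDN-LX2|TB3-|5033T|5028D|5002X|COR-|MI%20MAX|WAS-LX2|vivo|EML-L29|Moto|MMB"), "Android",
    true(), "OTHER")
| stats count AS requests, dc(src_ip) AS distinct_clients BY Device
| sort - requests
| table Device, distinct_clients, requests
```

Paste this into the Search with SPL box of the data source, set the data source's time range, and point the table or bar chart panel at that data source in place of the makeresults one. case() returns the value of the first condition that is true, so the branch order from the nested ifs is preserved (SM- before Windows, Windows before Mac, the X11 check between the two Android groups), and only the two new, more specific DuckDuckGo and Bot branches are placed ahead of the broad ones: DuckDuckGo on an iPhone carries "like Mac OS X" in its User-Agent, so with the original order it would be counted as Mac. match() takes a regular expression, which is why the model names can be joined with | into one pattern; the literal % in HP%20Pro%20Slate and MI%20MAX is fine in a regex. Watch the size of the OTHER bucket over time, since everything the patterns miss lands there. Finally, the User-Agent header is set by the client, so treat the Device column as descriptive telemetry, not as an identity or trust decision.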