How Do I Make 5 Bar Graphs by Using the Output of ...

jeremy_fade · ‎09-11-2017

I use the following search to show a pie chart of the top 5 IPs connecting to the network:

sourcetype="conn_log" | chart count by Orig_IP | sort -count | head 5

I also use the following search to look up a specific IP (for example, 8.8.8.8) on all logs, exclude instances where the IP doesn't exist, then view it on a bar graph:

8.8.8.8 | timechart span=1h count by sourcetype | addtotals | search Total > 0

Ideally, I want to combine these 2 strings to have the first string fill in the IP criteria for the second string, making a bar graph for each of the top 5 IPs. But if this can't be done, is there a way to make 5 individual search strings to display bar graphs for each of the top 5 IPs?

woodcock · ‎09-11-2017

Maybe (not sure about how you are doing sourcetype) like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype="conn_log" 
[search index=YouShouldAlwaysSpecifyAnIndex sourcetype="conn_log" | Top 5 Orig_IP | table Orig_IP]
| timechart span=1h count BY sourcetype

Also, look at the new Trellis feature:
https://discoveredintelligence.ca/splunk-6-6-new-features-part-iv-trellis/

DalJeanis · ‎09-11-2017

Best to always code the index.

index=foo sourcetype="conn_log" 
     [ search index=foo sourcetype="conn_log" 
     | chart count by Orig_IP 
     | sort 5 -count 
     | table Orig_IP
     ]
| timechart span=1h count by Orig_IP

How Do I Make 5 Bar Graphs by Using the Output of a Chart String as Input to a Timechart String?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services