I am running the following search:
"authentication failed" | stats count by user, sourceip | sort -count | head 10
Which produces a table with three columns: user, sourceip and count, like so (scrubbed data):
I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this?
Bubble charts expect three dimensions.
clientip won't work for this. It should work if you drop clientip and add two numerical dimensions to stats count. Try stats count by user, date_minute, date_second. Of course that chart is largely nonsensical, since these time dimensions likely don't carry much information.
I found some references about setting the X and Y axes to be categorical/discrete, instead of numeric/continuous (example: https://answers.splunk.com/answering/52635/view.html). Did I misunderstand the information there?
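The aggregation from the question and the categorical-to-numeric mapping discussed in the answer and the follow-up comment, as an added Python example that is not part of the original Splunk Answers thread. It reproduces stats count by user, sourceip | sort -count | head 10 over a few constructed log lines (the line format and the user= / sourceip= key-value layout are assumptions, not the asker's data), then replaces each user and sourceip value with an integer index so the result has the three numeric columns a bubble chart needs, while keeping the lookup tables that turn an axis index back into its label.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not data from the original post).
SAMPLE_LOGS = """\
Mar 01 10:00:01 host sshd[201]: authentication failed user=alice sourceip=10.0.0.5
Mar 01 10:00:04 host sshd[201]: authentication failed user=alice sourceip=10.0.0.5
Mar 01 10:00:09 host sshd[202]: authentication failed user=bob sourceip=10.0.0.5
Mar 01 10:00:12 host sshd[203]: authentication succeeded user=alice sourceip=10.0.0.5
Mar 01 10:00:15 host sshd[204]: authentication failed user=alice sourceip=192.168.1.9
Mar 01 10:00:21 host sshd[205]: authentication failed user=bob sourceip=10.0.0.5
Mar 01 10:00:30 host sshd[206]: authentication failed user=carol sourceip=172.16.0.2
Mar 01 10:00:33 host sshd[207]: authentication failed user=alice sourceip=10.0.0.5
"""

# Assumed key=value extraction; real events would use whatever field extraction
# the sourcetype provides.
_USER_RE = re.compile(r"\buser=(\S+)")
_SRCIP_RE = re.compile(r"\bsourceip=(\S+)")


def parse_failures(text):
    """Return (user, sourceip) pairs for lines matching "authentication failed".

    Lines missing either field are skipped, matching how a stats ... by search
    leaves out events that lack one of the by-fields."""
    events = []
    for line in text.splitlines():
        if "authentication failed" not in line:
            continue
        user = _USER_RE.search(line)
        srcip = _SRCIP_RE.search(line)
        if user and srcip:
            events.append((user.group(1), srcip.group(1)))
    return events


def stats_count_by(events, top=10):
    """Equivalent of: stats count by user, sourceip | sort -count | head <top>.

    Ties on count are broken by user, then sourceip, so the output is
    deterministic (Splunk's sort leaves tie order unspecified)."""
    counts = Counter(events)
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(user, srcip, n) for (user, srcip), n in rows[:top]]


def to_bubble_points(rows):
    """Map the two categorical columns onto integer axes.

    Returns (points, x_labels, y_labels): points are (x, y, size) triples, the
    three numeric columns a bubble chart expects; x_labels[i] / y_labels[j]
    give the user / sourceip behind axis positions i and j for tick labels."""
    x_labels = sorted({user for user, _, _ in rows})
    y_labels = sorted({srcip for _, srcip, _ in rows})
    x_index = {label: i for i, label in enumerate(x_labels)}
    y_index = {label: i for i, label in enumerate(y_labels)}
    points = [(x_index[user], y_index[srcip], n) for user, srcip, n in rows]
    return points, x_labels, y_labels


if __name__ == "__main__":
    top_rows = stats_count_by(parse_failures(SAMPLE_LOGS))
    points, users, ips = to_bubble_points(top_rows)
    print("x\ty\tsize\t(user, sourceip)")
    for (x, y, size), (user, srcip, _) in zip(points, top_rows):
        print(f"{x}\t{y}\t{size}\t({user}, {srcip})")
```

The points list is what you would hand to the chart (one row per bubble, numeric x, y and size), and the two label lists are what you would use to relabel the axis ticks so the integer positions read as user names and source addresses again.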