Splunk Search

How do I create multiple null values for an existing field?

capilarity
Path Finder

I have a search that counts the vulnerabilities for a given team and places them on a bar chart on a dashboard, based on the "Risk" field, to display how many Critical, High, Medium or Low events there are.

The problem I have is that not all teams have all 4 levels of vulnerabilities, so the graphs look a bit rubbish. Some only have one level, others have 3 or 4, and the graphs only show the vulnerabilities that have a value.

I would like to always have Critical, High, Medium AND Low on the x-axis for every team, even though the value for these may be zero.

For example, if a team has 5 Mediums, the graph only shows one bar.

How do I create a bar chart that shows:

Critical = 0
High = 0
Medium = 5
Low = 0

Thanks


ITWhisperer
SplunkTrust

Does this work for you?

| chart count by team vulnerability

capilarity
Path Finder

Thanks for the suggestion.

Each dashboard reports on only one team via a dropdown option on a form, and we are counting the number of risks per risk level, so I've used:

| chart count by Risk

From the example data I posted, this command produces the same result. I need some way of defining all 4 risk levels even though their count is zero.


yuanliu
SplunkTrust

I am curious: if you are displaying bar charts for all these teams, why does the chart command only group by Risk?

| chart over team by Risk

should populate 0 into teams where that particular Risk level is missing. If you want teams to chart separately, you can use trellis in the visualization and split by team.


ITWhisperer
SplunkTrust
| append
  [| makeresults
   | eval Risk=split("Critical,High,Medium,Low",",")
   | eval count=0
   | mvexpand Risk]
| stats sum(count) as count by Risk

capilarity
Path Finder

PERFECT!!!

Thanks for your help


richgalloway
SplunkTrust

You may be able to use the fillnull command. However, the way that works best for you depends on how the fields are generated, so please share the SPL.

---
If this reply helps you, Karma would be appreciated.

capilarity
Path Finder

I have tried to use the fillnull command, but with no success.

Each vulnerability record contains an identifier (ID) and a risk level (Risk).

The graph needs to show the number of each risk level where the vulnerability identifier (ID) has been reported for more than 4 weeks, so the SPL is:

team=teamname | stats count AS weeks by ID, Risk | where weeks>4 | chart count by Risk

Thanks

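The accepted answer in this thread shows only the append fragment, and this post shows only the base search. Put together, the full query looks like the following. This is an added example, not SPL posted by anyone in the thread: it assumes the asker's field names (team, ID, Risk) and the teamname placeholder from the post above, and the order field plus the final sort are an added tidy-up so the bars come out in severity order rather than alphabetically (which would put Low before Medium).

```spl
team=teamname
| stats count AS weeks by ID, Risk
| where weeks>4
| stats count by Risk
| append
    [| makeresults
     | eval Risk=split("Critical,High,Medium,Low",",")
     | mvexpand Risk
     | eval count=0]
| stats sum(count) AS count by Risk
| eval order=case(Risk=="Critical",1, Risk=="High",2, Risk=="Medium",3, Risk=="Low",4)
| sort order
| fields - order
```

The makeresults subsearch contributes one zero-count row per level, and the second stats merges those rows with the real counts, so every level is present even when its count is 0. One caveat: the group-by in stats is case-sensitive, so the Risk values in the events must match the literal strings in the split() exactly; a value of "medium" in the data would appear as a fifth bar next to the zero-count "Medium" row rather than being merged into it.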