Splunk Search

How do I plot events returned from my search on a scatter graph over time?

SecureIA
Path Finder

Hi helpful people,

I wish to plot login events on a scatter graph. I would like to show when logins have occurred and on what host. (preferably color can symbolize a certain host if that is possible). Here is my search below:

host=??? NOT host=??? NOT host=??? NOT username=??? NOT username=??? NOT username=??? NOT username=??? "new session"

This search returns all the login events, but I cannot seem to understand how to use the scatter graphs in Splunk.

Any help would be truly appreciated.

0 Karma

jplumsdaine22
Influencer

Hello,

Welcome to Splunk. If you have not already done so, I highly recommend going through the search tutorial. It will take you a few hours, but you will learn a great deal! http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial

First up, your search has some redundant terms. Because you have a positive term for host, there is no need to specify NOT host, as host can only have a single value. I would write it like this:

 host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???) 

In this case, to generate data for the visualisation you will need a reporting command. Let's say your events contain a field called foo; then your search should be something like this:

 host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)  | stats count(foo) by username

Then when you select the visualization tab your scatter plot should populate. Your actual reporting search will depend on what data you have and how you want to present it - as I said if you do the search tutorial it will show you what to do.

0 Karma

SecureIA
Path Finder

I have read much of it and I am becoming more and more familiar with Splunk with each passing week. Trouble is that I have never been able to successfully implement an idea on a scatter graph.

The main issue I'm having is that I'm trying to plot against time. Therefore, may I ask whether a timechart would be more suitable?

0 Karma

JMichaelis
Path Finder

In this case a timechart would be better, for example:
| timechart span=1h count(foo)
if you want to plot all events with the field foo each hour or
| timechart span=1h count(foo) by username
if you want to see a line for each username.
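Worked example, added here and not code from any post in this thread: a small Python script that reproduces what `| timechart span=1h count by username` produces over a handful of constructed "new session" events, after applying the same kind of host and NOT-username filters the thread discusses. The point is to see the table shape the Visualization tab draws from: one row per hour bucket (empty hours zero-filled, as timechart does) and one column per value of the `by` field. It generalizes the answer slightly by letting the `by` field be `host` as well, which is what the original question wanted to colour by. The log line format, the `action` field name, and the usernames and hosts are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import shlex

# Constructed sample events (not real data): ISO timestamp, then key=value fields.
SAMPLE_EVENTS = [
    '2024-03-01T08:05:12Z host=srv01 username=alice action="new session"',
    '2024-03-01T08:42:00Z host=srv01 username=bob action="new session"',
    '2024-03-01T09:10:33Z host=srv02 username=alice action="new session"',
    '2024-03-01T09:11:01Z host=srv02 username=alice action="new session"',
    '2024-03-01T09:59:59Z host=srv01 username=svc_backup action="new session"',
    '2024-03-01T10:00:00Z host=srv02 username=bob action="session closed"',  # not a login
    '2024-03-01T10:30:45Z host=srv03 username=carol action="new session"',
]

# Stands in for the NOT (username=... OR username=...) clause in the thread.
EXCLUDED_USERS = {"svc_backup"}


def parse_event(line):
    """Turn one constructed log line into a dict with a UTC _time plus key=value fields."""
    ts_str, rest = line.split(" ", 1)
    fields = {}
    # shlex keeps the quoted "new session" value together as one token
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def matches_search(ev, host=None, excluded_users=EXCLUDED_USERS):
    """Apply the thread's search: optional host=<value>, "new session", NOT the excluded usernames."""
    if host is not None and ev.get("host") != host:
        return False
    if ev.get("action") != "new session":
        return False
    return ev.get("username") not in excluded_users


def timechart_count(lines, by="username", span_hours=1, host=None):
    """Emulate `| timechart span=<N>h count by <field>`.

    Returns (columns, rows): columns are the sorted distinct values of the `by`
    field, rows are (bucket_start, {value: count}) in time order with every
    bucket between the first and last event present and zero-filled.
    """
    table = defaultdict(lambda: defaultdict(int))
    values = set()
    for line in lines:
        ev = parse_event(line)
        if not matches_search(ev, host=host):
            continue
        t = ev["_time"].replace(minute=0, second=0, microsecond=0)
        bucket = t.replace(hour=t.hour - t.hour % span_hours)  # floor to the span boundary
        table[bucket][ev[by]] += 1
        values.add(ev[by])
    if not table:
        return [], []
    columns = sorted(values)
    start, end = min(table), max(table)
    step = timedelta(hours=span_hours)
    rows, t = [], start
    while t <= end:
        rows.append((t, {v: table[t].get(v, 0) for v in columns}))
        t += step
    return columns, rows


def render(columns, rows):
    """Print the table the way Splunk's statistics tab would show it."""
    print("_time".ljust(20) + "".join(c.rjust(12) for c in columns))
    for bucket, counts in rows:
        print(bucket.strftime("%Y-%m-%d %H:%M").ljust(20) + "".join(str(counts[c]).rjust(12) for c in columns))


if __name__ == "__main__":
    render(*timechart_count(SAMPLE_EVENTS, by="username"))   # one column per username
    print()
    render(*timechart_count(SAMPLE_EVENTS, by="host"))       # one column per host
```

Each column of the resulting table becomes one series (one colour) in the line or scatter chart on the Visualization tab, which is why `by host` gives the per-host colouring asked for in the question.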

jplumsdaine22
Influencer

Yep do what @JMichaelis said - you should get the results you're after.

See http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Timechart for more specifics

0 Karma