I'm just starting to experiment with some cool searches for my firewall events. I've created this customized search that will sort by src_ip and display other fields of interest in table form. I've used the time presets to create reports and dashboards for day, week, month and year.
index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count
I'm looking for help on creating some cool pie charts for top 10 events based on the aforementioned time frames, filtered by different criteria such as src_ip or action (pass/block).
Much appreciated!
For the search you did you can have a pie chart:
index="main" sourcetype="syslog" | top limit=10 src_ip,src_port,dest_ip,dest_port,protocol,action
The general syntax of the top command is: top top-option field-list [by-clause]
See Splunk Enterprise 6.x Search Reference for more on the command.
OK
If you are already able to make a search as you did, producing a pie chart will be easy.
Just make sure that you filter your search as you like, and at the end, to have the top 10, you add this:
| top limit=10 action
If you are in the Splunk default search view, click on Visualization, then choose Pie in the dropdown menu beside Format.
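Putting the two answers together for the original question (top 10 filtered by action, over one of the preset time ranges), here is an added example; it is not code from either poster. It assumes the same index, sourcetype and field names as the question, that the action field carries the values pass/block, and a constructed relative time range (earliest/latest) standing in for whatever the dashboard's time picker supplies. The useother option keeps an OTHER slice so the pie still represents all blocked traffic rather than only the ten listed sources; the second search adds a by-clause so you get a top 10 of sources for each action value.

```spl
index="main" sourcetype="syslog" action="block" earliest=-7d@d latest=@d
| top limit=10 src_ip showperc=false useother=true

index="main" sourcetype="syslog" earliest=-7d@d latest=@d
| top limit=10 src_ip by action showperc=false useother=false
```

Run the first search, open Visualization and pick Pie: the src_ip column becomes the slice labels and count the slice size. With the by-clause version, the results carry an action column, so Pie will only chart one split; either add `action="pass"` to the base search for a second chart, or use the Trellis layout to get one pie per action value.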