Splunk Search

How to create pie charts for the top 10 firewall events based on different time ranges and fields?

WWhite
Engager

I'm just starting to experiment with some cool searches for my firewall events. I've created this customized search that will sort by src_ip and display other fields of interest in table form. I've used the time presets to create reports and dashboards for day, week, month and year.

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count

I'm looking for help on creating some cool pie charts for top 10 events based on the aforementioned time frames, filtered by different criteria such as src_ip or action (pass/block).

Much appreciated!

stephane_cyrill
Builder

For the search you did, you can have a pie chart:

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count | head 10

The general syntax of the top command is: top top-options field-list [by-clause]

See the Splunk Enterprise 6.x Search Reference for more on the command.


stephane_cyrill
Builder

OK. If you are already able to make a search as you did, producing a pie chart will be easy.

Just make sure that you filter your search as you like, and at the end, to have the top 10, you add this:

| top limit=10 action

If you are in the Splunk default search view, click on Visualization, then choose Pie in the dropdown menu beside Format.

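As an added example (not from either answer above), one search that puts the filter, the time range and the top-10 cut together for a single pie chart: top 10 blocked source IPs over the last 24 hours. The field names are the ones from the original search; the time range and the choice of action="block" are assumptions for illustration.

```spl
index="main" sourcetype="syslog" action="block" earliest=-24h@h latest=@h
| top limit=10 src_ip showperc=true useother=true
```

useother=true folds every source outside the top 10 into a single OTHER slice, so the pie still reflects the full blocked-event count rather than only the ten largest sources. Swap action="block" for action="pass", or src_ip for dest_port, for the other charts, and let the day/week/month presets supply earliest/latest when you save it as a report or dashboard panel.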