How to create pie charts for the top 10 firewall e...

WWhite · ‎10-05-2014

I'm just starting to experiment with some cool searches for my firewall events. I've created this customized search that will sort by src_ip and display other fields of interest in table form. I've used the time presets to create reports and dashboards for day, week, month and year.

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count

I'm looking for help on creating some cool pie charts for top 10 events based on the aforementioned time frame's filtered by different criteria such as src_ip or action (pass/block).

Much appreciated!

stephane_cyrill · ‎12-12-2014

for the search you did you can have a pie

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count|top 10

the general syntaxe of the top commande is: top top-option fiel-list [by-clause]

see Splunk Enterprise 6x Search Reference for more on the command.

stephane_cyrill · ‎12-12-2014

OK
If you are already able to make a search as you did, Producing a pie chart will be easy.

just make sur that you filter your search as you like and at the end to have the top 10 you add this:

| top limit=10 action

if you are in the splunk default search view , clic on visualization then choose pie in the dropdown menu beside format.

How to create pie charts for the top 10 firewall events based on different time ranges and fields?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...