Splunk Search

How to create pie charts for the top 10 firewall events based on different time ranges and fields?


I'm just starting to experiment with some cool searches for my firewall events. I've created this customized search that will sort by src_ip and display other fields of interest in table form. I've used the time presets to create reports and dashboards for day, week, month and year.

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count

I'm looking for help on creating some cool pie charts for the top 10 events based on the aforementioned time frames, filtered by different criteria such as src_ip or action (pass/block).

Much appreciated!

For the search you did, you can have a pie chart:

index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count | head 10

The general syntax of the top command is: top top-options field-list [by-clause]

See the Splunk Enterprise 6.x Search Reference for more on the command.

0 Karma

If you are already able to make a search as you did, producing a pie chart will be easy.

Just make sure that you filter your search as you like, and at the end, to get the top 10, you add this:

| top limit=10 action

If you are in the Splunk default search view, click on Visualization, then choose Pie in the dropdown menu beside Format.

0 Karma
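As an added example (not part of either answer above), here is a complete search that both answers describe, written against the field names from the question (src_ip, dest_ip, action with values pass/block are assumed to exist in the events as the question shows them; the time modifiers and option names are standard SPL). The first search feeds a pie chart directly; the second shows the caveat that applies once stats has already aggregated the events.

```spl
index="main" sourcetype="syslog" earliest=-24h latest=now action="block"
| top limit=10 src_ip useother=f showperc=t

index="main" sourcetype="syslog" earliest=-7d@d latest=now
| stats count by src_ip, dest_ip, dest_port, action
| sort -count
| head 10
```

The first search runs top on raw events, so each pie slice is the number of blocked events per source IP over the last 24 hours; useother=f keeps the chart to exactly ten slices and showperc=t adds the percentage column. Change earliest (for example -7d@d or -30d@d) or replace the hardcoded modifiers with a dashboard time picker to get the day/week/month views from the question; swapping src_ip for action gives the pass/block split. The second search is the pattern from the first answer: after stats, every result row already carries its own count, so running top there would count rows rather than summing events; sort -count followed by head 10 keeps the ten largest aggregated rows, and the count column is what the pie chart visualization uses.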