Splunk Search

How to represent good visualization with the following fields?

kirthika26
Explorer

How to represent a good visualization with the following fields:

DeviceID, Software Version (e.g. 1.22.2222.34), Software Version Release Date (2020-02-03 00:00:00), Software Version last timestamp (2020-02-05 02:04:45) and Total_Days (2)

Total Days is the difference between Software Version Release Date and Software Version last timestamp.

The chart should cover all fields.

 

0 Karma

gcusello
SplunkTrust

Hi @kirthika26,

Is all the information in one event, or in different events from different data sources?

Could you share a sample of these events, possibly one or two from each data source?

Because if they are in one event, you only have to display them using table and calculate the Total Days using eval.

If instead (as I suppose) they are in different data sources, I have to correlate them.

Ciao.

Giuseppe

0 Karma

kirthika26
Explorer

Attached sample gcusello.

All from the same sources.

0 Karma

gcusello
SplunkTrust

Hi @kirthika26,

Sorry, I wasn't clear: I need some sample of the raw events in text mode, not a screenshot.

Anyway, viewing your message, I suppose that you have data in a csv; did you already index it in Splunk?

All the information seems to be in the same event; in this case, you only have to use eval to calculate the date difference.

<your_search>
| eval Total_Days=round((strptime(timestamp,"%m/%d/%Y %H:%M")-strptime(releasetime,"%m/%d/%Y %H:%M"))/86400,2)
| table Device_ID VersionIP releasetime timestamp Total_Days
| rename
   Device_ID AS DeviceID
   VersionIP AS "Software Version"
   releasetime AS "Software Version Release Date"
   timestamp AS "Software Version last timestamp"

Remember that to compare different dates and times, you have to convert them to epoch time.

Ciao.

Giuseppe

0 Karma

kirthika26
Explorer

Hi Giuseppe ,

 

Thanks for your reply. But I need help with the final visualization part after the table command.

0 Karma

gcusello
SplunkTrust

Hi @kirthika26,

I renamed the columns and I rounded the Total_Days field.

What else would you add in the final visualization?

Ciao.

Giuseppe

0 Karma

kirthika26
Explorer

Thanks Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @kirthika26,

If one answer solves your need, please accept one answer for the other people of the Community, or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

0 Karma

diogofgm
SplunkTrust

Depending on what you are trying to see, I would say you could use either a Sankey or a Parallel Coordinates custom viz.

Sankey

https://splunkbase.splunk.com/app/3112

Parallel Coordinates

https://splunkbase.splunk.com/app/3137

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma