Splunk Search
Highlighted

How to use the head command with group by?

Explorer

Hi All

We are building a security toolkit that performs a number of different scans as part of the application build process when any new code is committed.
We're using Splunk for monitoring, alerting and reporting with all events generated by the security tests being indexed. We're all relative noobs.
One reporting dashboard we need to present to the security team requires us to show the security test outcome for each application across the 5 most recent builds; the output should be as per the table below:
alt text

There is an appname field in the event that can contain any number of application names. I was planning on using the head command to get the test outcomes for the 5 most recent builds for each application.
This works fine when reporting against a single application, but if I want to report against multiple applications (as per the table above) I cannot find any way to retrieve the first five results for each application. I thought it might be able possible to combine head and group by app
name but I can't find any evidence that this can be done, or any workaround.
Really appreciate any help or recommendations on how I might implement this? It's driving me to drink and you will be saving my liver 🙂
The SPL that I am currently using is below - I've specified an application name in the app_name field:

`index="osesat-dev-01" source=fluentd environment="test-b" platform_region="eu-west-1" kubernetes.pod_name="trufflehog*" OR kubernetes.pod_name="sat-ctrlr-*" app_name=sec-ref-app request_uuid="*" 
| fields - _raw 
| fields _time, request_uuid, app_name, artifact_source, artifact_branch, artifact_revision, kubernetes.pod_name
| join request_uuid [search index="osesat-dev-01" source=fluentd environment="test-b" platform_region="eu-west-1" request_uuid="*" kubernetes.pod_name="trufflehog*" OR kubernetes.pod_name="sat-ctrlr-*" result="pass" OR result="error" OR (result="fail" AND ("High Entropy count">0 OR "Keys count">0 )) 
    | fields - _raw 
    | fields _time, request_uuid, artifact_source, artifact_branch, artifact_revision, result, kubernetes.pod_name, report, "High Entropy count", "keys count"] 
| dedup artifact_revision
| head 5
| table _time, request_uuid, app_name, artifact_source, artifact_branch, artifact_revision, kubernetes.pod_name, result,  "High Entropy count", "keys count", report 
| chart values(result)  as "Test Outcome" over app_name by artifact_revision 
| rename app_name AS "Application", artifact_revision AS "Git Revision Hash"`

Thanks in advance,
Jimmy

0 Karma
Highlighted

Re: How to use the head command with group by?

SplunkTrust
SplunkTrust

Just replace | head 5 with | dedup 5 app_name. Dedup also keeps specified number of recent events for a field (default to 1i.e. most recent entry).

View solution in original post

0 Karma
Highlighted

Re: How to use the head command with group by?

Explorer

Somesoni2 - brilliant. Thanks very much! You seem to exist to help. Top man 🙂

0 Karma