Looking for a simple approach to combine two fields into one.
Ref: ES / Audit / Incident Review Audit
There is no report/dashboard panel that has a breakdown of Open, Closed, Pending, or Resolved by Severity level. Unfortunately, I need to show how many events are OPEN and how many are CLOSED by Severity levels CRITICAL and HIGH.
Using a basic search string I can easily pull the data but forcing it to break down into a graph using the above criteria is giving me no end of trouble.
Basic search:
`notable`
| search severity="high" OR severity="critical" NOT suppression
| stats count by status_label
| sort 10 - count
| rename status_label as Status, count as "# Events"
I want to combine Open and Pending into a single, combined field value labeled as "Open", and combine Closed and Resolved into a single field value labeled as "Closed". I then need to reflect how many Open and Closed events there are by severity levels CRITICAL and HIGH.
I would like to put it in a Column graph, with a time range of monthly since the beginning of the year.
Thoughts?
The top answer in this thread worked for me.
http://answers.splunk.com/answers/49394/merge-two-fields-into-one-field
Try this
`notable`
| search severity="high" OR severity="critical" NOT suppression
| eval status_label=case(status_label="Open" OR status_label="Pending","Open", status_label="Closed" OR status_label="Resolved","Closed", 1=1,"NA")
| stats count by status_label,severity
| sort 10 - count
| rename status_label as Status, severity as Severity, count as "# Events"
For a month-wise chart:
`notable`
| search severity="high" OR severity="critical" NOT suppression
| eval status_label=case(status_label="Open" OR status_label="Pending","Open", status_label="Closed" OR status_label="Resolved","Closed", 1=1,"NA")
| eval severity_status=severity.":".status_label
| timechart span=1mon count by severity_status
It may be because of the "sort 10 - count" command, which just sorts in descending order by count and selects the top 10 rows. What is the exact requirement here? Also, please validate the string values within double quotes for exact value and case. Except in the base search, case matters everywhere (suspecting it because "N/A" is returned).
Unfortunately, it is only showing a single set of columns (High) (HIGH:N/A). No breakdowns by severity or status.
I removed the severity criteria (severity="high" OR severity="critical") so that it could look at all severity levels. Wanted to shorten the window (speed up the search) so needed to ensure there were events that the query could return. Same results either way.
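The "HIGH:N/A" result above is what the case() expression produces when the literal status strings do not match the actual field values exactly (for example "open" or "Open" versus "OPEN"). The search below is an added example, not code from any post in this thread: it keeps the merge logic from the accepted answer but matches status_label case-insensitively with match(), uppercases severity so the series names are stable, labels anything unmatched "Other" so it stays visible rather than silently collapsing into one column, and restricts the range to the current calendar year with relative_time() instead of relying on the time picker. It assumes the `notable` macro supplies status_label and severity as in the original question, and that the suppression filter from the question still applies.

```spl
`notable`
| search (severity="high" OR severity="critical") NOT suppression
| where _time >= relative_time(now(), "@y")
| eval Severity=upper(severity),
       Status=case(
           match(status_label, "(?i)^(open|pending)$"),    "Open",
           match(status_label, "(?i)^(closed|resolved)$"), "Closed",
           1=1,                                            "Other")
| eval Series=Severity.":".Status
| timechart span=1mon count by Series useother=f usenull=f
```

If the chart still shows only one series, replace everything after the `where` line with `| stats count by severity status_label` to see the raw values the case() is being asked to map; any value that lands in "Other" is one the two regexes need to cover. For a single column chart rather than a monthly trend, swap the last two lines for `| chart count over Severity by Status`.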