Splunk Search

Merge fields and magic happens

dcasey
Engager

Looking for a simple approach to combine two fields into one.

Ref: ES / Audit / Incident Review Audit

There is no report/dashboard panel that has a breakdown of Open, Closed, Pending, or Resolved by Severity level. Unfortunately, I need to show how many events are OPEN and how many are CLOSED by Severity levels CRITICAL and HIGH.

Using a basic search string I can easily pull the data but forcing it to break down into a graph using the above criteria is giving me no end of trouble.

Basic search:

notable | search severity="high" OR severity="critical" NOT suppression | stats count by status_label | rename status_label as Status, severity as Severity, count as "# Events" | sort 10 - count

I want to combine Open and Pending into a single, combined field value labeled as "Open", and combine Closed and Resolved into a single field value labeled as "Closed". I then need to reflect how many Open and Closed events there are by severity levels CRITICAL and HIGH.

I would like to put it in a Column graph, with a time range of monthly since the beginning of the year.

Thoughts?



somesoni2
SplunkTrust

Try this

notable | search severity="high" OR severity="critical" NOT suppression | eval status_label=case(status_label="Open" OR status_label="Pending","Open",status_label="Closed" OR status_label="Resolved","Closed",1=1,"NA") | stats count by status_label,severity | rename status_label as Status, severity as Severity, count as "# Events" | sort 10 - count

For a month-wise chart:

notable | search severity="high" OR severity="critical" NOT suppression | eval status_label=case(status_label="Open" OR status_label="Pending","Open",status_label="Closed" OR status_label="Resolved","Closed",1=1,"NA") | eval severity_status=severity.":".status_label | timechart span=1mon count by severity_status

somesoni2
SplunkTrust

It may be because of the "sort 10 - count" command, which just sorts in descending order by count and selects the top 10 rows. What is the exact requirement here? Also, please validate the string values within double quotes for exact value and case. Except in the base search, case matters everywhere (I suspect this because "N/A" is returned).

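To make the case() normalization in the answer above and the case-sensitivity caveat in the follow-up concrete, here is an added Python stand-in for the SPL (not code from the thread or from Splunk): it runs the same Open/Pending and Closed/Resolved mapping, the stats by status and severity, and the monthly timechart pivot over a small set of constructed notable events, including one lowercase "pending" that falls through to "NA" exactly as eval's case() would treat it.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample notable events (not real ES data): (_time, severity, status_label)
NOTABLES = [
    ("2024-01-05T10:00:00", "critical", "Open"),
    ("2024-01-09T12:30:00", "high", "Pending"),
    ("2024-01-20T08:15:00", "high", "Closed"),
    ("2024-02-02T09:00:00", "critical", "Resolved"),
    ("2024-02-11T16:45:00", "critical", "Open"),
    ("2024-02-14T11:20:00", "high", "pending"),    # lowercase: case() will not match it
    ("2024-02-27T13:05:00", "medium", "Open"),     # dropped by the severity clause
]

def normalize_status(status_label):
    """Mirror of the SPL case(): Open/Pending -> Open, Closed/Resolved -> Closed, else NA.
    Comparisons are case-sensitive, as they are inside eval (unlike the base search)."""
    if status_label in ("Open", "Pending"):
        return "Open"
    if status_label in ("Closed", "Resolved"):
        return "Closed"
    return "NA"

def stats_by_status_severity(events, severities=("high", "critical")):
    """Equivalent of: search severity=... | eval status_label=case(...) | stats count by status_label,severity"""
    counts = Counter()
    for _time, severity, status_label in events:
        if severity.lower() not in severities:   # base search matching is case-insensitive
            continue
        counts[(normalize_status(status_label), severity)] += 1
    return dict(counts)

def timechart_by_severity_status(events, severities=("high", "critical")):
    """Equivalent of: ... | eval severity_status=severity.":".status_label | timechart span=1mon count by severity_status"""
    buckets = defaultdict(Counter)
    for _time, severity, status_label in events:
        if severity.lower() not in severities:
            continue
        month = datetime.fromisoformat(_time).strftime("%Y-%m")   # span=1mon bucket
        buckets[month][f"{severity}:{normalize_status(status_label)}"] += 1
    return {month: dict(c) for month, c in sorted(buckets.items())}

if __name__ == "__main__":
    for key, n in sorted(stats_by_status_severity(NOTABLES).items()):
        print(key, n)
    for month, row in timechart_by_severity_status(NOTABLES).items():
        print(month, row)
```

The "high:NA" column in February is the symptom described in the follow-up: a status value whose case does not match the quoted strings in case() is not an Open or Closed count, so check the exact values of status_label before trusting the chart.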

dcasey
Engager

Unfortunately, it is only showing a single set of columns (High). (HIGH:N/A). No breakdowns by severity or status.

I removed the severity criteria (severity="high" OR severity="critical") so that it could look at all severity levels. Wanted to shorten the window (speed up the search) so needed to ensure there were events that the query could return. Same results either way.
