I have created several 'rex' expressions that parse data into their own fields and the created multivalue fields combining these into a common field. I'd like to know if it is possible to query this mutlivalue field and get the sum of a different field.
| vuln_summary | threat_value | date |
| Microsoft finding a | 2900 | 5/28/2021 |
| Microsoft finding a | 100 | 5/28/2021 |
| Skype finding a | 500 | 5/28/2021 |
| Windows finding a | 3000 | 5/28/2021 |
| Windows finding b | 2500 | 5/28/2021 |
| Linux finding a | 1000 | 5/28/2021 |
| Linux finding b | 500 | 5/28/2021 |
I've created the following rex fields that work to lumb these findings together:
| rex field=vuln_summary "(?<ms>^.*?(Microsoft).*?$)"
| rex field=vuln_summary "(?<skype>^.*?(Skype).*?$)"
| rex field=vuln_summary "(?<windows>^.*?(Windows).*?$)"
| rex field=vuln_summary "(?<linux_os>^.*?(Linux)|(linux).*?$)"
Then a multivalue field that combines them into one field called 'microsoft' and similar for Linux:
| eval microsoft=mvappend(ms, windows, skype, rpc)
| eval linux=mvappend(linux_os, grub, bind, gnome, libpng, curl)
I'd like to get the sum of the 'threat_value' for the multivalue fields and other fields for a stacked bar chart by Date. Something like below, I think:
| Date | sum of TRS for microsoft | sum of TRS for linux | sum of TRS for field 'x' |
| 05/28/2021 | 9000 | 1500 | nnn |
| | | | |
| | | | |
