Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sum of field b after making multivalue fields and sort by date

chaday00
Path Finder
‎05-28-2021 08:59 AM

I have created several 'rex' expressions that parse data into their own fields and the created multivalue fields combining these into a common field. I'd like to know if it is possible to query this mutlivalue field and get the sum of a different field. 

vuln_summarythreat_valuedate
Microsoft finding a29005/28/2021
Microsoft finding a1005/28/2021
Skype finding a5005/28/2021
Windows finding a30005/28/2021
Windows finding b25005/28/2021
Linux finding a10005/28/2021
Linux finding b5005/28/2021

I've created the following rex fields that work to lumb these findings together:

 

| rex field=vuln_summary "(?<ms>^.*?(Microsoft).*?$)" 
| rex field=vuln_summary "(?<skype>^.*?(Skype).*?$)" 
| rex field=vuln_summary "(?<windows>^.*?(Windows).*?$)"
| rex field=vuln_summary "(?<linux_os>^.*?(Linux)|(linux).*?$)"

 

 Then a multivalue field that combines them into one field called 'microsoft' and similar for Linux:

 

| eval microsoft=mvappend(ms, windows, skype, rpc)
| eval linux=mvappend(linux_os, grub, bind, gnome, libpng, curl)

 

I'd like to get the sum of the 'threat_value' for the multivalue fields and other fields for a stacked bar chart by Date.  Something like below, I think: 

Datesum of TRS for microsoftsum of TRS for linuxsum of TRS for field 'x'
05/28/202190001500nnn
    
    
Labels (5)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2021 10:39 AM

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2021 10:39 AM

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...