Splunk Search

Sum of field b after making multivalue fields and sort by date

chaday00
Path Finder

I have created several 'rex' expressions that parse data into their own fields and the created multivalue fields combining these into a common field. I'd like to know if it is possible to query this mutlivalue field and get the sum of a different field. 

vuln_summarythreat_valuedate
Microsoft finding a29005/28/2021
Microsoft finding a1005/28/2021
Skype finding a5005/28/2021
Windows finding a30005/28/2021
Windows finding b25005/28/2021
Linux finding a10005/28/2021
Linux finding b5005/28/2021

I've created the following rex fields that work to lumb these findings together:

 

| rex field=vuln_summary "(?<ms>^.*?(Microsoft).*?$)" 
| rex field=vuln_summary "(?<skype>^.*?(Skype).*?$)" 
| rex field=vuln_summary "(?<windows>^.*?(Windows).*?$)"
| rex field=vuln_summary "(?<linux_os>^.*?(Linux)|(linux).*?$)"

 

 Then a multivalue field that combines them into one field called 'microsoft' and similar for Linux:

 

| eval microsoft=mvappend(ms, windows, skype, rpc)
| eval linux=mvappend(linux_os, grub, bind, gnome, libpng, curl)

 

I'd like to get the sum of the 'threat_value' for the multivalue fields and other fields for a stacked bar chart by Date.  Something like below, I think: 

Datesum of TRS for microsoftsum of TRS for linuxsum of TRS for field 'x'
05/28/202190001500nnn
    
    
Labels (5)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...