Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trellis Search

JanetLong
Engager
‎11-29-2021 01:41 AM

Splunk's VisualizationTrellis documentation page shows example searches for things like count by sourcetype, and later shows trellis-ed visualizations for multi-value items, but there are no example searches for them. 

My data looks like this...

{
   audit: {
     audit_enabled: Compliant,  
     control_access: NotCompliant,
     firewall_on: NotCompliant, 
     etc: ... 
   }
}

I can create separate searches for each item in audit {} like this...

source=device_audit 
| stats count by audit.audit_enabled

But there are many audit items. I'd like to trellis pie charts for each audit item without creating a separate search for each. 

Is there are search I can use to trellis to produce three pie charts to show the split between compliant and notCompliant for each of the audit items (audit_enabled/control_access/firewall_on)?

Thank you. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 02:33 AM

The part before the blank lines sets up some dummy data and should be replace with your search

| makeresults count=100
| eval _raw="{\"audit\":{\"audit_enabled\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\",\"controlled_access\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\",\"firewall_on\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\"}}"


| spath
| fields - _raw
| untable _time audit state
| stats count by audit state

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 02:33 AM

The part before the blank lines sets up some dummy data and should be replace with your search

| makeresults count=100
| eval _raw="{\"audit\":{\"audit_enabled\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\",\"controlled_access\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\",\"firewall_on\":\"".mvindex(split("Not|","|"),random()%2)."Compliant\"}}"


| spath
| fields - _raw
| untable _time audit state
| stats count by audit state
Reply
Solved! Jump to solution

JanetLong
Engager
‎11-30-2021 10:32 PM

Brilliant. Thanks... I learned a lot from picking that apart. 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...