I would like to create a bar chart that lists the top 10 hosts with the highest count of events. But rather than have a single bar representing the count, I want a stacked bar representing the count of each unique class of event (there are five of them).
Thx.
Craig
So, what you should do is first get the top 10 hosts in a subsearch, then for those 10 get the count per class.
... [search ... | top 10 host | fields host] | top class by host
...then choose a stacked bar chart in the report builder.
Something like this ?
index=_internal series="*" | eval eps=eps*1000 | rangemap field=eps low=0-100 elevated=101-500 high=501-1000 default=severe | table series range | stats count by series range
Then you can do this in postprocess
appendpipe [ stats sum(count) as count by series | eval range="summary" ] | chart sum(count) as count over series by range useother=f | sort - summary | head 10 | fields - summary
The appendpipe sums up the counts by series only (not by range) - so you can get your 'count by host' stats.
It sticks the results at the end of the search results, distinguishing itself with 'range=summary'.
Then you mux the data up into a chart. Once you have this you can sort on 'summary' ( the total number of hits per series / hostname ) , get the top 10, and remove the summary data-series from the chart.
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>eps</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>
  <module name="Message" layoutPanel="navigationHeader">
    <param name="filter">splunk.search.job</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
    <param name="level">warn</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="eps1" autoRun="True">
    <param name="search">index=_internal series="*" | eval eps=eps*1000 | rangemap field=eps low=0-100 elevated=101-500 high=501-1000 default=severe | table series range | stats count by series range</param>
    <module name="HiddenPostProcess">
      <param name="search">appendpipe [ stats sum(count) as count by series | eval range="summary" ] | chart sum(count) as count over series by range useother=f | sort - summary | head 10 | fields - summary</param>
      <module name="HiddenChartFormatter">
        <param name="charting.chart">column</param>
        <param name="charting.chart.stackMode">stacked</param>
        <module name="EnablePreview">
          <param name="display">False</param>
          <param name="enable">True</param>
          <module name="JSChart">
            <param name="width">100%</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
John
Yes, makes sense - I can't think of a good solution though! The problem is that once you calculate the top 10 hosts, you've filtered out all the other field information, like severity. You could of course calculate by host AND severity, but then you'll have a problem with determining which the actual top 10 hosts are - you can easily grab the top 10 PAIRS of host and severity, but that's likely not what you want. I've no good idea right now on how to solve this in a postprocess to be honest.
The top level dashboard search is:
| inputlookup append=t vulnerabilities_lookup | rangemap field=severity Critical=5-5, High=4-4, Medium=3-3, Low=2-2, Info=0-1 | lookup cve_exploitdb cve_id OUTPUT exploitdb_id
The data fields look like:
_time,dest,hostname,domainname,protocol,dest_port,vuln_id,signature,severity,cve_id,exploitdb_id
I have multiple charts on the page that take the results from the search above and produce reports like:
Top 10 hosts (severity>=3)
For that report, I want to show the top 10 hosts (total count), but display the total in stacked bars by severity.
Make sense?
I think you need to explain more about what info you are getting from where and what your complete search look like. Using a subsearch in a postProcess can be done I guess, but will likely not have the effects you want. Subsearches are commonly used for performing some initial filtering.
Actually, I couldn't quite figure out how to implement the subsearch. I should mention this is being done in a dashboard. There is the initial search that appends data from a lookup table, performs two subsequent lookups, and then applies a rangemap to one of the fields.
I then have a PostProcess that does what I showed above. How do I apply a sub-search in that context. I tried:
[search * | top 10 dest | fields dest]
but I get an error saying subsearches only apply to commands. Then I tried
search * [search * | top 10 dest | fields dest ]
That just times out in 60 secs.
Thanks, Ayn!
This also worked:
| where severity>=3 | contingency dest,range | search NOT dest=TOTAL | sort -TOTAL | head 10 | fields dest,Medium,High,Critical
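The computation that both John's appendpipe/summary trick and the contingency/TOTAL search above perform (aggregate per host and severity range, rank hosts on their total, keep the top N, drop the total column), modelled in Python so the ranking logic can be checked offline. This is an added example, not code from the thread; the sample rows, the column names and the tie-break on hostname are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for the dashboard's lookup output:
# (dest, severity). Severity follows the thread's rangemap:
# 5=Critical, 4=High, 3=Medium, 2=Low, 0-1=Info.
SAMPLE_ROWS = [
    ("10.0.0.1", 5), ("10.0.0.1", 4), ("10.0.0.1", 3), ("10.0.0.1", 5),
    ("10.0.0.2", 3), ("10.0.0.2", 3),
    ("10.0.0.3", 4), ("10.0.0.3", 2), ("10.0.0.3", 5), ("10.0.0.3", 4),
    ("10.0.0.3", 5),
    ("10.0.0.4", 1),
]

RANGES = {5: "Critical", 4: "High", 3: "Medium", 2: "Low"}


def rangemap(severity):
    """Mirror of the thread's rangemap: anything outside 2-5 falls into Info."""
    return RANGES.get(severity, "Info")


def top_hosts_stacked(rows, n=10, min_severity=3):
    """Top n hosts by total finding count, each with a per-range breakdown.

    Equivalent to: stats count by dest range, then a per-host total
    (the 'summary' / 'TOTAL' pseudo-series), sort on that total,
    head n, and finally drop the total so only the stacked series remain.
    Ties on total are broken by hostname (an assumption; SPL sort is stable).
    """
    counts = defaultdict(Counter)
    for dest, sev in rows:
        if sev < min_severity:          # the report's "severity>=3" filter
            continue
        counts[dest][rangemap(sev)] += 1
    totals = {dest: sum(c.values()) for dest, c in counts.items()}
    ranked = sorted(totals, key=lambda d: (-totals[d], d))[:n]
    # Same columns as the thread's final "fields dest,Medium,High,Critical".
    return [
        {"dest": d, "Medium": counts[d]["Medium"],
         "High": counts[d]["High"], "Critical": counts[d]["Critical"]}
        for d in ranked
    ]
```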