Currently, I'm pulling in the minemeld_domainthreatlist.csv lookup via the Palo Alto Splunk TA v 6.1.1.
It's working as expected, but the CSV file gets rather large (currently over 300mb) with lots of duplicate events.
Is there a way of controlling the file size? Either by time or number of similar events?
... View more
Adjust the formatting of the visualization in version 1.0.3 (or higher) which was recently uploaded to Splunkbase. For the “Use Min Percent” setting change it from Yes to No. This will disable the Min Percent setting and display all of the results from the search as slices in the Donut visualization. Depending on the data, this may result in a very noisy visualization.
Another method, which doesn't sound like it would be an option in this particular case but others may find useful, is to use the ‘top’ search function as a part of the original search. If your search is, for instance, "index=main | chart count(source) by source”, consider changing it to "index=main | chart count(source) by source|top limit=12 source”. The latter search will only display the top 12 results in the search and eliminate the OTHER slice from appearing. The limit setting must be at least 1 less than the amount of results that causes the OTHER slice to appear, so it may take some adjusting to get the OTHER slice not to appear. This will mean that you do not see the results of the lowest number of results from your search reflected in any way in the visualization, but will potentially be less noisy than eliminating the min percent setting.
Hope this helps.
... View more