I have query results that look like this: Risk Age Total High gt30 16 High gt60 3 High gt90 184 Low gt30 4 Low gt60 42 Low gt90 84 I want it to be in this X-Y table format where X is Age and Y is Risk: And note that there is no result for Med risk, but that has to be accounted for in the end formatted table as zeroes. How the Splunk do I get that to happen? Alternatively, I can get the results in this form, with zeroes for Med: But then, how do you convert that into the desired X-Y table format? ... View more

When I attempt to drilldown from a dashboard (line) chart to another dashboard (form), it seems like the parameter is not being passed on. The chart is pretty simple, the query for it ends with: ... | table "Month" "NonCompliant" So the X axis is each month and the Y axis is a count of NonCompliant things. The drilldown is set as: <link target="_blank">/app/splunk_app_sa/noncompliants_for_period?thePeriod="$click.value$"</link> </drilldown> The idea is when I click on a node on that chart (say, for month 09/2018), that “09/2018” should get passed to the other dashboard as “thePeriod”. The other dashboard, which works fine if you enter "thePeriod" manually, has: <input type="text" token="thePeriod"> <label>For Period (mm/yyyy)</label> </input> Clicking on the month node does bring up the other dashboard, but without providing the clicked-on month parameter. I have tried “$click.name$”, "$click.value$", “$row.Month$”, etc, with and without quotes... Any ideas? ... View more

I do a search query where one of the fields returned has semicolon-separated values. For example, "Alpha;Beta;delta". The field sometimes has a large number of values, and the last one ends with dot-dot-dot, for example: ";blue;red..." I know from the source feeding this that the field has more values than are being shown in Splunk. So I think Splunk is just truncating and not showing the rest of the values. Is it possible to get the full amount of data, or is that being truncated at the point of the feed? Is there a solution to this? ... View more

Goal is to determine, from specific vulnerabilities found in scans, the percentage that have been ‘fixed’, meaning they are not found in the latest scans. So first we get the vulns for all time, then check the ones related to the latest scans. So alltime – latest = fixed. And fixed / alltime * 100 = percentage fixed. The search/query takes way too long. How to speed it up? Here is the approach. sourcetype=alpha | eval comment=”the above gets the results of the scans All Time” | eval comment=”cve is multivalue field, so split it up so we can lookup a specific CVE” | makemv delim=";" cve | mvexpand cve | rename cve AS CVE | eval comment=”now just look at the ones we care about” | join CVE [|inputlookup PriorityCVE.csv] | eval comment=”label these as ‘alltime’” | eval ReportKey="alltime" | eval comment=”now get the scans representing the latest info” | append [search sourcetype=alpha | makemv delim=";" cve | mvexpand cve | rename cve AS CVE | join CVE [|inputlookup PriorityCVE_test.csv] | eval comment=”last_scan_finished is in terms of date not granularity of _time” | convert timeformat="%F" ctime(_time) AS CurScan | eval comment=”the beta source has events over time with last_scan_finished per asset” | join asset_id, CurScan [search sourcetype=beta | dedup asset_id last_scan_finished | fields asset_id last_scan_finished | sort 0 - last_scan_finished | dedup asset_id | convert timeformat="%Y-%m-%d %H:%M:%S.%Q" mktime(last_scan_finished) AS LastScanTmp | convert timeformat="%F" ctime(LastScanTmp) AS CurScan | fields asset_id CurScan] | eval comment=”label those that match the last_scan_finished date as ‘nowtime’” | eval ReportKey="nowtime” | table asset_id CVE ReportKey | eval comment=“get counts” | stats values(ReportKey) as ReportKey by asset_id CVE | eval comment=”if you only have the alltime label, you have been fixed” | eval status=case(mvcount(ReportKey)=2, "Persistent", ReportKey="alltime", "Fixed", true(), "New") | eval comment=”(since all scans are in alltime, there should be no ‘new’)” | eval comment=”need to get the counts into variables for the equation” | stats count AS stots BY status | fields stots | mvcombine delim="," stots | nomv stots | rex field=stots "(?<tot_fix>.),(?<tot_persist>.)" | eval comment=”now do the calculation” | eval progress=(tot_fix / (tot_fix + tot_persist)) * 100 | table progress I also tried an approach that put the last_scan_finished per asset in a lookup table, avoiding the redundant search, but that did not speed it up much (and would introduce the need to keep updating a lookup table). Ideas? ... View more

I want a rolling 12 month bar chart. I have a lookup file (flagcve.csv) as follows. CVE,ReleaseDate CVE-2017-0144, 03/14/17 CVE-2017-0145, 03/14/17 CVE-2017-0199, 04/10/17 CVE-2017-5689, 05/01/17 CVE-2017-5715, 01/03/18 I have this search/query. |inputlookup flagcve.csv | convert timeformat="%m/%d/%y" mktime(ReleaseDate) AS _time | timechart bins=12 span=1mon count(CVE) I get this result. 2017-03 2 2017-04 1 2017-05 1 2017-06 0 2017-07 0 2017-08 0 2017-09 0 2017-10 0 2017-11 0 2017-12 0 2018-01 1 That's almost what I want. But if this is January, it should go back to 2017-02. If this is Feb 2018, and no change is made to the file, it should be 2017-03 2 2017-04 1 2017-05 1 2017-06 0 2017-07 0 2017-08 0 2017-09 0 2017-10 0 2017-11 0 2017-12 0 2018-01 1 2018-02 0 Whereas if a change was made to the file (such as CVE-2017-6666 02/15/18 was added), it would have the proper count (1 in this case) for 2018-02 instead of 0. Ideas? ... View more

I have this search: index=alpha asset_id=100 | timechart span=1mon latest(score) by asset_id This gives me a chart with data in some months, but for months without data, blanks. What I want is the latest value (score) as is seen by any given month, up to that time. And the chart would have the latest 6 months. So given these months and data: 2-2017 : 1 3-2017 : 2 4-2017 : 3 5-2017 : no data 6-2017 : 4 7-2017 : no data 8-2017 : 6 9-2017 : no data 10-2017 : 7 11-2017 : no data 12-2017 : no data The chart I want to end up with is: 7-2017 : 4 8-2017 : 6 9-2017 : 6 10-2017 : 7 11-2017 : 7 12-2017 : 7 suggestions? ... View more