Grouping of data and charts

earthport2
New Member

Hi all,

I'm a beginner with Splunk and I'm studying and implementing it for the company I work for.

One of the first reports I'm setting up is the number of denies that our firewalls record. I set up a search that includes the name of the firewall, the host that was denied, and how many times the denies have been recorded:

index=net host=192.168.0.1 OR host=192.168.0.1 106023 | rex "(?=[^s]*(?:src outside:|s.*src outside:))^(?:[^:\n]*:){4}(?P<denied_host>\d+\.\d+\.\d+\.\d+)" | table host denied_host | stats count(denied_host) as count by host, denied_host | sort - count

And it works, I can see the data.

The next requirement is to plot the data in a graph, a line for each firewall, and schedule a daily execution. To do this I define a data model where I set a root search, then when I create a pivot I set up the columns and the rows, but the result is always no events found. I'm not able to understand the problem. Why the

What mistake am I making? Is this the correct way to set up what I need? I already spent 2 days on this, reading guides and searching online, and I can't find a solution, or I'm not able to understand what I've found.

UPDATE: I also tried a different way, but always with data models. I defined custom field extractions and used a simpler search:

index=net host=192.168.0.1 OR host=192.168.0.2 | stats count(denied_host) as count by host, denied_host

But then again, when I define a data model with denied_host as rows, host as columns and sum of count as value, I receive "no results found".

Please, bear with my lack of terminology, I'll clarify any mistake.
Thanks,
Fabrizio


woodcock
Esteemed Legend

Your "table" command is eliminating all of your fields and you don't need it; also you do not need a data model to graph. Try this:

index=net host=192.168.0.1 OR host=192.168.0.1 106023 | rex "(?=[^s]*(?:src outside:|s.*src outside:))^(?:[^:\n]*:){4}(?P<denied_host>\d+\.\d+\.\d+\.\d+)" |  timechart span=1h count BY host, denied_host


earthport2
New Member

I was finally able to do what I needed:

index=net host=192.168.0.1 OR host=192.168.0.2 106023 | rex "(?=[^s]*(?:src outside:|s.*src outside:))^(?:[^:\n]*:){4}(?P<denied_host>\d+\.\d+\.\d+\.\d+)" | top limit=30 showperc=false denied_host by host | chart sum(count) as denies by denied_host, host | addtotals fieldname=total | sort -total | fields - total

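To see what the accepted search and the final chart search actually produce, here is an added Python model of the same pipeline (extract the denied source IP from a 106023 deny, count by firewall host and denied_host, then pivot to one row per denied_host with one column per firewall and a total). It is example code, not from this thread or from Splunk, runs over constructed sample events, and assumes a simpler `src outside:` regex than the poster's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events: (Splunk host field, raw ASA 106023 message).
# Synthetic data for illustration, not events from the original post.
SAMPLE_EVENTS = [
    ("192.168.0.1", '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4455 dst inside:10.0.0.8/445 by access-group "outside_in"'),
    ("192.168.0.1", '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4456 dst inside:10.0.0.8/445 by access-group "outside_in"'),
    ("192.168.0.2", '%ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:10.0.0.9/53 by access-group "outside_in"'),
    ("192.168.0.2", '%ASA-4-106023: Deny tcp src outside:203.0.113.5/80 dst inside:10.0.0.9/80 by access-group "outside_in"'),
    # Outbound deny: no "src outside:" so denied_host is null and stats skips it.
    ("192.168.0.1", '%ASA-4-106023: Deny tcp src inside:10.0.0.8/2222 dst outside:203.0.113.5/22 by access-group "inside_out"'),
]

# Assumed simplification of the thread's rex: capture the IP after "src outside:".
DENIED_HOST_RE = re.compile(r"src outside:(?P<denied_host>\d+\.\d+\.\d+\.\d+)")


def extract_denied_host(raw):
    """Equivalent of the rex command: returns the denied_host field or None."""
    m = DENIED_HOST_RE.search(raw)
    return m.group("denied_host") if m else None


def count_denies(events):
    """Equivalent of: stats count BY host, denied_host"""
    counts = Counter()
    for host, raw in events:
        denied = extract_denied_host(raw)
        if denied is not None:  # events without the field drop out of the BY clause
            counts[(host, denied)] += 1
    return counts


def chart_by_denied_host(counts):
    """Equivalent of: chart sum(count) BY denied_host, host | addtotals | sort -total

    Returns rows shaped for a bar chart with denied_host on the x-axis and
    one series per firewall host."""
    hosts = sorted({host for host, _ in counts})
    rows = defaultdict(lambda: {host: 0 for host in hosts})
    for (host, denied), n in counts.items():
        rows[denied][host] += n
    table = [{"denied_host": denied, **cols, "total": sum(cols.values())}
             for denied, cols in rows.items()]
    table.sort(key=lambda row: row["total"], reverse=True)
    return table


if __name__ == "__main__":
    for row in chart_by_denied_host(count_denies(SAMPLE_EVENTS)):
        print(row)
```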

earthport2
New Member

Can I run this as a scheduled report every day? Plus, I don't need a time chart; on the x-axis I need denied_host, but I'll check the command list myself.


woodcock
Esteemed Legend

Yes, you can schedule searches such as these:

index=net host=192.168.0.1 OR host=192.168.0.1 106023 | rex "(?=[^s]*(?:src outside:|s.*src outside:))^(?:[^:\n]*:){4}(?P<denied_host>\d+\.\d+\.\d+\.\d+)" |  chart count BY host, denied_host