I have a search that counts the vulnerabilities for a given team and places them on a Bar chart on a dashboard based on the "Risk" field to display how many Critical, High, Medium or Low events there are.
The problem I have is that not all teams have all 4 levels of vulnerabilities, so the graphs look a bit rubbish. Some only have one level, others have 3 or 4, and the graphs only show the vulnerabilities that have a value.
I would like to always have Critical, High, Medium AND Low on the x-axis for every team even though the value for these may be Zero.
For example, if a team has 5 Mediums, the graph only shows one bar.
How do I create a Bar chart that shows:
Critical = 0
High = 0
Medium = 5
Low = 0
Thanks
| append
[| makeresults
| eval Risk=split("Critical,High,Medium,Low",",")
| eval count=0
| mvexpand Risk]
| stats sum(count) as count by Risk
Does this work for you?
| chart count by team vulnerability
Thanks for the suggestion.
Each dashboard reports on only one team via a dropdown option on a form, and we are counting the number of Risks per risk level, so I've used:
| chart count by Risk
From the example data I posted, this command produces the same result. I need some way of defining all 4 risk levels even though their count is zero.
I am curious: if you are displaying bar charts for all these teams, why does the chart command only group by Risk?
| chart over team by Risk
should populate 0 into teams where that particular Risk level is missing. If you want teams to chart separately, you can use trellis in visualization, and split by team.
You may be able to use the fillnull command. However, the way that works best for you depends on how the fields are generated so please share the SPL.
I have tried to use the fillnull command, but with no success.
Each vulnerability record contains an identifier (ID) and a risk level (Risk)
The graph needs to show the number of each risk level where the vulnerability identifier (ID) has been reported for more than 4 weeks, so the SPL is:
team=teamname | stats count AS weeks by ID, Risk | where weeks>4 | chart count by Risk
Thanks
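An added example, not posted by anyone in this thread, that puts the two pieces together: the search from the last post combined with the makeresults/append zero-fill suggested earlier, plus an explicit sort so the four bars always appear in severity order instead of alphabetically (Critical, High, Low, Medium). The `$team$` token stands in for the form dropdown and the `sort_order` field name is an assumption; the Risk values are assumed to be spelled exactly Critical, High, Medium and Low in the data.

```spl
team=$team$
| stats count AS weeks BY ID, Risk
| where weeks > 4
| stats count BY Risk
| append
    [| makeresults
     | eval Risk=split("Critical,High,Medium,Low", ",")
     | mvexpand Risk
     | eval count=0
     | fields Risk, count]
| stats sum(count) AS count BY Risk
| eval sort_order=case(Risk=="Critical", 1, Risk=="High", 2, Risk=="Medium", 3, Risk=="Low", 4, true(), 5)
| sort sort_order
| fields - sort_order
```

The subsearch generates one row per risk level with count=0, so after the final `stats sum(count) BY Risk` every level is present even when the team has none; `chart count BY Risk` and `stats count BY Risk` yield the same two-column table, so either works as the first aggregation. This is also why `fillnull` did not help: it replaces null values in rows that already exist, it cannot create a row for a category that never appears in the results. Because `stats ... BY Risk` is case-sensitive, a value such as "medium" would produce a fifth bar rather than merging with "Medium"; normalise the field with an `eval` before the first `stats` if the source data is inconsistent.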