Splunk Search

How to combine the outputs of two searches and display them in a chart?

evang_26
Communicator

Hi users,

I am trying to combine the outputs of two different searches and stack them in a chart.

The idea is to find the most popular IPs in my network based on vulnerability severity high OR critical, and then chart each popular IP with its respective number of vulns (high OR critical).

Here is how I started dealing with this:

sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity

However, the above lists only IPs with severity==high because there are more high vulns for all of the IPs.

Bearing the above in mind, and hoping that I can still list the most popular IPs (total of high + critical vulns for each IP), I thought combining searches, that is have one to find the most popular IPs (high + critical) and then somehow instruct the other search to take from the listed previously IPs and list how many critical vulns. Below is the attempt:

|set union [search sourcetype=nessus severity=high OR severity=critical  earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity] [search sourcetype=nessus severity=critical OR severity=high earliest=-30d@mon latest=now| top 5 severity,dest_ip|  where severity=critical| chart sum(count) by dest_ip,severity]

However, the above lists again only machines with high vulns. Critical ones are missing.

Could anyone help?

Regards,
Evang

Tags (3)
1 Solution

lguinn2
Legend

Try this approach:

sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high 
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical
| addcoltotals high critical
| sort -total

This approach uses sorting plus streamstats to identify the top IPs based on high severity, plus the top based on critical severity. The where command keeps the top 10 in both groups. If you show this as a graphic chart, you may want to eliminate the last 2 lines, which calculates an overall total of the two categories.

This should give you no more than 20 IPs in the resulting chart.

View solution in original post

lguinn2
Legend

Try this approach:

sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high 
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical
| addcoltotals high critical
| sort -total

This approach uses sorting plus streamstats to identify the top IPs based on high severity, plus the top based on critical severity. The where command keeps the top 10 in both groups. If you show this as a graphic chart, you may want to eliminate the last 2 lines, which calculates an overall total of the two categories.

This should give you no more than 20 IPs in the resulting chart.

evang_26
Communicator

That worked!

Thank you very much indeed lguinn.

Hope some day I'll be able to help guys like me in the future!

Regards,
Evang

lguinn2
Legend

Try this:

sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical

It is a little complex! You really are combining two independent "Top Tens" - one based on critical severity and the other based on high severity. You could do this with other commands like join or append but this approach should be much more efficient and work with large data sets.

evang_26
Communicator

Hi tom_frotscher,

I tried with both of them,

| fields dest_ip critical high
| table dest_ip critical high

It didn't worked. I tried also with a fieldnull, same thing.

Regards,
Evang

0 Karma

tom_frotscher
Builder

I think what Iguinn meant was to delete the last two lines of the search string that was posted. Because this just calculates the totals of the columns.

If you just want to keep certain fields, use the table or fields command after your search to achieve this. For example:

... | table dest_ip critical high
0 Karma

evang_26
Communicator

Hi lguinn,

Wow, that worked amazingly!

However, I haven't thought that it would be that (let's say ) advanced, using streamstats and staff. I'll keep that script though in my one-note to be processed for future queries.

One more question though, how to eliminate 2 lines as you say? I am attempting to keep only dest_ip, critical and high fields but it doesn't work.

Regards,
Evang

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...