Splunk Search & Pivot

Search

The following search does six things:

    1. read events from the source file

    2. create a new field, NessusScan, that captures everything between the first underscore `_` and the next dot `.` in the source path

    3. add another field, NessusEnv, that captures the first run of capital letters in the source path

    4. keep only the NYC environment data

    5. in the Risk field, replace "None" with "Information"

    6. exclude any results whose Risk field value is "Risk"

Example source value: source = /opt/jira-maestro/plugins/nessus/csv/NYC_windows_servers.csv

index=nessus | rex field=source "(?<NessusScan>(?<=\_)(.*?)(?=\.)+)" | rex field=source "(?<NessusEnv>[A-Z]+)" | search NessusEnv=NYC | rex field=Risk mode=sed "s/None/Information/g" | where Risk !="Risk"

Resulting fields for that source:

NessusScan = windows_servers

NessusEnv = NYC

Search for several patterns at once and create a custom field from whichever one matches:

index="bintray" source="/opt/jira-maestro/plugins/bintray_url/csv/bintray_logs.csv" | rex field=product "(?<my_product>((Product_A)|(Product_B))+)"

my_product count = 2
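As an added check, not part of the original notes, the six steps above and the dashboard pivot's count-by-Risk are replayed in Python over constructed events, so the two rex patterns and the Risk normalisation can be validated before the search is trusted on real exports (the sample paths and Risk values are constructed):

```python
import re
from collections import Counter

# Constructed sample events (not real scan data): the "source" Splunk attaches to each
# CSV row plus that row's Risk column. The third row is the CSV header leaking in as data.
SAMPLE_EVENTS = [
    {"source": "/opt/jira-maestro/plugins/nessus/csv/NYC_windows_servers.csv", "Risk": "None"},
    {"source": "/opt/jira-maestro/plugins/nessus/csv/NYC_windows_servers.csv", "Risk": "High"},
    {"source": "/opt/jira-maestro/plugins/nessus/csv/NYC_windows_servers.csv", "Risk": "Risk"},
    {"source": "/opt/jira-maestro/plugins/nessus/csv/TX_linux_servers.csv", "Risk": "Critical"},
]

# The two rex patterns from the search in Python syntax ((?P<name>...) instead of (?<name>...));
# the redundant "+" on the lookahead is dropped, which does not change what is captured.
NESSUS_SCAN_RE = re.compile(r"(?P<NessusScan>(?<=_).*?(?=\.))")
NESSUS_ENV_RE = re.compile(r"(?P<NessusEnv>[A-Z]+)")


def extract_fields(event):
    """Steps 2 and 3: derive NessusScan and NessusEnv from the source path (rex field=source)."""
    out = dict(event)
    for pattern in (NESSUS_SCAN_RE, NESSUS_ENV_RE):
        m = pattern.search(event["source"])
        if m:  # like rex, an event that does not match simply gets no field
            out.update(m.groupdict())
    return out


def run_search(events, env="NYC"):
    """Steps 1-6: extract, keep one environment, normalise Risk, drop header rows."""
    results = []
    for event in events:
        e = extract_fields(event)
        if e.get("NessusEnv") != env:  # | search NessusEnv=NYC
            continue
        e["Risk"] = e["Risk"].replace("None", "Information")  # rex mode=sed "s/None/Information/g"
        if e["Risk"] == "Risk":  # | where Risk != "Risk"
            continue
        results.append(e)
    return results


def count_by_risk(events, env="NYC"):
    """What the dashboard pivot does: count SPLITROW Risk, FILTER NessusEnv is <env>."""
    return Counter(e["Risk"] for e in run_search(events, env))


if __name__ == "__main__":
    for e in run_search(SAMPLE_EVENTS):
        print(e["NessusEnv"], e["NessusScan"], e["Risk"])
    print(dict(count_by_risk(SAMPLE_EVENTS)))
```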

Pivot & Dashboard

A drop-down selects the Nessus environment, and the chart (configured as a pie via charting.chart in the XML) displays only data filtered by that selection.

<form>
  <label>Nessus</label>
  <!-- the token here must match the dropdown's token (nessus_env) -->
  <search id="baseSearch">
    <query>| tstats count FROM datamodel=nessus_424 WHERE NessusEnv="$nessus_env$"</query>
  </search>
  <description>Nessus Scans</description>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true" token="time_commander">
      <label>Time period</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="nessus_env" searchWhenChanged="true">
      <label>Nessus Environment</label>
      <choice value="TX">TX</choice>
      <choice value="NY">NY</choice>
      <default>TX</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>by Severity (Pie)</title>
      <chart>
        <title>$nessus_env$</title>
        <search>
          <query>| pivot nessus_pivot RootObject count(RootObject) AS "Count of _bWlrZS5yZWlkZXI_bWlrZS5yZWlkZXI__search__RMD5af928bdbfb291e54_at_1493054301_59023" SPLITROW Risk AS Risk SORT 6 Risk ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 FILTER NessusEnv is "$nessus_env$"</query>
          <!-- earliest=0 searches all time; the time_commander picker above is not applied to this panel -->
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.seriesColors">[0xc40f15,0xe88b00,0x0072ba,0x06991c,0xf7c42c]</option>
        <option name="height">290</option>
      </chart>
    </panel>
  </row>
</form>