cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nehashanker
Explorer
Member since: ‎10-06-2021
‎03-16-2022
Community Statistics
Posts 14
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎10-06-2021
Activity Feed
View All

How to modify concatenate and split?

by in Dashboards & Visualizations
‎03-16-2022 11:53 AM
‎03-16-2022 11:53 AM
Hi All,  I have the below query which gives the columns : Name.    Count.    Percentage.    ControlID   | spath evaluation_results | search gear_name | spath input=evaluation_results | foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlID',mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')))] | top 50 NonCompliance | eval controlVersion=mvindex(split(NonCompliance,":"),1) | eval NonCompliance=mvindex(split(NonCompliance,":"),0) | rename NonCompliance as "Name"   I have modified the above query to add a new column which shows RiskRating.    | spath evaluation_results | search gear_name | spath input=evaluation_results | foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating',mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(Compliance,"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlID',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating',mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))] | top 50 NonCompliance | eval controlVersion=mvindex(split(NonCompliance,":"),1) | eval riskRating=mvindex(split(NonCompliance,":"),2) | eval NonCompliance=mvindex(split(NonCompliance,":"),0) | rename NonCompliance as "Name"   Unfortunately the query doesn't execute. Can someone please help with where I got it wrong and what needs to be modified? The output columns should show as below: Name.    Count.    Percentage.    ControlID.    Risk Rating. Below is my raw source   | makeresults | eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\",\"gear_name\": \"sns\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"not approved\", \"riskRating\": \"Low\"}, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}"   ... View more
Labels

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎02-17-2022 03:17 AM
‎02-17-2022 03:17 AM
@ITWhisperer Just checking to see if you had a chance to see the query on why the query to add another column to show RiskRating is not working. | spath evaluation_results | spath gear_name | spath input=evaluation_results | foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))] | top NonCompliance | eval controlVersion=mvindex(split(NonCompliance,":"),1) | eval riskRating=mvindex(split(NonCompliance,":"),2) | eval NonCompliance=mvindex(split(NonCompliance,":"),0) ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎02-08-2022 03:42 AM
‎02-08-2022 03:42 AM
Sorry, I was getting repetitive count of some of the values. That seems to be an error in the data. However, I tried adding a new column and modified the query which you had sent, but seems to be throwing an error. The intention is to show 'Risk Rating'. | spath evaluation_results | spath gear_name | spath input=evaluation_results | foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating', mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))] | top NonCompliance | eval controlVersion=mvindex(split(NonCompliance,":"),1) | eval riskRating=mvindex(split(NonCompliance,":"),2) | eval NonCompliance=mvindex(split(NonCompliance,":"),0)   ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎01-13-2022 09:31 AM
‎01-13-2022 09:31 AM
That may not be the case. All the run's have controlVersion.  ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎01-13-2022 07:40 AM
‎01-13-2022 07:40 AM
Thank you so much for your response. I didn't know that we should concatenate first and then split. This worked, but I am seeing duplicate values (only count and percentages).  ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎01-12-2022 08:33 PM
‎01-12-2022 08:33 PM
Sorry for the confusion. I want to display the controlVersion along with the name of the control.  current output: NonCompliance(Name)          Count         percentage   Expected output: NonCompliance(Name)          Count         percentage          controlVersion ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎01-12-2022 02:20 PM
‎01-12-2022 02:20 PM
@ITWhisperer  Sorry for opening the old thread again.  how can I add a new column - gear_name for the below input: I tried tweaking your query to add a new column but no success. So thought I will ask on this thread again.  | makeresults | eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\",\"gear_name\": \"sns\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Required_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Valid_ASV_BA_Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"Neither the ASV nor BA tag values(case sensitive) were found on the approved list.\", \"riskRating\": \"Low\"}, \"check_in_transit_encryption\": {\"compliant\": \"Non-Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Medium\" }, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}"   ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-08-2021 05:16 AM
1 Karma
‎10-08-2021 05:16 AM
1 Karma
Thank you so so much. I just tried it out and gave the exact visualization I was looking for! ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-07-2021 04:22 AM
‎10-07-2021 04:22 AM
That is definitely a copy/paste error of using notes. ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-07-2021 04:03 AM
‎10-07-2021 04:03 AM
Here is the response by using | table_raw   {“job_id": “abc123”, "gear_event_id": “aaaa”, "event_id": "7cf6-4ff0", "execution_start": "2021-10-06 13:29:31.143", "execution_end": "2021-10-06 13:29:50.104", "gear_version": "3.0.16", "resource_type": ["sns_topic"], "event_status": "SUCCESS", "compliance_result": "Compliant", “evaluation_results": {"Required_Tags": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "", "riskRating": "Low",}, "Valid_ASV_BA_Tags": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "Neither the ASV nor BA tag values(case sensitive) were found on the approved list.", "riskRating": "Low","}, "check_in_transit_encryption": {"compliant": "Compliant", "controlVersion": "1.0", "evaluationDetails": "", "riskRating": "Medium", }, "correlation_id": "4362-47fb", "service": “biosevent", "timestamp": "2021-10-06 13:29:31.143", "version": "3.0.16", "duration": 18.961} ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-07-2021 03:41 AM
‎10-07-2021 03:41 AM
@ITWhisperer Sorry for incorrectly mentioning it as json. But the above format is exactly how I get the data. ... View more

Re: Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-07-2021 03:29 AM
‎10-07-2021 03:29 AM
additional_metrics: { [+] } event_id: abc123 eval_results: { [+] } compliance_result: Non-Compliant timestamp: 2021-10-07 16:27:48.523 version: jpltest Upon expanding eval_results - eval_results: { [-] Required_Tags: { [+] } Valid_ASV_BA_Tags: { [+] } check_in_transit_encryption: { [+] } } Upon expanding each of the following sections - Required_Tags: { [-] compliant: Compliant controlVersion: 1.0 evaluationDetails: riskRating: Low } Valid_ASV_BA_Tags: { [-] compliant: Non-Compliant controlVersion: 1.0 evaluationDetails: Neither the ASV nor BA tag values(case sensitive) were found on the approved list. riskRating: Low } check_in_transit_encryption: { [-] compliant: Compliant controlVersion: 1.0 evaluationDetails: riskRating: Medium } @ITWhisperer Thanks for looking into the issue. Pasted above is the raw event. The event is in json format, which I have got by searching on index name. ... View more

Dashboard to show top non-compliance controls

by in Dashboards & Visualizations
‎10-06-2021 03:19 PM
‎10-06-2021 03:19 PM
Greetings All, I am very new to splunk and am creating a dashboard to show top non-compliances. For the below data, I want to display top non-compliant controls (example output also mentioned below) Could anyone please let me know how can I write a search query for the same? Thanks in advance.   Event_ID: abc1 Compliance_result: Non-Compliant Eval_results: { required_tags: { compliance: Compliant } encryption_enabled:{ compliance: Non-Compliant } public_access:{ compliance: Compliant } policy_enabled:{ compliance: Compliant } }   Event_ID: abc2 Compliance_result: Non-Compliant Eval_results: { required_tags: { compliance: Compliant } encryption_enabled:{ compliance: Non-Compliant } public_access:{ compliance: Non-Compliant } policy_enabled:{ compliance: Compliant } }   Generate Table in the below format -   Top Non Compliance controls: public_access - 2 encryption_enabled -1   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-16-2022 05:29 PM
Karma from
View All