Splunk Enterprise — Visualizations

Dante Mata - CyberPanda
6 min read · May 31, 2022


Table of Contents

  1. Preface
  2. Formatting Commands
  3. Visualize Data
  4. Maps
  5. Single Value
  6. Debrief

https://discord.com/invite/7g9PrxVcc4

1. Preface

I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit Splunk for the official learning courses.

Splunk Study Guide:

Part 1

Part 2

Part 3

Splunk Enterprise — Q&A — Fields

2. Formatting Commands

Using the minus (-) operator with the fields command removes fields from the fields list:

| fields - product price

This removes both product and price.

| fields -product price

This removes only product: without the space, the minus operator applies to product alone and does not also apply to price.

Internal fields such as _raw and _time are always extracted, but they can be removed with the same minus operator:

| fields -_raw

Field inclusion occurs before field extraction, so limiting the field list early reduces the work the search has to do.

| table is similar to the fields command in that only the specified fields are kept in your results; it differs in that it is a transforming command that returns the data in a tabulated format.

To rearrange columns, reorder the arguments. table can be combined with the fields command so that the search extracts only the fields the table uses.

| dedup removes duplicate results that share the same values in the specified fields, and can be combined with other commands to return only unique combinations of those fields. Include every field that should count toward uniqueness, otherwise rows that differ only in an omitted field are collapsed together.

| dedup price ID product

| addtotals by default computes the sum of all numeric fields for each row and adds the result in a total column; additional arguments let you name that column to match your naming conventions.

| fieldformat is used when you want to format the appearance of values without changing the underlying raw data. The example overwrites the existing values in the total field by prepending a dollar sign and using the tostring function to convert the numeric value to a string, with an optional argument that formats it with commas.

While fieldformat creates a new display value for the field, the underlying data in the index does not change.
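A complete search that chains these commands, added here as an example and not taken from the post; the index, sourcetype and field names (sales, vendor_sales, product_name, sale_price, quarter) are assumed:

```spl
index=sales sourcetype=vendor_sales
| fields - _raw
| fields product_name sale_price quarter
| chart sum(sale_price) over product_name by quarter usenull=f
| addtotals fieldname=annual_total
| fieldformat annual_total = "$" + tostring(annual_total, "commas")
| sort - annual_total
```

Because fieldformat changes only the displayed value, the final sort still operates on the numeric annual_total, and dropping _raw and unused fields before the chart keeps the search from carrying data it never uses.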

3. Visualize Data

Any search that returns statistical values can be viewed as a chart on the Visualization tab, where you can change how the data is displayed by changing the chart type.

Transforming commands order search results into a data table that can be used for statistical purposes and turn search results into visualizations.

  • top — finds the most common values in a result set; it can be paired with limit=<int>, countfield=<string>, percentfield=<string>, showcount=true/false, showperc=true/false, otherstr=<string> and useother=true/false, and a by clause groups the results further
  • rare — has the same options as the top command but shows the least common values of a field
  • stats — produces statistics; common functions are count, distinct count (dc), sum, average (avg), min, max, list and values
  • chart — takes two clauses, over and by. The over clause tells Splunk which field goes on the x-axis (for example status), and any stats function can be applied to the command, with the result (for example count) on the y-axis, which must always be numeric so that it can be charted. Use the by clause when you want to split the data by an additional field, which creates a column for each value of that field; only one field can follow by when the over clause is used. usenull=f (or false) removes null values, useother=f/t controls the "OTHER" bucket, and the chart is limited to 10 columns by default, which limit=0 lifts
  • timechart — performs stats aggregations against time, so time is always the x-axis; split the data with a by clause (only one field after by), any stats function can be used, and span=12hr groups the results into 12-hour buckets
  • trendline — computes moving averages of field values, giving a clear picture of how your data is trending. It requires three arguments: the trend type (simple moving average sma, exponential moving average ema, or weighted moving average wma, all of which compute over a window of data points, with wma and ema giving heavier weight to the more recent points), the period to compute the trend over (an integer between 2 and 10000), and the field itself
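Two searches that exercise the chart and timechart/trendline options listed above, added here as examples and not from the post; the index, sourcetype and fields (web, access_combined, status, host) are assumed:

```spl
index=web sourcetype=access_combined
| chart count over status by host usenull=f useother=f limit=10

index=web sourcetype=access_combined
| timechart span=1h count(eval(status>=500)) as server_errors
| trendline sma6(server_errors) as sma6 ema6(server_errors) as ema6 wma6(server_errors) as wma6
```

The first search gives one column per host (capped at ten, with nulls and the OTHER bucket suppressed) for each HTTP status; the second counts server errors per hour and overlays a six-hour simple, exponential and weighted moving average so a sustained rise stands out from a single noisy bucket.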

4. Maps

Splunk includes commands that pull geographic data out of your machine data, and visualizations that display that data in an easy-to-understand format.

Marker maps plot geographic coordinates as interactive markers on a world map; choropleth maps use shading to show relative metrics for predefined geographic regions.

| iplocation looks up location information for external IP addresses in a third-party database and adds it to the event, including:

  • city
  • country
  • region
  • latitude
  • longitude

Some location information may not be available for particular IP addresses, which should be taken into account when searching your data; if an address is not found in the third-party database, as with an internal IP address, no fields are added to the event.

| geostats aggregates geographic data for use on a map. It uses the same functions as the stats command and a by argument to split the data, but it accepts only one by field.

Example use: finding IP addresses outside the expected locations.

Choropleth maps use shading to show relative metrics over predefined regions of a map. To use one you need a KMZ (compressed Keyhole Markup Language) file that defines the region boundaries; Splunk ships with two, geo_us_states.kmz for the US states and geo_countries.kmz for the countries of the world, but other KMZ files can be used.

| geom adds a field to the events containing the geographic data structures that match the polygons on the map.

Pipe the results into the geom command followed by the name of the KMZ file, also known as the featureCollection; a featureIdField argument is required to name the field whose values match the regions. The results can then be displayed as a choropleth visualization on the Visualization tab: the polygons are rendered over the map and colors are assigned from the data values.
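Two searches that cover the "IP addresses outside expected locations" case and the choropleth flow above, added here as examples and not from the post; the index, sourcetype and fields (auth, linux_secure, action, src_ip, user) and the expected-country list are assumed:

```spl
index=auth sourcetype=linux_secure action=success
| iplocation src_ip
| search Country=* NOT Country IN ("United States", "Canada")
| dedup user src_ip
| geostats count by user globallimit=10

index=auth sourcetype=linux_secure action=failure
| iplocation src_ip
| search Country=*
| stats count by Country
| geom geo_countries featureIdField=Country
```

The Country=* filter drops events whose source address had no lookup result (internal IPs, as the text notes), so they neither disappear silently into a null bucket nor get plotted at a bogus location; the first search renders as a marker map of successful logins from unexpected countries, the second as a country-shaded choropleth of failed logins.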

5. Single Value

Single value visualizations can be displayed as a single value or as gauges. The single value graph displays one number; formatting options let you add caption text under the visualization, change the color and the number format, and the search can be combined with other commands such as timechart. The trellis layout shows an individual single value visualization for each of the products.

The radial, filler and marker gauges can be used with single values, and their ranges can also be set in SPL (Search Processing Language).

6. Debrief

I hope this helped answer some general questions for anyone just learning Splunk. I really enjoyed doing this and will be making more notes in the future.
