Hi Splunkers,
I have events coming to Splunk Enterprise in the following JSON format:
{
  "ip": "1.1.1.1",
  "mac": "010203040506",
  "policies": {
    "policy_name_1": {
      "rule_name_in_policy1": {
        "status": "Unmatched",
        "timestamp": 15012456757
      }
    },
    "policy_name_2": {
      "rule_name_in_policy2": {
        "status": "Matched",
        "timestamp": 15012446751
      }
    },
    "policy_name_3": {
      "rule_name_in_policy3": {
        "status": "Matched",
        "timestamp": 15012456487
      }
    }
  },
  "username": "abstract"
}
I want to create a 'matched' dashboard which shows a pie chart conveying "rule_name_in_policy1 is matched by 25 hosts, rule_name_in_policy2 is matched by 3 hosts, ... and so on". To achieve this, I can roughly think of a search string that would store the rule_names in a variable_a and possibly do a "timechart count by variable_a", but I don't know how to do this. I also can't figure out how to filter out all instances of (policies.policy_name_x.rule_name_in_policyx.status=Matched).
I'm new to SPL. Can someone please help me with writing the correct search string?
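One way to get the per-rule host count the question asks for, written here as an added example rather than taken from the original post. It assumes the events are indexed as JSON so that `spath` extracts fields named `policies.<policy>.<rule>.status`, and it uses placeholder index and sourcetype names:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| spath
| foreach policies.*.*.status
    [ eval matched_rules = if('<<FIELD>>'=="Matched", mvappend(matched_rules, "<<MATCHSEG2>>"), matched_rules) ]
| where isnotnull(matched_rules)
| stats dc(ip) AS matched_hosts BY matched_rules
| rename matched_rules AS rule
```

The `foreach` walks every `policies.*.*.status` field in the event; the second wildcard segment (`<<MATCHSEG2>>`) is the rule name, which is appended to a multivalue field only when that rule's status is `Matched`, so one event can contribute several rules. `stats dc(ip)` then counts distinct hosts per rule instead of raw events, which is the number a "matched by N hosts" pie chart should show; use `dc(mac)` instead if the MAC address identifies a host more reliably than its IP in your environment. Feed the resulting `rule` and `matched_hosts` columns to the pie chart panel. If you need the count over time rather than a single total, replace the `stats` line with `timechart dc(ip) BY matched_rules`.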