Solved: Chronicle Dashboards: How to add multiple addition...

stosh-malec

I have logs ingested with a custom parser that sets the following fields in one log.

additional.value["appmetadata.timems"] = "a string"
additional.value["appmetadata.name"] = "a string"

Appmetadata.timems must be converted to a number. Appmetadata.name must contain "job-success".

I would like to create a dashboard that shows a graph of Appmetadata.timems values over time. I would also like to see appmetadata.name values when hovering over a point in the line graph.

I am struggling to use custom fields as column headers when attempting to pull in more than on additional.field.value, what is the proper way for me to create this visualization?

AymanC

Hi @stosh-malec

How about using 'Add' within 'Custom Fields', selecting 'Custom Measure', and using the below conditions replicating it per Key.:

Kind Regards,

Ayman

View solution in original post

dnehoda

Are you using Looker or Native Dashboards?

I am guessing Looker. If you do not have Native Dashboards enabled - we will want to get that setup through the account team or support. I bet you can get what you are looking for there. I will investigate as well but I currently cannot - I need to do a little research for those fields.

stosh-malec

I believe this would be the native dashboarding tool that I am using while it does say powered by Looker in the bottom left.

AymanC

Hi @stosh-malec

How about using 'Add' within 'Custom Fields', selecting 'Custom Measure', and using the below conditions replicating it per Key.:

Kind Regards,

Ayman

dnehoda

Thats looker dashboarding. The native dashboards use Yara-L.

Webinar May 29th: Log Ingestion: Bindplane + Google SecOps

Chronicle Dashboards: How to add multiple additional.fields as column headers?