Dashboards & Visualizations

Help with making dashboard as efficient as possible

fmpa_isaac
Path Finder

Can someone please help me make this search as efficient as possible? I am trying to make a Base ID Search and have all of the panels run off of it. One of the panels happens to be a report because I needed to accelerate it as it's a 24 hour report. Some fields are also dynamic. Have I reached a limitation, or is it possible to have a Base Search and still be able to make fields and panels dynamic?

<form>
  <label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
  <description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label>Time:</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="SrcIP" searchWhenChanged="true">
      <label>Src IP</label>
      <default>*</default>
    </input>
    <input type="text" token="DstIP">
      <label>Dst IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Firepower Allowed Packets</title>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | stats count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country, DstPort | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source IP</title>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Firepower Allowed Packets - 24 Hours</title>
        <search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Allowed Packets by Country DestIP Top 5</title>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by Country | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>DstIP Country</title>
      <table>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by DstIP, Country | sort + by Country -count | head 5000</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <title>Who is sending packets and to which Country</title>
      <table>
        <search>
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstPort, Country | rename SrcIP to Source_IP | sort + by Country -count | head 5000</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

gcusello
SplunkTrust

Hi @fmpa_isaac,
you should look at how to use Post-process Searches; for more info see https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2.
The Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) is also very useful.
Anyway, try something like this:

<form>
   <label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
   <description>Source IPs are only Internal IPs.
 Internal IPs excluded from the Destination.
 Excludes 10.#.#.# from SrcIP</description>
   <fieldset submitButton="false">
     <input type="time" searchWhenChanged="true">
       <label>Time:</label>
       <default>
         <earliest>-60m@m</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="text" token="SrcIP" searchWhenChanged="true">
       <label>Src IP</label>
       <default>*</default>
     </input>
     <input type="text" token="DstIP">
       <label>Dst IP</label>
       <default>*</default>
     </input>
   </fieldset>
   <search id="base">
    <query>
        index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$
    </query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
    <sampleRatio>1</sampleRatio>
   </search>
   <row>
     <panel>
       <single>
         <title>Firepower Allowed Packets</title>
         <search base="base">
           <query>
           | stats count
           </query>
         </search>
         <option name="refresh.auto.interval">1180</option>
         <option name="refresh.display">progressbar</option>
       </single>
     </panel>
     <panel>
       <table>
         <title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
         <search base="base">
           <query>
                | iplocation DstIP 
                | stats count by SrcIP DstIP Country DstPort 
                | sort -count 
                | head 5
           </query>
         </search>
         <option name="count">100</option>
         <option name="dataOverlayMode">none</option>
         <option name="percentagesRow">false</option>
         <option name="refresh.auto.interval">1180</option>
         <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">false</option>
       </table>
     </panel>
     <panel>
       <table>
         <title>Firepower Allowed Packets Top 5 Source IP</title>
         <search base="base">
           <query>
            | iplocation DstIP 
            | stats count by SrcIP DstIP Country 
            | sort -count 
            | head 5
           </query>
         </search>
         <option name="count">100</option>
         <option name="dataOverlayMode">none</option>
         <option name="percentagesRow">false</option>
         <option name="refresh.auto.interval">1180</option>
         <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">false</option>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <chart>
         <title>Firepower Allowed Packets - 24 Hours</title>
         <search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">collapsed</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">auto</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">column</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">gaps</option>
         <option name="charting.chart.showDataLabels">minmax</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">all</option>
         <option name="charting.layout.splitSeries">0</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">none</option>
         <option name="charting.lineWidth">2</option>
         <option name="refresh.display">progressbar</option>
         <option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">medium</option>
       </chart>
     </panel>
     <panel>
       <chart>
         <title>Allowed Packets by Country DestIP Top 5</title>
         <search base="base">
           <query>
            | iplocation DstIP 
            | stats count by Country 
            | sort -count 
            | head 5
           </query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
   </row>
   <row>
     <panel>
       <title>DstIP Country</title>
       <table>
         <search base="base">
           <query>
            | iplocation DstIP 
            | stats count by DstIP Country 
            | sort Country -count 
            | head 5000
           </query>
         </search>
         <option name="count">100</option>
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">cell</option>
         <option name="percentagesRow">false</option>
         <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">false</option>
       </table>
     </panel>
     <panel>
       <title>Who is sending packets and to which Country</title>
       <table>
         <search base="base">
           <query>
            | iplocation DstIP 
            | stats count by SrcIP DstPort Country 
            | rename SrcIP to Source_IP 
            | sort Country -count 
            | head 5000
           </query>
         </search>
         <option name="count">100</option>
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">cell</option>
         <option name="percentagesRow">false</option>
         <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">false</option>
       </table>
     </panel>
   </row>
 </form>

Ciao.
Giuseppe

0 Karma
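As an added example (not part of the question or of gcusello's answer), the same dashboard with the base search made transforming: it runs `iplocation` and a `stats count by` once, and every panel post-processes that small aggregated result set instead of raw events. The filter terms are the page's own, including the `#` characters, which the poster used as placeholders and which must be replaced with real octets before use; the panel titles and the `sum(count)` roll-ups are assumptions made for this example.

```xml
<form>
  <label>Allowed Internet Traffic (Inside to Outside)</label>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label>Time:</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="SrcIP" searchWhenChanged="true">
      <label>Src IP</label>
      <default>*</default>
    </input>
    <input type="text" token="DstIP" searchWhenChanged="true">
      <label>Dst IP</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Base search. The OR group is parenthesised so it is not split by the
       following ANDs. The trailing stats makes the search transforming, so
       post-process panels receive one row per SrcIP/DstIP/DstPort/Country
       rather than every raw event. The '#' placeholders are the page's own
       redaction and must be replaced with real octets. -->
  <search id="base">
    <query>
      index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block
        (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*")
        DstIP!="10.0.*" DstIP!="172.*" DstIP!="192.168.#.*" SrcIP!="10.0.#.#"
        DstIP!="8.8.8.8" DstIP!="208.67.222.222" DstIP!="208.67.220.220"
        DstIP!="208.67.222.220" DstIP!="208.67.220.222"
        SrcIP=$SrcIP$ DstIP=$DstIP$
      | iplocation DstIP
      | stats count by SrcIP DstIP DstPort Country
    </query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
  </search>

  <row>
    <!-- Total: re-aggregate the per-tuple counts (assumed panel). -->
    <panel>
      <single>
        <title>Allowed Packets (total)</title>
        <search base="base">
          <query>| stats sum(count) AS count</query>
        </search>
      </single>
    </panel>
    <!-- Top 5 tuples: the base rows already carry the right grouping. -->
    <panel>
      <table>
        <title>Top 5 Source/Dest/Port</title>
        <search base="base">
          <query>| sort -count | head 5</query>
        </search>
      </table>
    </panel>
    <!-- Top 5 countries: collapse the tuple rows to one per Country. -->
    <panel>
      <chart>
        <title>Top 5 Destination Countries</title>
        <search base="base">
          <query>| stats sum(count) AS count by Country | sort -count | head 5</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>
```

Two points worth checking in any variant of this dashboard. First, a base search that returns raw events is subject to Splunk's post-process limit (the first 500,000 events) and only exposes fields it explicitly carries, so on a busy firewall index the `stats count` single-value panel can silently undercount; a transforming base search, as above, sidesteps both constraints and is what the linked documentation recommends. Second, `SrcIP="172.*"` and `DstIP!="172.*"` match all of 172.0.0.0/8, not just the private 172.16.0.0/12, so public 172.x destinations are hidden from the "outside" view; if that matters, narrow the wildcard or filter with `cidrmatch` after the index scan.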