https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432667#M53100 <P>Hi,</P> <P>Yes, you can customize or remove charts if you need to. To do that you will have to modify the Wazuh App js/html code but it's quite simple I will explain you how to do it:</P> <P>-That specific dashboard you mentioned, Wazuh -&gt; Overview -&gt; Security Events Dashboard, can be found here: <CODE>{{SPLUNK_DIR}}/etc/apps/SplunkAppForWazuh/appserver/static/js/controllers/overview/general/</CODE> in my case is <CODE>/opt/splunk/etc/apps/SplunkAppForWazuh/appserver/static/js/controllers/overview/general/</CODE><BR /> In that folder you will find 2 files:<BR /> <CODE>overviewGeneralCtrl.js</CODE> -&gt; Here you will find all chart queries used to request data to splunk<BR /> <CODE>overview-general.html</CODE> -&gt; Here you will find the HTML code that creates the view.</P> <P>-If you want to remove a chart you can do that by simply removing it from the <CODE>overview-general.html</CODE>.<BR /> For example if we want to remove "Top 5 rule groups" chart,<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7223i3F31A86C92D4C1FF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> We can easily find that chart doing a search by its name <CODE>Top 5 rule groups</CODE> and we will find this following <CODE>&lt;md-card &gt;...&lt;/md-card&gt;</CODE> in the <CODE>.html</CODE> file:<BR /> ```</P> <PRE><CODE> &lt;md-card flex="33" class="wz-md-card" ng-class="{'fullscreen': expandArray[3]}"&gt; &lt;md-card-content class="wazuh-column"&gt; &lt;span class="wz-headline-title"&gt;Top 5 rule groups &lt;span class="wz-text-link" style="float:right;" ng-click="expand(3,'top5ruleGroups')"&gt; &lt;wz-svg icon="expand"&gt;&lt;/wz-svg&gt; &lt;/span&gt; &lt;/span&gt; &lt;md-divider class="wz-margin-top-10"&gt;&lt;/md-divider&gt; &lt;div id='top5ruleGroups'&gt;&lt;/div&gt; &lt;/md-card-content&gt; &lt;/md-card&gt; </CODE></PRE> <P>``<CODE><BR /> So all we have to do is to remove that</CODE><MD-CARD>...</MD-CARD>` block and the chart will be removed.<BR /> Once you removed that block of code you should restart splunk (/opt/splunk/bin/splunk restart)<BR /> If after following these steps, the chart is still being shown in the dashboard, try clearing your browser cookies and cache.</P> <P>-What if we want to customize a specific chart and do a different search in it?<BR /> In your <CODE>file.html</CODE>:<BR /> 1-Change the chart title, in my case I replaced "Top 5 rule groups" with "This is an example".<BR /> 2-We will need the id of the chart in this example <CODE>id="top5ruleGroups"</CODE> in order to modify the query of that search.</P> <P>Now in your file <CODE>.js</CODE> (in this example, overviewGeneralCtrl.js), you will find the following block code containing the previous id = <CODE>'top5ruleGroups'</CODE>:<BR /> ```</P> <PRE><CODE> new PieChart( 'top5ruleGroups', `${this.filters} sourcetype=wazuh | top rule.groups{} limit=5`, 'top5ruleGroups', this.scope ), </CODE></PRE> <P><CODE><BR /> As you can see, we can know this query belongs to that chart because it has the same id `top5ruleGroups`.<BR /> The search query is `${this.filters} sourcetype=wazuh | top rule.groups{} limit=5`, so all we have to do is to replace that query after the single vertical bar (|), for example, I will change it for a dummy search by`rule.level` <BR /> </CODE></P> <PRE><CODE> new PieChart( 'top5ruleGroups', `${this.filters} sourcetype=wazuh | top rule.level limit=5`, 'top5ruleGroups', this.scope ), </CODE></PRE> <P>``<CODE><BR /> Also note that</CODE>${this.filters}` should not be modified as it applies some implicit filters to make the search over our wazuh index.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7224i868E11D6BA515D0C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As you can see our old "Top 5 rule groups" chart has been replaced with our "This is an example" chart and the chart is showing the top 5 rule levels.</P> <P>I hope this helps, it may be a little bit messy but if you need anything else I will be happy to help.<BR /> I also encourage you to ask or make any suggestion in our github repository (<A href="https://github.com/wazuh/wazuh-splunk">https://github.com/wazuh/wazuh-splunk</A>) if you have any question we will be glad to help.</P> <P>Regards,</P> Tue, 18 Jun 2019 14:01:17 GMT wazuh 2019-06-18T14:01:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432666#M53099 <P>Hi!</P> <P>Is it possible to customize Wazuh -&gt; Overview -&gt; Security Events Dashboard? and remove several charts?</P> <P>Do I need to modify js code?</P> Tue, 18 Jun 2019 09:00:12 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432666#M53099 rus7ambts 2019-06-18T09:00:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432667#M53100 <P>Hi,</P> <P>Yes, you can customize or remove charts if you need to. To do that you will have to modify the Wazuh App js/html code but it's quite simple I will explain you how to do it:</P> <P>-That specific dashboard you mentioned, Wazuh -&gt; Overview -&gt; Security Events Dashboard, can be found here: <CODE>{{SPLUNK_DIR}}/etc/apps/SplunkAppForWazuh/appserver/static/js/controllers/overview/general/</CODE> in my case is <CODE>/opt/splunk/etc/apps/SplunkAppForWazuh/appserver/static/js/controllers/overview/general/</CODE><BR /> In that folder you will find 2 files:<BR /> <CODE>overviewGeneralCtrl.js</CODE> -&gt; Here you will find all chart queries used to request data to splunk<BR /> <CODE>overview-general.html</CODE> -&gt; Here you will find the HTML code that creates the view.</P> <P>-If you want to remove a chart you can do that by simply removing it from the <CODE>overview-general.html</CODE>.<BR /> For example if we want to remove "Top 5 rule groups" chart,<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7223i3F31A86C92D4C1FF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> We can easily find that chart doing a search by its name <CODE>Top 5 rule groups</CODE> and we will find this following <CODE>&lt;md-card &gt;...&lt;/md-card&gt;</CODE> in the <CODE>.html</CODE> file:<BR /> ```</P> <PRE><CODE> &lt;md-card flex="33" class="wz-md-card" ng-class="{'fullscreen': expandArray[3]}"&gt; &lt;md-card-content class="wazuh-column"&gt; &lt;span class="wz-headline-title"&gt;Top 5 rule groups &lt;span class="wz-text-link" style="float:right;" ng-click="expand(3,'top5ruleGroups')"&gt; &lt;wz-svg icon="expand"&gt;&lt;/wz-svg&gt; &lt;/span&gt; &lt;/span&gt; &lt;md-divider class="wz-margin-top-10"&gt;&lt;/md-divider&gt; &lt;div id='top5ruleGroups'&gt;&lt;/div&gt; &lt;/md-card-content&gt; &lt;/md-card&gt; </CODE></PRE> <P>``<CODE><BR /> So all we have to do is to remove that</CODE><MD-CARD>...</MD-CARD>` block and the chart will be removed.<BR /> Once you removed that block of code you should restart splunk (/opt/splunk/bin/splunk restart)<BR /> If after following these steps, the chart is still being shown in the dashboard, try clearing your browser cookies and cache.</P> <P>-What if we want to customize a specific chart and do a different search in it?<BR /> In your <CODE>file.html</CODE>:<BR /> 1-Change the chart title, in my case I replaced "Top 5 rule groups" with "This is an example".<BR /> 2-We will need the id of the chart in this example <CODE>id="top5ruleGroups"</CODE> in order to modify the query of that search.</P> <P>Now in your file <CODE>.js</CODE> (in this example, overviewGeneralCtrl.js), you will find the following block code containing the previous id = <CODE>'top5ruleGroups'</CODE>:<BR /> ```</P> <PRE><CODE> new PieChart( 'top5ruleGroups', `${this.filters} sourcetype=wazuh | top rule.groups{} limit=5`, 'top5ruleGroups', this.scope ), </CODE></PRE> <P><CODE><BR /> As you can see, we can know this query belongs to that chart because it has the same id `top5ruleGroups`.<BR /> The search query is `${this.filters} sourcetype=wazuh | top rule.groups{} limit=5`, so all we have to do is to replace that query after the single vertical bar (|), for example, I will change it for a dummy search by`rule.level` <BR /> </CODE></P> <PRE><CODE> new PieChart( 'top5ruleGroups', `${this.filters} sourcetype=wazuh | top rule.level limit=5`, 'top5ruleGroups', this.scope ), </CODE></PRE> <P>``<CODE><BR /> Also note that</CODE>${this.filters}` should not be modified as it applies some implicit filters to make the search over our wazuh index.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7224i868E11D6BA515D0C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As you can see our old "Top 5 rule groups" chart has been replaced with our "This is an example" chart and the chart is showing the top 5 rule levels.</P> <P>I hope this helps, it may be a little bit messy but if you need anything else I will be happy to help.<BR /> I also encourage you to ask or make any suggestion in our github repository (<A href="https://github.com/wazuh/wazuh-splunk">https://github.com/wazuh/wazuh-splunk</A>) if you have any question we will be glad to help.</P> <P>Regards,</P> Tue, 18 Jun 2019 14:01:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432667#M53100 wazuh 2019-06-18T14:01:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432668#M53101 <P>Thanks a lot!</P> Wed, 19 Jun 2019 04:41:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-customize-Wazuh-gt-Overview-gt-Security-Events/m-p/432668#M53101 rus7ambts 2019-06-19T04:41:44Z