Dashboards & Visualizations

DHCP snooping events panel editing

null0
New Member

Hello,
I would like to obtain something similar to this

https://drive.google.com/drive/folders/1Aua9EsQDS93T8LF6oQ-9AwO9ZPS-pKkt?usp=sharing

image 1

coded as

    <panel>
      <table>
        <title>Port flapping</title>
        <search>
          <query>eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up"  AND

HOST IPs...

| stats count,latest(port_status) AS port_status by host,src_interface | sort -count | table host,src_interface,port_status,count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" | stats count,latest(port_status) AS port_status by host,src_interface | sort -count | table host,src_interface,port_status,count&amp;earliest=rt-1h&amp;latest=rt</link>
        </drilldown>
      </table>
    </panel>

but with the data visible in the DHCP snooping panel of the Cisco App,
like this

https://drive.google.com/drive/folders/1Aua9EsQDS93T8LF6oQ-9AwO9ZPS-pKkt?usp=sharing

image 2

coded as

    <panel>
      <table>
        <title>DHCP snooping events</title>
        <search>
          <query>eventtype="cisco_ios-dhcp_snooping" | table _time host facility mnemonic src_int src_vlan src_mac src_ip dest_mac dest_ip message_type num_packets</query>
        </search>
        <option name="count">20</option>
        <option name="displayRowNumbers">true</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
So far I've done this

https://drive.google.com/drive/folders/1Aua9EsQDS93T8LF6oQ-9AwO9ZPS-pKkt?usp=sharing

image 3

coded as

    <panel>
      <table>
        <title>DHCP snooping events</title>
        <search>
          <query>eventtype="cisco_ios-dhcp_snooping"
| stats count,latest(num_packets) by host
| sort -num_packets
| table host mnemonic src_int src_vlan src_ip dest_ip message_type count</query>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=eventtype="cisco_ios-dhcp_snooping"
| stats count,latest(num_packets) by host
| sort -num_packets
| table host mnemonic src_int src_vlan src_ip dest_ip message_type count</link>
        </drilldown>
      </table>
    </panel>

As you can see, the result is not the same. What am I doing wrong?

1 Solution

renjith_nair
SplunkTrust

@null0,

Somehow the images are not visible. However, in the last section of your search you are doing a stats which restricts your fields to count, latest(num_packets) and host. So the fields you mention in the table (mnemonic src_int src_vlan src_ip dest_ip message_type) will not be available in the output:

eventtype="cisco_ios-dhcp_snooping" | stats count,latest(num_packets) by host | sort -num_packets | table host mnemonic src_int src_vlan src_ip dest_ip message_type count

So either you need to add those fields to the stats command or use eventstats. Also use latest(field_name) as field_name to retain the original field names.
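A corrected version of the panel, as an added example that is not from the thread: every column the table asks for is carried through the stats command with latest(x) AS x, so the fields survive and sort -num_packets finds its field; the eventstats alternative is shown in a comment. It assumes the field names from the original table query exist on the cisco_ios-dhcp_snooping eventtype and that the dashboard has the same time input (field1) the port flapping panel uses.

```xml
<panel>
  <table>
    <title>DHCP snooping events</title>
    <search>
      <!-- stats only returns the aggregated fields plus the "by" fields,
           so each column the table needs is carried through explicitly.
           "latest(x) AS x" keeps the original field names, which is also
           what makes "sort -num_packets" work. -->
      <query>eventtype="cisco_ios-dhcp_snooping"
| stats count, latest(num_packets) AS num_packets, latest(mnemonic) AS mnemonic, latest(src_int) AS src_int, latest(src_vlan) AS src_vlan, latest(src_ip) AS src_ip, latest(dest_ip) AS dest_ip, latest(message_type) AS message_type by host
| sort -num_packets
| table host mnemonic src_int src_vlan src_ip dest_ip message_type num_packets count</query>
      <!-- Alternative with eventstats: it annotates every event with the
           per host aggregate instead of collapsing the events, so the other
           fields stay on each event; dedup then keeps one (the latest) row per host:
           eventtype="cisco_ios-dhcp_snooping"
           | eventstats count, latest(num_packets) AS num_packets by host
           | dedup host
           | sort -num_packets
           | table host mnemonic src_int src_vlan src_ip dest_ip message_type num_packets count -->
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <refresh>5m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">10</option>
    <option name="dataOverlayMode">heatmap</option>
    <option name="drilldown">row</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <!-- Clicking a row opens the raw snooping events for that host
           ($row.host$ is the clicked row's host value). -->
      <link target="_blank">search?q=eventtype="cisco_ios-dhcp_snooping" host="$row.host$"&amp;earliest=rt-1h&amp;latest=rt</link>
    </drilldown>
  </table>
</panel>
```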

