
Help with making a dashboard as efficient as possible

fmpa_isaac
Path Finder

Can someone please help me make this search as efficient as possible? I am trying to make a Base ID Search and have all of the panels run off of it. One of the panels happens to be a report, because I needed to accelerate it as it's a 24-hour report. Some fields are also dynamic. Have I reached a limitation, or is it possible to have a Base Search and still make fields and panels dynamic?

<form>
  <!-- Original version as posted: six inline panels each run the same full search and the
       same token substitution. Review notes are inline and describe only what is visible here. -->
  <label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
  <description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
  <fieldset submitButton="false">
    <!-- Unnamed time input: sets the global $earliest$/$latest$ tokens every panel reads. -->
    <input type="time" searchWhenChanged="true">
      <label>Time:</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- NOTE(review): free-text token. Every query below inserts it unquoted (SrcIP=$SrcIP$),
         so a typed value containing a space, quote or pipe becomes part of the SPL rather than
         a field value. The |s token filter ($SrcIP|s$) inserts the value as a quoted string;
         the default "*" still works as a wildcard inside quotes. Same applies to DstIP. -->
    <input type="text" token="SrcIP" searchWhenChanged="true">
      <label>Src IP</label>
      <default>*</default>
    </input>
    <!-- NOTE(review): unlike Src IP this input has no searchWhenChanged, and the fieldset has no
         submit button; confirm a changed Dst IP value is actually applied. -->
    <input type="text" token="DstIP">
      <label>Dst IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Firepower Allowed Packets</title>
        <search>
          <!-- NOTE(review): this filter is repeated verbatim in all six inline panels, so the
               index is scanned six times per refresh; it is the natural base search.
               The source group (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") is not
               parenthesised, so whether the DstIP exclusions apply to all three ranges depends
               on SPL AND/OR precedence; make the grouping explicit with parentheses.
               "#" is not an SPL wildcard (presumably redacted octets), and 172.* is wider than
               the 172.16.0.0/12 private range; confirm both against the real address plan. -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | stats count</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
        <search>
          <!-- NOTE(review): "sort - by count" is not sort syntax; sort takes signed field names
               and has no by clause. "sort -count" is what the title implies (the same applies
               to the other panels below). iplocation is also repeated per panel. -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country, DstPort | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source IP</title>
        <search>
          <!-- Groups by SrcIP, DstIP and Country, so the title's "Source IP" is per pair, not per source. -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Firepower Allowed Packets - 24 Hours</title>
        <!-- Saved report referenced by name (the poster accelerates it). It runs on its own; a
             referenced report does not read the form's Src/Dst IP tokens, so this chart is not
             narrowed by the inputs above; confirm that is intended. -->
        <search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Allowed Packets by Country DestIP Top 5</title>
        <search>
          <!-- Events whose DstIP could not be geolocated have no Country and are dropped by
               "stats count by Country", so they do not appear in this pie. -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by Country | sort - by count | head 5</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>DstIP Country</title>
      <table>
        <search>
          <!-- NOTE(review): "sort + by Country -count" has the same problem as above; the intent
               reads as "sort Country -count" (Country ascending, count descending). -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by DstIP, Country | sort + by Country -count | head 5000</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <title>Who is sending packets and to which Country</title>
      <table>
        <search>
          <!-- Same filter as above; SrcIP is renamed only for display. -->
          <query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstPort, Country | rename SrcIP to Source_IP | sort + by Country -count | head 5000</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

gcusello
SplunkTrust

Hi @fmpa_isaac,
you should look into post-process searches; for more information see https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2.
The Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) is also very useful.
Anyway, try something like this:

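<form>
  <!-- Allowed internal-to-external traffic. One base search ("base") does the index scan, the
       geolocation and the first aggregation; every inline panel post-processes its result
       instead of running its own search. The 24-hour chart is an accelerated saved report and
       is still referenced by name. -->
  <label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
  <description>Source IPs are only Internal IPs.
 Internal IPs excluded from the Destination.
 Excludes 10.#.#.# from SrcIP</description>
  <fieldset submitButton="false">
    <!-- Unnamed time input: sets the global $earliest$/$latest$ tokens the base search reads. -->
    <input type="time" searchWhenChanged="true">
      <label>Time:</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free-text tokens. The base search inserts them with the |s filter, which wraps the
         typed value in double quotes, so a value containing a space, quote or pipe is matched
         as a field value instead of being parsed as SPL. The default "*" is still a wildcard. -->
    <input type="text" token="SrcIP" searchWhenChanged="true">
      <label>Src IP</label>
      <default>*</default>
    </input>
    <!-- searchWhenChanged added so this input behaves like Src IP: the fieldset has no submit
         button, so presumably nothing else applies a changed value; confirm in the UI. -->
    <input type="text" token="DstIP" searchWhenChanged="true">
      <label>Dst IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <!-- Base search, deliberately transforming (ends in stats): a post-process search only sees
       the base search's results, and a base search that returns raw events is truncated at
       the post-process event limit, so per-panel counts would silently come up short on busy
       hours. Aggregating by the union of the fields the panels need keeps the result small
       and exact, and iplocation runs once here instead of once per panel.
       The source ranges are parenthesised so the destination exclusions apply to all three
       regardless of AND/OR precedence. fillnull keeps events that have no DstPort or that
       iplocation could not resolve, which "stats ... by" would otherwise drop; they appear as
       "-" instead of disappearing from the totals.
       The "#" characters and the bare 172.* range are reproduced as posted: "#" is not an SPL
       wildcard (presumably redacted octets) and 172.* is wider than the 172.16.0.0/12 private
       range, so confirm both against the real address plan. -->
  <search id="base">
    <query>
      index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block
      (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*")
      AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#"
      AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222"
      SrcIP=$SrcIP|s$ DstIP=$DstIP|s$
      | iplocation DstIP
      | fillnull value="-" DstPort Country
      | stats count by SrcIP DstIP DstPort Country
    </query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <single>
        <title>Firepower Allowed Packets</title>
        <!-- Total events: the sum of the per-group counts the base search produced. -->
        <search base="base">
          <query>
            | stats sum(count) as count
          </query>
        </search>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
        <!-- Same grouping as the base search, so this is a plain re-sort of its rows. -->
        <search base="base">
          <query>
            | stats sum(count) as count by SrcIP DstIP Country DstPort
            | sort -count
            | head 5
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source IP</title>
        <!-- Collapses the DstPort dimension of the base result. -->
        <search base="base">
          <query>
            | stats sum(count) as count by SrcIP DstIP Country
            | sort -count
            | head 5
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Firepower Allowed Packets - 24 Hours</title>
        <!-- Accelerated saved report referenced by name. It does not use the base search, and a
             referenced report does not read the form's Src/Dst IP tokens, so this chart is not
             narrowed by the inputs above; confirm that is intended. -->
        <search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Allowed Packets by Country DestIP Top 5</title>
        <!-- Destinations iplocation could not resolve show up as the "-" slice (see fillnull in base). -->
        <search base="base">
          <query>
            | stats sum(count) as count by Country
            | sort -count
            | head 5
          </query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>DstIP Country</title>
      <table>
        <!-- Country ascending, count descending within a country. -->
        <search base="base">
          <query>
            | stats sum(count) as count by DstIP Country
            | sort Country -count
            | head 5000
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <title>Who is sending packets and to which Country</title>
      <table>
        <!-- SrcIP is renamed only for display; drilldown tokens will use the new name. -->
        <search base="base">
          <query>
            | stats sum(count) as count by SrcIP DstPort Country
            | rename SrcIP to Source_IP
            | sort Country -count
            | head 5000
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>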

Ciao.
Giuseppe
