Can someone please help me make this search as efficient as possible? I am trying to make a Base ID Search and have all of the panels run off of it. One of the panels happens to be a report because I needed to accelerate it, as it's a 24-hour report. Some fields are also dynamic. Have I reached a limitation, or is it possible to have a Base Search and still be able to make fields and panels dynamic?
<form>
<!-- Simple XML form: two text inputs (SrcIP, DstIP) and a time picker drive five inline
     searches plus one referenced saved report. Every inline <query> below repeats the same
     index/sourcetype/IP filter, so the index is scanned once per panel per refresh. -->
<label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
<description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
<fieldset submitButton="false">
<input type="time" searchWhenChanged="true">
<label>Time:</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<!-- NOTE(review): these free-text tokens are substituted verbatim into the SPL as
     SrcIP=$SrcIP$ / DstIP=$DstIP$, so whatever is typed becomes search syntax (extra
     terms, OR clauses, pipes). Referencing them as $SrcIP|s$ / $DstIP|s$ would quote the
     value; "*" still wildcards inside the quotes. -->
<input type="text" token="SrcIP" searchWhenChanged="true">
<label>Src IP</label>
<default>*</default>
</input>
<input type="text" token="DstIP">
<label>Dst IP</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Firepower Allowed Packets</title>
<search>
<!-- The SrcIP="10.0.*" OR ... OR SrcIP="192.168.#.*" group is not parenthesized, so which
     terms the DstIP exclusions apply to depends on the search command's OR/AND evaluation
     order; explicit parentheses would make the intent unambiguous. The "#" characters look
     like redaction (SPL's wildcard is "*"), "172.*" is wider than the RFC 1918
     172.16.0.0/12 block, and field!=value terms also drop events that lack the field
     altogether - confirm all three are intended. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | stats count</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
<search>
<!-- Same base filter as the single-value panel; only the post-stats part differs. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country, DstPort | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source IP</title>
<search>
<!-- Same base filter again, grouped by SrcIP/DstIP/Country. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Firepower Allowed Packets - 24 Hours</title>
<!-- This panel runs a saved (accelerated) report by name. It has no <query> of its own,
     so the SrcIP/DstIP tokens and the dashboard filter above do not reach it; as far as
     the XML shows, it cannot be attached to a dashboard base search either. -->
<search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<chart>
<title>Allowed Packets by Country DestIP Top 5</title>
<search>
<!-- Same base filter; pie of the top five destination countries. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by Country | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>DstIP Country</title>
<table>
<search>
<!-- Same base filter; full DstIP/Country breakdown, capped at 5000 rows. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by DstIP, Country | sort + by Country -count | head 5000</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<title>Who is sending packets and to which Country</title>
<table>
<search>
<!-- Same base filter; SrcIP/DstPort/Country breakdown, SrcIP renamed for display. -->
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstPort, Country | rename SrcIP to Source_IP | sort + by Country -count | head 5000</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
</form>
Hi @fmpa_isaac,
you should look at how to use a post-process search; for more information see https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2.
The Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) is also very useful.
Anyway, try something like this:
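<form>
  <!-- One global base search ("base") carries the event filter and the input tokens;
       every inline panel post-processes it, so the index is scanned once per refresh
       instead of once per panel. The referenced 24-hour report stays a separate job. -->
  <label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
  <description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label>Time:</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free-text values are spliced into the SPL of the base search. They are
         referenced there as $SrcIP|s$ / $DstIP|s$: the |s filter quotes the value, so a
         typed value stays a single field value and cannot add search terms or pipes.
         "*" still acts as a wildcard inside the quotes, so the default is unchanged. -->
    <input type="text" token="SrcIP" searchWhenChanged="true">
      <label>Src IP</label>
      <default>*</default>
    </input>
    <input type="text" token="DstIP">
      <label>Dst IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <search id="base">
    <!-- The three source ranges are parenthesized so the DstIP exclusions apply to all
         of them regardless of the search command's OR/AND evaluation order. The "#"
         characters look like redaction (SPL's wildcard is "*"); "172.*" is wider than
         the RFC 1918 172.16.0.0/12 block; and field!=value terms also drop events that
         lack the field altogether - confirm all three are intended. -->
    <query>
index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block (SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*") AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP|s$ DstIP=$DstIP|s$
    </query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <single>
        <title>Firepower Allowed Packets</title>
        <!-- Post-process searches start with a pipe; the base events are the input. -->
        <search base="base">
          <query>
| stats count
          </query>
        </search>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
        <search base="base">
          <query>
| iplocation DstIP
| stats count by SrcIP DstIP Country DstPort
| sort -count
| head 5
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Firepower Allowed Packets Top 5 Source IP</title>
        <search base="base">
          <query>
| iplocation DstIP
| stats count by SrcIP DstIP Country
| sort -count
| head 5
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.auto.interval">1180</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Firepower Allowed Packets - 24 Hours</title>
        <!-- Saved (accelerated) report referenced by name. It has no <query> here, so
             the base search and the SrcIP/DstIP tokens do not reach it; as far as this
             XML shows, a report panel cannot be attached to a dashboard base search,
             which is the trade-off for keeping the acceleration. -->
        <search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Allowed Packets by Country DestIP Top 5</title>
        <search base="base">
          <query>
| iplocation DstIP
| stats count by Country
| sort -count
| head 5
          </query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>DstIP Country</title>
      <table>
        <search base="base">
          <query>
| iplocation DstIP
| stats count by DstIP Country
| sort Country -count
| head 5000
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
    <panel>
      <title>Who is sending packets and to which Country</title>
      <table>
        <search base="base">
          <query>
| iplocation DstIP
| stats count by SrcIP DstPort Country
| rename SrcIP to Source_IP
| sort Country -count
| head 5000
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>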
Ciao.
Giuseppe