Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Help with making dashboard as efficient as possibl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with making dashboard as efficient as possible
fmpa_isaac
Path Finder
04-21-2020
07:49 AM
Can someone please help me make this search as efficient as possible? I am trying to make a Base ID Search and have all of the panels run off of it. One of the panels happens to be a report because I needed to accelerate it as it's a 24 hour report. Some fields are also dynamic. Have I reached a limitations or is it possible to have a Base Search and still be able to make fields and panels dynamic?
<form>
<label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
<description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
<fieldset submitButton="false">
<input type="time" searchWhenChanged="true">
<label>Time:</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="SrcIP" searchWhenChanged="true">
<label>Src IP</label>
<default>*</default>
</input>
<input type="text" token="DstIP">
<label>Dst IP</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Firepower Allowed Packets</title>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | stats count</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country, DstPort | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source IP</title>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstIP, Country | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Firepower Allowed Packets - 24 Hours</title>
<search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<chart>
<title>Allowed Packets by Country DestIP Top 5</title>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by Country | sort - by count | head 5</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>DstIP Country</title>
<table>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by DstIP, Country | sort + by Country -count | head 5000</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<title>Who is sending packets and to which Country</title>
<table>
<search>
<query>index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$ | iplocation DstIP | stats count by SrcIP, DstPort, Country | rename SrcIP to Source_IP | sort + by Country -count | head 5000</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
04-21-2020
08:36 AM
Hi @fmpa_isaac,
you should see how to use Post process Search, for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2.
It's also very usefule the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).
Anyway, try something like this:
<form>
<label>Allowed Internet Traffic (Inside to Outside) 4/15</label>
<description>Source IPs are only Internal IPs.
Internal IPs excluded from the Destination.
Excludes 10.#.#.# from SrcIP</description>
<fieldset submitButton="false">
<input type="time" searchWhenChanged="true">
<label>Time:</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="SrcIP" searchWhenChanged="true">
<label>Src IP</label>
<default>*</default>
</input>
<input type="text" token="DstIP">
<label>Dst IP</label>
<default>*</default>
</input>
</fieldset>
<search id="base">
<query>
index=sourcefire sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRule!=Block SrcIP="10.0.*" OR SrcIP="172.*" OR SrcIP="192.168.#.*" AND DstIP!="10.0.*" AND DstIP!="172.*" AND DstIP!="192.168.#.*" AND SrcIP!="10.0.#.#" AND DstIP!="8.8.8.8" AND DstIP!="208.67.222.222" AND DstIP!="208.67.220.220" AND DstIP!="208.67.222.220" AND DstIP!="208.67.220.222" SrcIP=$SrcIP$ DstIP=$DstIP$
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<row>
<panel>
<single>
<title>Firepower Allowed Packets</title>
<search base="base">
<query>
| stats count
</query>
</search>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source/Dest/Port IP</title>
<search base="base">
<query>
| iplocation DstIP
| stats count by SrcIP DstIP Country DstPort
| sort -count
| head 5
</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<table>
<title>Firepower Allowed Packets Top 5 Source IP</title>
<search base="base">
<query>
| iplocation DstIP
| stats count by SrcIP DstIP Country
| sort -count
| head 5
</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.auto.interval">1180</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Firepower Allowed Packets - 24 Hours</title>
<search ref="Firepower Allowed Internal to External Packets - 24 Hours"></search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<chart>
<title>Allowed Packets by Country DestIP Top 5</title>
<search base="base">
<query>
| iplocation DstIP
| stats count by Country
| sort -count
| head 5
</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>DstIP Country</title>
<table>
<search base="base">
<query>
| iplocation DstIP
| stats count by DstIP Country
| sort Country -count
| head 5000
</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
<panel>
<title>Who is sending packets and to which Country</title>
<table>
<search base="base">
<query>
| iplocation DstIP
| stats count by SrcIP DstPort Country
| rename SrcIP to Source_IP
| sort Country -count
| head 5000
</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
</form>
Ciao.
Giuseppe
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
Network to App: Observability Unlocked [May & June Series]
In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...
