Splunk ITSI

Customize the Episode Review dashboard using a JSON-formatted dashboard definition

MaximilianoML
Explorer

Hello, guys!

I'm trying to use the episodes table as the base search in the Edit Dashboard view, as well in the Dashboard Classic using the source, but here we already have the results in the table. I'll attach my code snippet below: 

 

{
    "dataSources": {
        "dsQueryCounterSearch1": {
            "options": {
                "query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
        "mttrSearch": {
            "options": {
                "query": "| `itsi_event_management_get_mean_time(resolved)`",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
        "episodesBySeveritySearch": {
            "options": {
                "query": "|`itsi_event_management_episode_by_severity`",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
        "noiseReductionSearch": {
            "options": {
                "query": "| `itsi_event_management_noise_reduction`",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
        "percentAckSearch": {
            "options": {
                "query": "| `itsi_event_management_get_episode_count(acknowledged)` | eval acknowledgedPercent=(Acknowledged/total)*100 | table acknowledgedPercent",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
        "mttaSearch": {
            "options": {
                "query": "| `itsi_event_management_get_mean_time(acknowledged)`",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        }
    },
    "visualizations": {
        "vizQueryCounterSearch1": {
            "title": "Query Counter 1",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0
            },
            "dataSources": {
                "primary": "dsQueryCounterSearch1"
            }
        },
        "episodesBySeverity": {
            "title": "Episodes by Severity",
            "type": "splunk.bar",
            "options": {
                "backgroundColor": "#ffffff",
                "barSpacing": 5,
                "dataValuesDisplay": "all",
                "legendDisplay": "off",
                "showYMajorGridLines": false,
                "yAxisLabelVisibility": "hide",
                "xAxisMajorTickVisibility": "hide",
                "yAxisMajorTickVisibility": "hide",
                "xAxisTitleVisibility": "hide",
                "yAxisTitleVisibility": "hide"
            },
            "dataSources": {
                "primary": "episodesBySeveritySearch"
            }
        },
        "noiseReduction": {
            "title": "Total Noise Reduction",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "> majorValue | rangeValue(backgroundColorThresholds)",
                "numberPrecision": 2,
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "%"
            },
            "context": {
                "backgroundColorThresholds": [
                    {
                        "from": 95,
                        "value": "#65a637"
                    },
                    {
                        "from": 90,
                        "to": 95,
                        "value": "#6db7c6"
                    },
                    {
                        "from": 87,
                        "to": 90,
                        "value": "#f7bc38"
                    },
                    {
                        "from": 85,
                        "to": 87,
                        "value": "#f58f39"
                    },
                    {
                        "to": 85,
                        "value": "#d93f3c"
                    }
                ]
            },
            "dataSources": {
                "primary": "noiseReductionSearch"
            }
        },
        "percentAck": {
            "title": "Episodes Acknowledged",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "numberPrecision": 2,
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "%"
            },
            "dataSources": {
                "primary": "percentAckSearch"
            }
        },
        "mtta": {
            "title": "Mean Time to Acknowledged",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttaSearch"
            }
        }
    },
    "layout": {
        "type": "grid",
        "options": {
            "display": "auto-scale",
            "height": 240,
            "width": 1440
        },
        "structure": [
            {
                "item": "vizQueryCounterSearch1",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 80,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "episodesBySeverity",
                "type": "block",
                "position": {
                    "x": 288,
                    "y": 80,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "noiseReduction",
                "type": "block",
                "position": {
                    "x": 576,
                    "y": 80,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "percentAck",
                "type": "block",
                "position": {
                    "x": 864,
                    "y": 80,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "mtta",
                "type": "block",
                "position": {
                    "x": 1152,
                    "y": 80,
                    "w": 288,
                    "h": 220
                }
            }
        ]
    }
}

 

 

 

I really appreciate your help, have a great day 🙂

Labels (3)
0 Karma
1 Solution

MaximilianoML
Explorer

So, I didn't find how to use a base search, and then I just decided to proceed with a simple query as well in the Search Page.

P.S. The stuff between ` are Macros, you can check here: https://itsi-*.splunkcloud.com/en-GB/manager/itsi/data/macros , it's interesting things but is not helpful for me right now. 

Thank you, friend!

Maximiliano Lopes

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

JSON dashboard definition is for Studio not Classic. What is your question here (or does that already answer it!)?

MaximilianoML
Explorer

Hello, @ITWhisperer !

Yes, actually I'm editing the dashboard on https://itsi-*.splunkcloud.com/en-US/app/itsi/itsi_event_management? , and this is the view: 

MaximilianoML_0-1727358124197.png

I'm looking for a way to make a simple query in the results, like this code snippet:

"dsQueryCounterSearch1": {
"options": {
"query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS",
"queryParameters": {
"earliest": "$earliest_time$",
"latest": "$latest_time$"
}
},
"type": "ds.search"
},

but doesn't return anything, any ideia how to refer the base search like the default querys? 

P.S: This data: 

MaximilianoML_1-1727358391998.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Which search are you trying to extend - if it is "mttrSearch", you would do something like this

    "dataSources": {
        "dsQueryCounterSearch1": {
            "options": {
                "extend": "mttrSearch",
                "query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search"
        },
0 Karma

MaximilianoML
Explorer

This is the problem, I don't how this works... but I want to use the data that appears on the table in the bottom: 

MaximilianoML_0-1727362764656.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What is the data source for that table? The JSON you have shared does not appear to cover that

0 Karma

MaximilianoML
Explorer

So, I didn't find how to use a base search, and then I just decided to proceed with a simple query as well in the Search Page.

P.S. The stuff between ` are Macros, you can check here: https://itsi-*.splunkcloud.com/en-GB/manager/itsi/data/macros , it's interesting things but is not helpful for me right now. 

Thank you, friend!

Maximiliano Lopes

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...