Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About anissabnk
anissabnk
Path Finder
Member since:
02-24-2021
Tuesday
Community Statistics
| Posts | 86 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 02-24-2021 |
Activity Feed
- Posted Re: extract time with sc4s on Splunk Enterprise. Monday
- Posted Re: extract time with sc4s on Splunk Enterprise. a week ago
- Posted Re: extract time with sc4s on Splunk Enterprise. a week ago
- Posted extract time with sc4s on Splunk Enterprise. a week ago
- Tagged extract time with sc4s on Splunk Enterprise. a week ago
- Tagged extract time with sc4s on Splunk Enterprise. a week ago
- Got Karma for increase dropdown limit values : 1000 values / 25 000 values. 04-25-2025 03:18 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-02-2025 02:08 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 07:19 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 07:01 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 06:28 AM
- Posted Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-26-2025 10:13 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-17-2025 12:42 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-06-2025 12:45 PM
- Posted Re: help spl query on Splunk Enterprise Security. 02-06-2025 10:16 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-05-2025 05:01 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
Monday
Hello, For the sourcetype, that's what I obtain : [splunk@splunk ~]$ /opt/splunk/bin/splunk btool props list st_postfix --debug /opt/splunk/etc/apps/TA-postfix/local/props.conf [st_postfix] /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8 /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false /opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-delay = delay*1000 /opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-dest = coalesce(dest, nullif(dest_host, "unknown"), dest_ip) /opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-src=coalesce(src, nullif(src_host, "unknown"), src_ip) /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-bounce = postfix/bounce\[\d+\]: [a-fA-F0-9]{6,20}: (?<bounce_reason>[^:]+): (?<bounce_queue_id>[a-fA-F0-9]{6,20})$ /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-delays = ^(?<time_before_queue>[^/]+)/(?<time_in_queue>[^/]+)/(?<time_connecting>[^/]+)/(?<time_transmitting>[^$]+)$ in delays /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-dest = relay=(?<dest_host>[^\[ ,]+)\[(?<dest_ip>[^: \]]+)\](?::(?<dest_port>\d+))? /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-queue_id = postfix/[\w/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}): /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-reason = status=[^\s]+\s+\((?<reason>.*)\)$ /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-reject_reason = : (?<reject_reason>[^;:]+); /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-remote_queue = queued as (?<xref>[A-Fa-f0-9]+) in reason /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-src-connect = (?:dis)?connect(?:ion after (?:HELO|CONNECT))? from (?:(?<src_host>[^\[]+)\[(?<src_ip>[\d.]+)|(?<src>.*)) /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-status_code = status=\w+ \((?:host \S+ said:\s*)?(?<status_code_short>\d+) /opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject): /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-filter_action = reject_reason as filter_action /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-internal_message_id = queue_id AS internal_message_id /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-orig_recipient = orig_to as orig_recipient /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-process_id = pid AS process_id /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-protocol = proto as protocol /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-recipient = to as recipient /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-recipient_count = nrcpt as recipient_count /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-src_user = from as src_user /opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-status_code = dsn as status_code /opt/splunk/etc/system/default/props.conf HEADER_MODE = /opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000 /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100 /opt/splunk/etc/apps/TA-postfix/local/props.conf LOOKUP-actions = postfix_actions status OUTPUT action /opt/splunk/etc/apps/TA-postfix/local/props.conf LOOKUP-consts = postfix_consts sourcetype OUTPUT protocol, vendor, product /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800 /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256 /opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7 /opt/splunk/etc/apps/TA-postfix/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 25 /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = /opt/splunk/etc/apps/TA-postfix/local/props.conf REPORT-angle_brackets = postfix_angle_brackets /opt/splunk/etc/apps/TA-postfix/local/props.conf REPORT-subject = postfix_subject /opt/splunk/etc/apps/TA-postfix/local/props.conf SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+// /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard /opt/splunk/etc/apps/TA-postfix/local/props.conf SHOULD_LINEMERGE = false /opt/splunk/etc/apps/TA-postfix/local/props.conf TIME_FORMAT = %b %d %H:%M:%S /opt/splunk/etc/apps/TA-postfix/local/props.conf TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+ /opt/splunk/etc/system/default/props.conf TRANSFORMS = /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000 /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false /opt/splunk/etc/system/default/props.conf maxDist = 100 /opt/splunk/etc/system/default/props.conf priority = /opt/splunk/etc/apps/TA-postfix/local/props.conf pulldown_type = 0 /opt/splunk/etc/system/default/props.conf sourcetype = /opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false /opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell
... View more
a week ago
Hello @livehybrid , I tried what you propose but unfortunately, it doesn't work : That's what I did, on my .conf files : props.conf : # KSCONF-NO-SORT [st_postfix] # Note: Extending Splunk default settings (See $SPLUNK_HOME/etc/system/default/props.conf pulldown_type = 0 # Ignore le tag (EXTERNE/INTERNE/RIE/CLE) et pointe sur le timestamp TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+ # Format du timestamp : "Apr 28 10:45:00" TIME_FORMAT = %b %d %H:%M:%S # Augmente la fenêtre de recherche pour inclure le timestamp + nom d'hôte MAX_TIMESTAMP_LOOKAHEAD = 25 # Désactive la fusion de lignes SHOULD_LINEMERGE = false # Extract the subject if enabled in Postfix's configuration REPORT-subject = postfix_subject # Extract to/from/message-id/helo (without the '<>'s) REPORT-angle_brackets = postfix_angle_brackets EXTRACT-queue_id = postfix/[\w/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}): EXTRACT-bounce = postfix/bounce\[\d+\]: [a-fA-F0-9]{6,20}: (?<bounce_reason>[^:]+): (?<bounce_queue_id>[a-fA-F0-9]{6,20})$ EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject): EXTRACT-reason = status=[^\s]+\s+\((?<reason>.*)\)$ EXTRACT-reject_reason = : (?<reject_reason>[^;:]+); EXTRACT-dest = relay=(?<dest_host>[^\[ ,]+)\[(?<dest_ip>[^: \]]+)\](?::(?<dest_port>\d+))? EXTRACT-remote_queue = queued as (?<xref>[A-Fa-f0-9]+) in reason EXTRACT-status_code = status=\w+ \((?:host \S+ said:\s*)?(?<status_code_short>\d+) EXTRACT-src-connect = (?:dis)?connect(?:ion after (?:HELO|CONNECT))? from (?:(?<src_host>[^\[]+)\[(?<src_ip>[\d.]+)|(?<src>.*)) # Extration of the different delays (cf. http://logreporters.sourceforge.net/faq.html#percentiles) EXTRACT-delays = ^(?<time_before_queue>[^/]+)/(?<time_in_queue>[^/]+)/(?<time_connecting>[^/]+)/(?<time_transmitting>[^$]+)$ in delays # Rename fields for CIM compliance with the Email data model FIELDALIAS-status_code = dsn as status_code #FIELDALIAS-status_code = status_code_short as status_code FIELDALIAS-protocol = proto as protocol FIELDALIAS-filter_action = reject_reason as filter_action FIELDALIAS-internal_message_id = queue_id AS internal_message_id FIELDALIAS-process_id = pid AS process_id FIELDALIAS-src_user = from as src_user FIELDALIAS-recipient = to as recipient FIELDALIAS-orig_recipient = orig_to as orig_recipient FIELDALIAS-recipient_count = nrcpt as recipient_count # Don't extract 'src_host' if "unknown" (typical with reverse DNS disabled) EVAL-src=coalesce(src, nullif(src_host, "unknown"), src_ip) # FIELDALIAS-src=src_host AS src, src_ip AS src EVAL-dest = coalesce(dest, nullif(dest_host, "unknown"), dest_ip) LOOKUP-consts = postfix_consts sourcetype OUTPUT protocol, vendor, product LOOKUP-actions = postfix_actions status OUTPUT action # Email CIM requires the delay field to be in milliseconds EVAL-delay = delay*1000 # Suppression des tags injectés par rsyslog (EXTERNE, INTERNE, RIE, CLE) SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+// #Extraction du _time TRANSFORMS-getCorrectSC4STime = getCorrectSC4STime transforms.conf : # KSCONF-NO-SORT [postfix_angle_brackets] # Strip out the '<' or '>' from the value of the postfix log messages. # Examples: # to=<jdoe@aol.com> # from=<bob@example.com> # message-id=<20360611180017.4944318FE39@webapp.example.com> # helo=<localhost.localdomain> REGEX = [ ](to|from|message-id|helo)=<([^<> ]+)> FORMAT = $1::$2 [postfix_subject] # Logging the subject header requires changes to postfix config (disabled by default) # main.cf: header_checks = regexp:/etc/postfix/header_checks # header_checks: /^subject:/ WARN # Example event: # Nov 4 10:57:01 localhost postfix/cleanup[22492]: 2290326720: warning: header subject: test email from localhost[127.0.0.1]; from= to= proto=SMTP helo= REGEX = header [Ss]ubject: (?<subject>.+?) from [^;]+; # Lookups [postfix_consts] # Constant fields applied uniformly to ALL events # Note: More efficient than using an 'EVAL-*' for these fields. filename = postfix_consts.csv [postfix_actions] # Convert Postfix's 'status' messages into CIM 'actions' (as best as possible) filename = postfix_actions.csv #Extraction du _time [getCorrectSC4STime] INGEST_EVAL = _time=strptime(_raw,"%B %d %H:%M:%S")
... View more
a week ago
Hello, I hope you are well. I’m having some issues with log parsing on the rsyslog side. Let me explain: I’m working with three machines: - Linux sources (where I store the files to be read) - SC4S - Splunk machine - TA-postfix SC4S : I'm working with this configuration file, which allows me to define the index and the source type logos-postfix-parser.conf : /opt/sc4s/local/config/app_parsers/syslog # the block parser is where the "parsing" of the event happens and enrichment of meta data # sample: <111> Mar 24 10:45:00 osnixexample: this is a test block parser logos-postfix-rie-parser() { channel { rewrite { r_set_splunk_dest_default( index("idx_messagerie_rie") sourcetype("st_postfix") vendor("postfix") product("logos") ); }; }; }; block parser logos-postfix-interne-parser() { channel { rewrite { r_set_splunk_dest_default( index("idx_messagerie_relaisinterne") sourcetype("st_postfix") vendor("postfix") product("logos") ); }; }; }; block parser logos-postfix-externe-parser() { channel { rewrite { r_set_splunk_dest_default( index("idx_messagerie_relaisexterne") # Index cible sourcetype("st_postfix") # Sourcetype personnalisé vendor("postfix") product("logos") ); }; }; }; block parser logos-postfix-externe-cle-parser() { channel { rewrite { r_set_splunk_dest_default( index("idx_messagerie_relaisexterne_cle") # Index cible sourcetype("st_postfix") # Sourcetype personnalisé vendor("postfix") product("logos") ); }; }; }; application logos-postfix-rie[sc4s-syslog] { filter { #program('f_rie' type(string) flags(prefix)); program('RIE' type(string) flags(prefix)); }; parser { logos-postfix-rie-parser(); }; }; application logos-postfix-interne[sc4s-syslog] { filter { program('INTERNE' type(string) flags(prefix)); #program('f_interne' type(string) flags(prefix)); }; parser { logos-postfix-interne-parser(); }; }; application logos-postfix-externe[sc4s-syslog] { filter { program('EXTERNE' type(string) flags(prefix)); # <-- Filtre sur le tag #program('f_externe' type(string) flags(prefix)); }; parser { logos-postfix-externe-parser(); # <-- Utilise le parser dédié }; }; application logos-postfix-externe-cle[sc4s-syslog] { filter { program('CLE' type(string) flags(prefix)); # <-- Filtre sur le tag #program('f_externe' type(string) flags(prefix)); }; parser { logos-postfix-externe-cle-parser(); # <-- Utilise le parser dédié }; }; LINUX sources : rsyslog.conf : /etc/rsyslog.conf I managed to retrieve my data in Splunk, except that the tag appears at the start of the log like this; I found a way to remove it via the props.conf file on my TA: # (EXTERNE, INTERNE, RIE, CLE)SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+// So, great, the tag has been removed, but the parsing isn’t working for the timestamp. The _time isn’t being parsed correctly; no matter how I modify props.conf, it doesn’t work. In terms of priority, _time is parsed before SDCMD. So I tried treating the tag as if it were still there in order to parse the _time. # Note: Extending Splunk default settings (See $SPLUNK_HOME/etc/system/default/props.conf pulldown_type = 0 # Ignore le tag (EXTERNE/INTERNE/RIE/CLE) et pointe sur le timestamp TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+ # Format du timestamp : "Apr 28 10:45:00" TIME_FORMAT = %b %d %H:%M:%S # Augmente la fenêtre de recherche pour inclure le timestamp + nom d'hôte MAX_TIMESTAMP_LOOKAHEAD = 25 # Désactive la fusion de lignes SHOULD_LINEMERGE = false # Extract the subject if enabled in Postfix's configuration REPORT-subject = postfix_subject # Extract to/from/message-id/helo (without the '<>'s) REPORT-angle_brackets = postfix_angle_brackets I get the feeling the problem lies with sc4s, and that I might need to add something to rsyslog.conf, but I’m not sure how to go about it. Can you help me?
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
04-02-2025
02:08 AM
@marnall, please
... View more
04-01-2025
07:19 AM
@marnall I would to had to do the th same for "MaxEcutionTime" field, can you help me please
... View more
04-01-2025
07:01 AM
I would to had to do the th same for "MaxEcutionTime" field, can you help me please
... View more
04-01-2025
06:28 AM
thank you so much, it works
... View more
03-28-2025
09:02 AM
Hello, I'm having a problem with the colouring of a column in my table. I need to colour the AverageExecutionTime column according to the value of Treshold. If AverageExecutionTime > Treshold then the AverageExecutionTime column is coloured red. If AverageExecutionTime < Treshold then the AverageExecutionTime column is coloured green. I've tried lots of things but it doesn't work, the conidition isn't respected, and AverageExutionTime is always coloured green. The first line should be in red <row> <panel> <title>XRT Execution Dashboard</title> <table> <search> <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time" | rex field=source "(?<Datetime>\d{8}_\d{6})_usr@(?<Username>[\w\.]+)_ses@\d+_\d+_MAXL#(?<TemplateName>\d+)_apd@(?<ScriptName>[\w]+)_obj#(?<ObjectID>[^.]+)\.msh\.log" | rex "Total Calc Elapsed Time\s*:\s*\[(?<calc_time>\d+\.\d+)\]\s*seconds" | stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName | eval AverageExecutionTime = round(AverageExecutionTime, 3) |lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold" | table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName |search $ScriptName$ $ObjectID$ $TemplateName$ |sort - AverageExecutionTime</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <!--format type="color" field="AverageExecutionTime"> <colorPalette type="expression"> <mapping field="AverageExecutionTime"> if(AverageExecutionTime > Treshold, "#D94E17", "#55C169") </mapping> </colorPalette> </format--> <!-- Mise en couleur conditionnelle --> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="Color"> <colorPalette type="map">{"High":"#D94E17", "Low":"#55C169"}</colorPalette> </format> <drilldown> <condition field="ScriptName"> <link target="_blank">/app/search/dev_vwt_dashboards_uc31_details?ScriptName=$row.ScriptName$&Script_Execution_Details=true&earliest=$earliest$&latest=$latest$</link> </condition> </drilldown> </table> </panel> </row> <row> <panel> <title>TEST XRT Execution Dashboard</title> <table> <search> <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time" | rex field=source "(?<Datetime>\d{8}_\d{6})_usr@(?<Username>[\w\.]+)_ses@\d+_\d+_MAXL#(?<TemplateName>\d+)_apd@(?<ScriptName>[\w]+)_obj#(?<ObjectID>[^.]+)\.msh\.log" | rex "Total Calc Elapsed Time\s*:\s*\[(?<calc_time>\d+\.\d+)\]\s*seconds" | stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName | eval AverageExecutionTime = round(AverageExecutionTime, 0) | lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold" | eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169") | table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode | search $ScriptName$ $ObjectID$ | sort - AverageExecutionTime</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> <format type="color" field="AverageExecutionTime"> <colorPalette type="expression">if(AverageExecutionTime > Treshold,"#D94E17", "#55C169")</colorPalette> </format> </table> </panel> </row>
... View more
Labels
02-26-2025
10:13 AM
Hello @tscroggins I have a problem with your spl request because some results are truncated, with your help, i tested this : index=aws_app_corp-it_datastage earliest=-5d@d latest=@d | spath input=_raw | search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*" | eval status=case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown") | eval tmp=JOBNAME."|".PROJECTNAME."|".INVOCATIONID."|".strftime(_time, "%Y-%m-%d %H:%M:%S") | eval date=strftime(_time, "%Y-%m-%d") | eval value=if(status=="Unknown", "Unknown", "start time: ".coalesce(strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), "").urldecode("%0a"). if(status=="In Progress", "Running", "end time: ".coalesce(strftime(strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), ""))).urldecode("%0a").status | xyseries tmp date value | eval tmp=split(tmp, "|"), Job_Name=mvindex(tmp, 0), Project_Name=mvindex(tmp, 1), Geographical_Zone=mvindex(tmp, 2) | fields - tmp | table Job_Name Project_Name Geographical_Zone * |search Geographical_Zone="EMEA" Job_Name="*" Project_Name="*" | fillnull value="Unknown" 1306 results With the first request I send you, index=aws_app_corp-it_datastage earliest=-5d@d latest=@d | spath input=_raw | eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval Date=strftime(_time, "%Y-%m-%d") | eval Geographical_Zone=INVOCATIONID | eval Duration=round(abs(EndTime - StartTime)/60, 2) | eval Status = case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Completed", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown") | eval StartTimeFormatted=strftime(StartTime, "%H:%M:%S.%1N") | eval EndTimeFormatted=strftime(EndTime, "%H:%M:%S.%1N") | eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A") | eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A") | table JOBNAME PROJECTNAME Geographical_Zone _time Date RUNSTARTTIMESTAMP StartTimeDisplay RUNENDTIMESTAMP EndTimeDisplay Status | rename JOBNAME as Job_Name, PROJECTNAME as Project_Name |search Job_Name="*" Geographical_Zone="EMEA" Date="*" Project_Name="*" Status="*" |sort -Date | table Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status | dedup Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status 2352 results so it doesn't work because some failed jobs don't appear, for example
... View more
02-17-2025
12:42 AM
@tscroggins , is there an alternative to using xyseries because the results are limited and the results displayed are therefore truncated?
... View more
02-06-2025
12:45 PM
I'm trying to represent this: ,but I can't quite do it. I can't manage to display the last 5 days before the current date in a column. I've managed to do this, but I'd have to manage to extract the current date automatically via _time, and place it in a column, and have the start time and end time values in these columns:
... View more
02-06-2025
10:16 AM
-> "Completed with Warnings" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW" -> "Successful Launch" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK" -> "Failure" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF" -> "In Progress" RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN"
... View more
02-05-2025
04:52 AM
that a log : 2025-01-20 04:38:04.142, HOSTNAME="AEW1052ETLLD2", PROJECTNAME="AQUAVISTA_UAT", JOBNAME="Jx_104_SALES_ORDER_HEADER_FILE", INVOCATIONID="HES", RUNSTARTTIMESTAMP="2025-01-19 20:18:25.0", RUNENDTIMESTAMP="2025-01-19 20:18:29.0", RUNMAJORSTATUS="FIN", RUNMINORSTATUS="FWW", RUNTYPENAME="Run"
... View more
02-03-2025
06:29 AM
Hello, I need some help for a query. I have to do this : At the moment I haven't managed to get exactly what I've asked for, I can't place the dates on the last few days in the column, I've tried several things but to no avail. All I've managed to do is this: index=aws_app_corp-it_datastage | spath input=_raw | eval Country=INVOCATIONID | eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval Duration=round(abs(EndTime - StartTime)/60, 2) | eval Status = case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown" ) | eval StartTimeFormatted=strftime(StartTime, "%H:%M") | eval EndTimeFormatted=strftime(EndTime, "%H:%M") | eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A") | eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A") | table JOBNAME PROJECTNAME Country _time StartTimeDisplay EndTimeDisplay Status | rename JOBNAME as Job, PROJECTNAME as App | sort -_time |search Country="*" App="*" Status="*"
... View more
Labels
- Labels:
-
using Enterprise Security
12-18-2024
09:03 AM
Hello, I need your help with timepicker values. I'd like to be able to keep some and hide others. I would like to hide all times linked to real time : "today,..." In the predefined periods : Yesterday Since the start of the week Since the beginning of the working week From the beginning of the month Year to date Yesterday Last week The previous working week The previous month The previous year Last 7 days Last 30 days Other Anytime I would to have also : Period defined by a date Date and period Advanced
... View more
12-12-2024
02:46 AM
This : <condition match="$row.Services$ == "s3-bucket""> works fine
... View more
12-09-2024
11:57 PM
<condition match="$Services$ == "vpc""> </condition>
<!--eval token="VPC_details">if(match($Services$, "vpc"), "true", "false")</eval>
<set token="VPC_details"></set>
<unset token="S3_details"></unset>
<unset token="EC2_details"></unset-->
<condition>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
I tried this but it doesn't work
... View more
12-09-2024
10:18 AM
Hello,
Than your for your answer but it doesn't work.
panel 1 :
<row>
<panel>
<title>AWS Services Monitoring</title>
<table>
<search>
<!--done>
<set token="Services">$click.name$</set>
</done-->
<query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
|search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
|fillnull value="N/A"
|search $ResourceName$ $Services$ $Status$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="Status">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<drilldown>
<condition match="$row.Services$ != "s3-bucket"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&S3_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != "vpc"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != "ec2"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&EC2_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
</drilldown>
</table>
</panel>
</row>
panel 2:
<row>
<panel depends="$S3_details$">
<title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$VPC_details$">
<title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$EC2_details$">
<title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$SERVICES_details$">
<title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
</row>
But it does'nt work, when I select the vpc filter, I arrive at the S3_details view, instead of arriving at VPC_details when I select the s3-bucket filter, I go to VPC_details instead of S3_details when I select the ec2 filter, I end up on S3_details instead of EC2_details
... View more
12-06-2024
10:17 AM
Hello, I want to make a drilldown with those services : and I have to apply a drilldow for (s3-bucket / vpc / ec2) I've tried several things but nothing works <row> <panel> <title>AWS Services Monitoring</title> <table> <search> <!--done> <set token="Services">$click.name$</set> </done--> <query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*" | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") |search Services!=Other | lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name | table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime | dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check" |fillnull value="N/A" |search $ResourceName$ $Services$ $Status$</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="count">100</option> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">true</option> <format type="color" field="Status"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <drilldown> <condition match="$Services$ != "s3-bucket""> <set token="Services">s3-bucket</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&S3_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> <condition match="$Services$ != "vpc""> <set token="Services">vpc</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> <condition match="$Services$ != "ec2""> <set token="Services">ec2</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&EC2_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> </drilldown> </table> </panel> </row> The drilldown is supposed to ‘point’ to a second dashboard in the following way: </panel> <panel depends="$VPC_details$"> <title>VPC DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$EC2_details$"> <title>EC2 DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$SERVICES_details$"> <title>SERVICES DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> </row> When s3-bucket is selected, we point to the ‘S3_details’ panel, and so on The link target works fine, but it's the click value at the beginning with the service selection that doesn't work
... View more
Labels
- Labels:
-
stats
10-21-2024
08:21 AM
Hello,
I have a question about customising my time picker. I'd like to display two panels, one for 24 hours and one for 1 month. And I'd like panel 1 to be displayed when the teps selected is 24h, and the second panel to be displayed when the time picker is for the current month.
I tried this, but it doesn't work :
<form version="1.1" theme="light">
<label>dev_vwt_dashboards_uc47</label>
<init>
<set token="time_range">-24h@h</set>
<set token="date_connection">*</set>
<set token="time_connection">*</set>
<set token="IPAddress">*</set>
<set token="User">*</set>
<set token="AccessValidation">*</set>
</init>
<!--fieldset autoRun="false" submitButton="true">
<input type="time" token="field1" searchWhenChanged="true">
<label>Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset-->
<fieldset autoRun="false" submitButton="true">
<input type="dropdown" token="time_range" searchWhenChanged="true">
<label>Select Time Range</label>
<choice value="-24h@h">Last 24 hours</choice>
<!--choice value="@mon">Since Beginning of Month</choice-->
<default>Last 24 hours</default>
<!--change>
<condition value="-24h@h">
<set token="tokShowPanel1">true</set>
<unset token="tokShowPanel2"></unset>
</condition>
<condition value="@mon">
<unset token="tokShowPanel1"></unset>
<set token="tokShowPanel2">true</set>
</condition>
</change-->
</input>
</fieldset>
<row>
<panel>
<input type="text" token="date_connection" searchWhenChanged="true">
<label>date_connection</label>
<default>*</default>
<prefix>date_connection="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="time_connection" searchWhenChanged="true">
<label>time_connection</label>
<default>*</default>
<prefix>time_connection="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="IPAddress" searchWhenChanged="true">
<label>IPAddress</label>
<default>*</default>
<prefix>IPAddress="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="User" searchWhenChanged="true">
<label>User</label>
<default>*</default>
<prefix>User="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="AccessValidation" searchWhenChanged="true">
<label>AccessValidation</label>
<default>*</default>
<prefix>AccessValidation="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
<choice value="*">All</choice>
<choice value="failure">failure</choice>
<choice value="success">success</choice>
<choice value="denied">denied</choice>
</input>
</panel>
</row>
<row>
<panel id="AD_Users_Authentication_last_24_hours" depends="$tokShowPanel1$">
<title>AD Users Authentication</title>
<table>
<search>
<query>|loadjob savedsearch="anissa.bannak.ext@abc.com:search:dev_vwt_saved_search_uc47_AD_Authentication_Result" |rename UserAccountName as "User" |search $date_connection$ $time_connection$ $IPAddress$ $User$ $AccessValidation$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">100</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Last Connection Status">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
<format type="number" field="AuthenticationResult"></format>
<format type="color" field="AuthenticationResult">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access_Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="AccessValidation">
<colorPalette type="map">{"success":#118832,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="last_connection_status">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel id="AD_Users_Authentication_1_month" depends="$tokShowPanel2$">
<title>AD Users Authentication</title>
<table>
<search>
<query>|loadjob savedsearch="anissa.bannak.ext@abc.com:search:dev_vwt_saved_search_uc47_AD_Authentication_Result" |rename UserAccountName as "User" |search $date_connection$ $time_connection$ $IPAddress$ $User$ $AccessValidation$</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Last Connection Status">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
<format type="number" field="AuthenticationResult"></format>
<format type="color" field="AuthenticationResult">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access_Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="AccessValidation">
<colorPalette type="map">{"success":#118832,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="last_connection_status">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
</table>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
using Splunk Enterprise
07-09-2024
01:44 AM
No that's not it. I want my dropdown to be powered by a search but which will be defined in a js. Something like this?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
