Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About anissabnk
anissabnk
Path Finder
Member since:
02-24-2021
04-02-2025
Community Statistics
| Posts | 82 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 02-24-2021 |
Activity Feed
- Got Karma for increase dropdown limit values : 1000 values / 25 000 values. 4 weeks ago
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-02-2025 02:08 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 07:19 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 07:01 AM
- Posted Re: Change color table on treshold field on Splunk Enterprise Security. 04-01-2025 06:28 AM
- Posted Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Tagged Change color table on treshold field on Splunk Enterprise Security. 03-28-2025 09:02 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-26-2025 10:13 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-17-2025 12:42 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-06-2025 12:45 PM
- Posted Re: help spl query on Splunk Enterprise Security. 02-06-2025 10:16 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-05-2025 05:01 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-05-2025 04:52 AM
- Posted Re: help spl query on Splunk Enterprise Security. 02-05-2025 02:18 AM
- Posted help spl query on Splunk Enterprise Security. 02-03-2025 06:29 AM
- Posted custom time picker on Splunk Dev. 12-18-2024 09:03 AM
- Posted Re: condition drilldown - with link target on Splunk Search. 12-12-2024 02:46 AM
- Posted Re: condition drilldown - with link target on Splunk Search. 12-09-2024 11:57 PM
04-02-2025
02:08 AM
@marnall, please
... View more
04-01-2025
07:19 AM
@marnall I would to had to do the th same for "MaxEcutionTime" field, can you help me please
... View more
04-01-2025
07:01 AM
I would to had to do the th same for "MaxEcutionTime" field, can you help me please
... View more
04-01-2025
06:28 AM
thank you so much, it works
... View more
03-28-2025
09:02 AM
Hello, I'm having a problem with the colouring of a column in my table. I need to colour the AverageExecutionTime column according to the value of Treshold. If AverageExecutionTime > Treshold then the AverageExecutionTime column is coloured red. If AverageExecutionTime < Treshold then the AverageExecutionTime column is coloured green. I've tried lots of things but it doesn't work, the conidition isn't respected, and AverageExutionTime is always coloured green. The first line should be in red <row> <panel> <title>XRT Execution Dashboard</title> <table> <search> <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time" | rex field=source "(?<Datetime>\d{8}_\d{6})_usr@(?<Username>[\w\.]+)_ses@\d+_\d+_MAXL#(?<TemplateName>\d+)_apd@(?<ScriptName>[\w]+)_obj#(?<ObjectID>[^.]+)\.msh\.log" | rex "Total Calc Elapsed Time\s*:\s*\[(?<calc_time>\d+\.\d+)\]\s*seconds" | stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName | eval AverageExecutionTime = round(AverageExecutionTime, 3) |lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold" | table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName |search $ScriptName$ $ObjectID$ $TemplateName$ |sort - AverageExecutionTime</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <!--format type="color" field="AverageExecutionTime"> <colorPalette type="expression"> <mapping field="AverageExecutionTime"> if(AverageExecutionTime > Treshold, "#D94E17", "#55C169") </mapping> </colorPalette> </format--> <!-- Mise en couleur conditionnelle --> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="Color"> <colorPalette type="map">{"High":"#D94E17", "Low":"#55C169"}</colorPalette> </format> <drilldown> <condition field="ScriptName"> <link target="_blank">/app/search/dev_vwt_dashboards_uc31_details?ScriptName=$row.ScriptName$&Script_Execution_Details=true&earliest=$earliest$&latest=$latest$</link> </condition> </drilldown> </table> </panel> </row> <row> <panel> <title>TEST XRT Execution Dashboard</title> <table> <search> <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time" | rex field=source "(?<Datetime>\d{8}_\d{6})_usr@(?<Username>[\w\.]+)_ses@\d+_\d+_MAXL#(?<TemplateName>\d+)_apd@(?<ScriptName>[\w]+)_obj#(?<ObjectID>[^.]+)\.msh\.log" | rex "Total Calc Elapsed Time\s*:\s*\[(?<calc_time>\d+\.\d+)\]\s*seconds" | stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName | eval AverageExecutionTime = round(AverageExecutionTime, 0) | lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold" | eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169") | table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode | search $ScriptName$ $ObjectID$ | sort - AverageExecutionTime</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> <format type="color" field="AverageExecutionTime"> <colorPalette type="expression">if(AverageExecutionTime > Treshold,"#D94E17", "#55C169")</colorPalette> </format> </table> </panel> </row>
... View more
Labels
02-26-2025
10:13 AM
Hello @tscroggins I have a problem with your spl request because some results are truncated, with your help, i tested this : index=aws_app_corp-it_datastage earliest=-5d@d latest=@d | spath input=_raw | search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*" | eval status=case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown") | eval tmp=JOBNAME."|".PROJECTNAME."|".INVOCATIONID."|".strftime(_time, "%Y-%m-%d %H:%M:%S") | eval date=strftime(_time, "%Y-%m-%d") | eval value=if(status=="Unknown", "Unknown", "start time: ".coalesce(strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), "").urldecode("%0a"). if(status=="In Progress", "Running", "end time: ".coalesce(strftime(strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), ""))).urldecode("%0a").status | xyseries tmp date value | eval tmp=split(tmp, "|"), Job_Name=mvindex(tmp, 0), Project_Name=mvindex(tmp, 1), Geographical_Zone=mvindex(tmp, 2) | fields - tmp | table Job_Name Project_Name Geographical_Zone * |search Geographical_Zone="EMEA" Job_Name="*" Project_Name="*" | fillnull value="Unknown" 1306 results With the first request I send you, index=aws_app_corp-it_datastage earliest=-5d@d latest=@d | spath input=_raw | eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval Date=strftime(_time, "%Y-%m-%d") | eval Geographical_Zone=INVOCATIONID | eval Duration=round(abs(EndTime - StartTime)/60, 2) | eval Status = case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Completed", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown") | eval StartTimeFormatted=strftime(StartTime, "%H:%M:%S.%1N") | eval EndTimeFormatted=strftime(EndTime, "%H:%M:%S.%1N") | eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A") | eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A") | table JOBNAME PROJECTNAME Geographical_Zone _time Date RUNSTARTTIMESTAMP StartTimeDisplay RUNENDTIMESTAMP EndTimeDisplay Status | rename JOBNAME as Job_Name, PROJECTNAME as Project_Name |search Job_Name="*" Geographical_Zone="EMEA" Date="*" Project_Name="*" Status="*" |sort -Date | table Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status | dedup Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status 2352 results so it doesn't work because some failed jobs don't appear, for example
... View more
02-17-2025
12:42 AM
@tscroggins , is there an alternative to using xyseries because the results are limited and the results displayed are therefore truncated?
... View more
02-06-2025
12:45 PM
I'm trying to represent this: ,but I can't quite do it. I can't manage to display the last 5 days before the current date in a column. I've managed to do this, but I'd have to manage to extract the current date automatically via _time, and place it in a column, and have the start time and end time values in these columns:
... View more
02-06-2025
10:16 AM
-> "Completed with Warnings" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW" -> "Successful Launch" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK" -> "Failure" RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF" -> "In Progress" RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN"
... View more
02-05-2025
04:52 AM
that a log : 2025-01-20 04:38:04.142, HOSTNAME="AEW1052ETLLD2", PROJECTNAME="AQUAVISTA_UAT", JOBNAME="Jx_104_SALES_ORDER_HEADER_FILE", INVOCATIONID="HES", RUNSTARTTIMESTAMP="2025-01-19 20:18:25.0", RUNENDTIMESTAMP="2025-01-19 20:18:29.0", RUNMAJORSTATUS="FIN", RUNMINORSTATUS="FWW", RUNTYPENAME="Run"
... View more
02-03-2025
06:29 AM
Hello, I need some help for a query. I have to do this : At the moment I haven't managed to get exactly what I've asked for, I can't place the dates on the last few days in the column, I've tried several things but to no avail. All I've managed to do is this: index=aws_app_corp-it_datastage | spath input=_raw | eval Country=INVOCATIONID | eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q") | eval Duration=round(abs(EndTime - StartTime)/60, 2) | eval Status = case( RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown" ) | eval StartTimeFormatted=strftime(StartTime, "%H:%M") | eval EndTimeFormatted=strftime(EndTime, "%H:%M") | eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A") | eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A") | table JOBNAME PROJECTNAME Country _time StartTimeDisplay EndTimeDisplay Status | rename JOBNAME as Job, PROJECTNAME as App | sort -_time |search Country="*" App="*" Status="*"
... View more
Labels
- Labels:
-
using Enterprise Security
12-18-2024
09:03 AM
Hello, I need your help with timepicker values. I'd like to be able to keep some and hide others. I would like to hide all times linked to real time : "today,..." In the predefined periods : Yesterday Since the start of the week Since the beginning of the working week From the beginning of the month Year to date Yesterday Last week The previous working week The previous month The previous year Last 7 days Last 30 days Other Anytime I would to have also : Period defined by a date Date and period Advanced
... View more
12-12-2024
02:46 AM
This : <condition match="$row.Services$ == "s3-bucket""> works fine
... View more
12-09-2024
11:57 PM
<condition match="$Services$ == "vpc""> </condition>
<!--eval token="VPC_details">if(match($Services$, "vpc"), "true", "false")</eval>
<set token="VPC_details"></set>
<unset token="S3_details"></unset>
<unset token="EC2_details"></unset-->
<condition>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
I tried this but it doesn't work
... View more
12-09-2024
10:18 AM
Hello,
Than your for your answer but it doesn't work.
panel 1 :
<row>
<panel>
<title>AWS Services Monitoring</title>
<table>
<search>
<!--done>
<set token="Services">$click.name$</set>
</done-->
<query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
|search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
|fillnull value="N/A"
|search $ResourceName$ $Services$ $Status$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="Status">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<drilldown>
<condition match="$row.Services$ != "s3-bucket"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&S3_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != "vpc"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != "ec2"">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&EC2_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link>
</condition>
</drilldown>
</table>
</panel>
</row>
panel 2:
<row>
<panel depends="$S3_details$">
<title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$VPC_details$">
<title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$EC2_details$">
<title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$SERVICES_details$">
<title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Vérifiez que le filtre correspond exactement au service sélectionné -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
</row>
But it does'nt work, when I select the vpc filter, I arrive at the S3_details view, instead of arriving at VPC_details when I select the s3-bucket filter, I go to VPC_details instead of S3_details when I select the ec2 filter, I end up on S3_details instead of EC2_details
... View more
12-06-2024
10:17 AM
Hello, I want to make a drilldown with those services : and I have to apply a drilldow for (s3-bucket / vpc / ec2) I've tried several things but nothing works <row> <panel> <title>AWS Services Monitoring</title> <table> <search> <!--done> <set token="Services">$click.name$</set> </done--> <query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*" | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") |search Services!=Other | lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name | table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime | dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check" |fillnull value="N/A" |search $ResourceName$ $Services$ $Status$</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="count">100</option> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">true</option> <format type="color" field="Status"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <drilldown> <condition match="$Services$ != "s3-bucket""> <set token="Services">s3-bucket</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&S3_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> <condition match="$Services$ != "vpc""> <set token="Services">vpc</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&VPC_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> <condition match="$Services$ != "ec2""> <set token="Services">ec2</set> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&AccountId=$row.AccountId$&Services=$row.Services$&EC2_details=true&earliest=$earliest$&latest=$latest$&Status=$row.Status$</link> </condition> </drilldown> </table> </panel> </row> The drilldown is supposed to ‘point’ to a second dashboard in the following way: </panel> <panel depends="$VPC_details$"> <title>VPC DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$EC2_details$"> <title>EC2 DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$SERVICES_details$"> <title>SERVICES DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Vérifiez que le filtre correspond exactement au service sélectionné --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> </row> When s3-bucket is selected, we point to the ‘S3_details’ panel, and so on The link target works fine, but it's the click value at the beginning with the service selection that doesn't work
... View more
Labels
- Labels:
-
stats
10-21-2024
08:21 AM
Hello,
I have a question about customising my time picker. I'd like to display two panels, one for 24 hours and one for 1 month. And I'd like panel 1 to be displayed when the teps selected is 24h, and the second panel to be displayed when the time picker is for the current month.
I tried this, but it doesn't work :
<form version="1.1" theme="light">
<label>dev_vwt_dashboards_uc47</label>
<init>
<set token="time_range">-24h@h</set>
<set token="date_connection">*</set>
<set token="time_connection">*</set>
<set token="IPAddress">*</set>
<set token="User">*</set>
<set token="AccessValidation">*</set>
</init>
<!--fieldset autoRun="false" submitButton="true">
<input type="time" token="field1" searchWhenChanged="true">
<label>Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset-->
<fieldset autoRun="false" submitButton="true">
<input type="dropdown" token="time_range" searchWhenChanged="true">
<label>Select Time Range</label>
<choice value="-24h@h">Last 24 hours</choice>
<!--choice value="@mon">Since Beginning of Month</choice-->
<default>Last 24 hours</default>
<!--change>
<condition value="-24h@h">
<set token="tokShowPanel1">true</set>
<unset token="tokShowPanel2"></unset>
</condition>
<condition value="@mon">
<unset token="tokShowPanel1"></unset>
<set token="tokShowPanel2">true</set>
</condition>
</change-->
</input>
</fieldset>
<row>
<panel>
<input type="text" token="date_connection" searchWhenChanged="true">
<label>date_connection</label>
<default>*</default>
<prefix>date_connection="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="time_connection" searchWhenChanged="true">
<label>time_connection</label>
<default>*</default>
<prefix>time_connection="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="IPAddress" searchWhenChanged="true">
<label>IPAddress</label>
<default>*</default>
<prefix>IPAddress="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="text" token="User" searchWhenChanged="true">
<label>User</label>
<default>*</default>
<prefix>User="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="AccessValidation" searchWhenChanged="true">
<label>AccessValidation</label>
<default>*</default>
<prefix>AccessValidation="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
<choice value="*">All</choice>
<choice value="failure">failure</choice>
<choice value="success">success</choice>
<choice value="denied">denied</choice>
</input>
</panel>
</row>
<row>
<panel id="AD_Users_Authentication_last_24_hours" depends="$tokShowPanel1$">
<title>AD Users Authentication</title>
<table>
<search>
<query>|loadjob savedsearch="anissa.bannak.ext@abc.com:search:dev_vwt_saved_search_uc47_AD_Authentication_Result" |rename UserAccountName as "User" |search $date_connection$ $time_connection$ $IPAddress$ $User$ $AccessValidation$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">100</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Last Connection Status">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
<format type="number" field="AuthenticationResult"></format>
<format type="color" field="AuthenticationResult">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access_Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="AccessValidation">
<colorPalette type="map">{"success":#118832,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="last_connection_status">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel id="AD_Users_Authentication_1_month" depends="$tokShowPanel2$">
<title>AD Users Authentication</title>
<table>
<search>
<query>|loadjob savedsearch="anissa.bannak.ext@abc.com:search:dev_vwt_saved_search_uc47_AD_Authentication_Result" |rename UserAccountName as "User" |search $date_connection$ $time_connection$ $IPAddress$ $User$ $AccessValidation$</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Last Connection Status">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
<format type="number" field="AuthenticationResult"></format>
<format type="color" field="AuthenticationResult">
<colorPalette type="map">{"failure":#D94E17,"success":#55C169}</colorPalette>
</format>
<format type="color" field="Access_Validation">
<colorPalette type="map">{"success":#55C169,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="AccessValidation">
<colorPalette type="map">{"success":#118832,"failure":#D41F1F}</colorPalette>
</format>
<format type="color" field="last_connection_status">
<colorPalette type="map">{"success":#55C169,"failure":#D94E17}</colorPalette>
</format>
</table>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
using Splunk Enterprise
07-09-2024
01:44 AM
No that's not it. I want my dropdown to be powered by a search but which will be defined in a js. Something like this?
... View more
07-08-2024
08:05 AM
Hello, I need your help for something. I want to get a dropdown via using a result from a search with using js. I want the dropdown to take the search result: index=_internal |stats count by source |table source Thank you so much
... View more
07-01-2024
07:10 AM
Ok, I understand but you don't know if an other way exists ? For example , modify the limits.conf in this way : or try to work with transforms.conf : What do you think ? Thank you so much
... View more
07-01-2024
06:06 AM
I'm not sure that I'm understand correctly. Can you explain me more please that what's you have in mind ? Thank you so much
... View more
07-01-2024
05:51 AM
1 Karma
Hello, I have a problem with the dropdown menu limit which displays a maximum of 1000 values.
I need to display a list of 22000 values and I don't know how to do it. Thank you so much
... View more
- Tags:
- search
Labels
- Labels:
-
Dashboard Studio
-
panel
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-02-2025
06:29 AM
|
