<form version="1.1" theme="light"> <label>Akamai WAF Dashboard</label> <search id="base_search"> <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$ </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <description></description> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="configid" searchWhenChanged="true"> <label>Security Configuration ID</label> <choice value="*">All</choice> <fieldForLabel>attackData.configId</fieldForLabel> <fieldForValue>attackData.configId</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf source=$source$ | stats count by attackData.configId</query> <earliest>-5m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="dropdown" token="source" searchWhenChanged="true"> <label>Service Name</label> <choice value="*">All</choice> <fieldForLabel>source</fieldForLabel> <fieldForValue>source</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query> <earliest>-5m@m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="time" token="time"> <label>Select Time Range</label> <default> <earliest>-5m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Top 10 Attack Rule IDs</title> <chart> <search base="base_search"> <query> | top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 Attack Rule Tags</title> <chart> <search base="base_search"> <query> |stats count by attackData.rules{}.tag |sort - count |head 10</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Rule Messages</title> <table> <search base="base_search"> <query>| stats count by attackData.rules{}.message |sort - count |head 10</query> </search> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="wrap">true</option> </table> </panel> <panel> <title>Rule Action by Count</title> <chart> <search base="base_search"> <query> | stats count by attackData.rules{}.action |sort - count</query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.chart.sliceCollapsingThreshold">0.05</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Rule IDs Trend (5 min)</title> <chart> <search base="base_search"> <query> | timechart count(attackData.rules{}.id) span=5min</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Status Code Trend</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.status</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 IP Addresses</title> <chart> <search base="base_search"> <query> | stats count by attackData.clientIP |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Top 10 HTTP Path Details</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.path |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>HTTP Method Count</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.method |sort - count </query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> </chart> </panel> </row> </form> ... View more

raw data ... View more

  Dashboard panel looks in this way. But when they click on any value (eg alert), below is the data coming -  But Ideally they want to see only alert related log but remaining 2 are also coming in log. ... View more

@isoutamo @PickleRick so everytime I push configuration bundle from CM to indexers, rolling restart will be happened everytime for indexers?  ... View more

@isoutamo @PickleRick @what could be the consequences for HEC data if indexers get rolling restarts everytime? Loss of data? Loss of token? Please explain ... View more

@PickleRick @two separate apps - one with general HEC input settings, another with a token definition for your particular input needs) with CM in an app which is pushed to indexers... So here I created two apps under etc/master-apps and in one enabled http and in other given token and other parameters. So once we push this to indexers.. HEC will be enabled right in indexers? Or do we need to edit each indexer etc/apps/http_input/local/inputs.conf and give [http] disabled = 0 in order to enable? Or already pushed app will do the similar work? ... View more

@PickleRick we already have HF configured in our environment. So how to do it? ... View more

Hi @PickleRick , thanks for the options. I think we are going with the 1st option. we are going to create AWS ELB for load balancing. But I am confused how to create HEC token on all indexers with the same token? My approach is this please correct me if I am wrong... Going to configure HEC on cluster manager first.. Then take those inputs.conf from etc/apps/http_input/local/ inputs.conf and paste it under etc/manager-apps/hec_input/local/inputs.conf and paste it here. But won't enable http in CM. (disabled = 1 for http) But http:inputname will be enabled (disabled = 0) will it still index HEC data in cluster manager (which should not do). Then push this configurations (app with inputs.conf) through configuration bundle to all my indexers so that each indexer will receive this inputs.conf. additionally should I need to go to each indexer and give [http] disabled = 0 to enable HEC in each indexer in order to receive data? Please confirm and correct me if I am wrong anywhere  ... View more

@marnall Where should I create HEC token through web interface? In cluster manager or deployment server? And do we need to copy inputs.conf which is generated initially to each of the indexers? And once we copy it do we need to remove the data input created initially because of we don't remove data will index to that component also right? Please confirm? ... View more

@gcusello this is working. and how to make this extraction at index time I mean while indexing this field should be extracted? Please guide me. ... View more

@kiran_panchavat always v is not guaranteed before fqdn as per user ... View more

Hi @gcusello , For some reason, the provided regex is not working. Can you please re check?     ... View more

This is want present in that app's server.conf [cachemanager] max_concurrent_uploads = 8 #eviction_policy = noevict ... View more

but still, remember that you have to cache the data somewhere. ---> cache the data means? Can you please brief on this... With 20TB/day searches over two-three days might prove to be difficult to handle locally. ---> Can't SmartStore help us here? Locally only hot bucket will be there right remaining days will be automatically rolled to S3 buckets and we can search from there no?  ... View more

@PickleRick You also need to take into account the fact that when you ingest that amount of data you have to upload it to your S3 tenant. Depending on your whole infrastructure that might prove to be difficult when you hit those peaks. ---> I am thinking S3 bucket storage is something unlimited because when I am checking MC it is showing Home path and Cold Path index storage is unlimited... Is it wrong assumption?      ... View more

@PickleRick yes I do understand your point I won't make decisions here but I want to gain knowledge from experts here because as I told I am still learning things....  So my understanding is however we store old data in S3 buckets once they roll from hot to warm... So I didn't understand why indexers are considering undersized (6) because however indexers not storing data here right at the end S3 bucket stores 90% of data (even if 20TB/day comes occasionally)? Are we looking in terms of CPU whether indexers can handle unusual 20TB of day at a time? What will be the consequences for that? And I believe index size default of 500 GB will not fill at all because Maxdatasize is set to 750 MB which means new data which is crossing 750 MB will roll over to warm buckets (which are there in S3 bucket)? Sorry if I am speaking wrong but that's my understanding.  ... View more

@gcusello @isoutamo @PickleRick @richgalloway  Update what I recently saw in my architecture: indexes.conf in Cluster Manager: [new_index] homePath = volume:primary/$_index_name/db coldPath = volume:primary/$_index_name/colddb thawedPath = $SPLUNK_DB/$_index_name/thaweddb volumes indexes.conf: [volume:primary] path = $SPLUNK_DB #maxVolumeDataSizeMB = 6000000 there is one more app which is pushing to indexers with indexes.conf: (not at all aware of this)[default] remotePath = volume:aws_s3_vol/$_index_name maxDataSize = 750 [volume:aws_s3_vol] storageType = remote path = s3://conn-splunk-prod-smartstore/ remote.s3.auth_region = eu-west-1 remote.s3.bucket_name = conn-splunk-prod-smartstore remote.s3.encryption = sse-kms remote.s3.kms.key_id = XXXX remote.s3.supports_versioning = false So I believe that we are using Splunk Smartstore to store our data... So in this case can we accommodation this project which receives 20TB of data per day occasionally? Please guide me ... View more

@PickleRick And will data be deleted in S3 if it reaches to any limit? I mean we didn't set frozentimeperiodinsecs so by default it is 6 years so the older data stays for 6 years in S3? ... View more

Thanks for this... So my understanding is my index size which is of 500GB by default will never fill at all because once it reaches to 750 MB (Maxdatasize) it will roll over to warm bucket which is in S3 bucket? Am I correct? ... View more