<form theme="dark">
  <label>Cyber Fusion Center - Data Source Monitoring</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <fieldset submitButton="false" autoRun="true">
    <!-- Shared time picker. Its mytime token supplies earliest/latest for every
         single-value tile below; the detail charts and tables use a fixed
         -24h@h to now window and do not read this input. There is no submit
         button: searches re-run as soon as the selection changes. -->
    <input type="time" token="mytime" searchWhenChanged="true">
      <label>Select a Time Range</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Domain Controllers</title>
      <!-- Tile: hourly count of distinct hosts that wrote to the wineventlog* or
           windows_snare indexes AND appear in win_srvrs_4768_4769.csv (the
           subsearch keeps only tstats rows whose host is in that lookup).
           NOTE(review): the lookup name suggests servers that log event IDs
           4768/4769; confirm it is the authoritative domain controller list.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour (3600 minus minutes-past-the-hour times 60),
           presumably so the newest hourly bucket lines up with "now"; confirm.
           fillnull turns an hour with no reporting hosts into 0, so a silent
           source shows as a number in the lowest colour band instead of a gap. -->
      <single>
        <search>
          <query>| tstats count WHERE (index=wineventlog*) OR (index=windows_snare) BY host _time 
| search 
    [| inputlookup win_srvrs_4768_4769.csv | fields host] 
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) 
| timechart span=60m@m dc(host) as DeviceCount 
| fillnull DeviceCount value=0</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 51, 77 and 103. The expected host count
             (103) is hard-coded here and again in underLabel; both must be
             edited by hand when the inventory changes. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[51,77,103]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (103 Expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets winindex (a ready-made index expression),
             clears myfilters, and unsets myindex and chptindex so that only the
             panels gated on winindex are displayed. -->
        <drilldown>
          <set token="winindex">index=wineventlog* OR index=windows_snare</set>
          <unset token="myindex"></unset>
          <unset token="chptindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">Domain Controllers</set>
        </drilldown>
      </single>
    </panel>
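    <panel>
      <title>Forcepoint Proxy</title>
      <!-- Tile: distinct hosts per hour writing to index=websense.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour, presumably to line the newest bucket up with
           "now"; confirm.
           fillnull must name the field that timechart actually emits. The
           aggregate is renamed to DeviceCount, so filling "max(DeviceCount)"
           would leave empty hours null and a silent source would render as a
           gap rather than as 0 in the lowest colour band. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=websense BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull value=0 DeviceCount</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 9, 14 and 19.
             NOTE(review): underLabel states 20 expected hosts while the top
             threshold is 19; confirm which figure is intended. Both are
             hard-coded and must be kept in step by hand. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[9,14,19]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (20 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=websense</set>
          <set token="myfilters"></set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="mylabel">Forcepoint Proxy</set>
        </drilldown>
      </single>
    </panel>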
    <panel>
      <title>CheckPoint Firewall</title>
      <!-- Tile: built from lookups, not from a live index. Rows of
           cfc_firewall_feed.csv are tagged isnew=YES and outer-joined on dvc
           with the de-duplicated cfc_hosts_to_monitor.csv rows (tagged
           isnew=NO); only rows ending up as OK or NO are kept, then distinct
           dvc values are counted per hour.
           NOTE(review): which isnew value a matched row carries after the join
           depends on join's field-overwrite behaviour; confirm that devices
           present only in the feed are the ones being dropped.
           NOTE(review): the count is only as fresh as cfc_firewall_feed.csv and
           relies on that lookup carrying a _time column; how and how often the
           lookup is refreshed is not visible here. -->
      <single>
        <search>
          <query>| inputlookup cfc_firewall_feed.csv | eval isnew="YES"
| join type=outer dvc [ | inputlookup  cfc_hosts_to_monitor.csv | stats values(*) as * by dvc | eval isnew="NO"]
| eval isnew=if(mvcount(isnew) =1,isnew,"OK")
| search (isnew="OK") OR (isnew="NO") 
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=1h dc(dvc) as DeviceCount
| fillnull DeviceCount value=0</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 97, 146 and 200.
             NOTE(review): underLabel states 195 expected devices while the top
             threshold is 200; confirm which figure is intended. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[97,146,200]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Reporting  (195 Expected DVC)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets chptindex to a bare index name (the detail
             chart prepends index= itself), clears myfilters, and unsets myindex
             and winindex so that only the CheckPoint panels are displayed. -->
        <drilldown>
          <set token="chptindex">checkpoint</set>
          <unset token="myindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">CheckPoint Firewall</set>
        </drilldown>
      </single>
    </panel>
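    <panel>
      <title>Cisco ASA</title>
      <!-- Tile: distinct hosts per hour writing to index=cisco_asa.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour, presumably to line the newest bucket up with
           "now"; confirm.
           fillnull must name the field that timechart actually emits. The
           aggregate is renamed to DeviceCount, so filling "max(DeviceCount)"
           would leave empty hours null and a silent source would render as a
           gap rather than as 0 in the lowest colour band.
           NOTE(review): the drilldown applies host!="*fpwr*" to the detail
           panels, but this tile counts every host in the index, so the tile
           and the detail table can disagree; confirm which scope matches the
           30 expected hosts. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=cisco_asa BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull value=0 DeviceCount</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 15, 22 and 30. The expected host count
             (30) is hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[15,22,30]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (30 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex and a host exclusion in myfilters,
             and unsets chptindex and winindex so that only the generic detail
             panels (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=cisco_asa</set>
          <set token="myfilters">host!="*fpwr*"</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="mylabel">Cisco ASA</set>
        </drilldown>
      </single>
    </panel>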
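    <panel>
      <title>Citrix NetScaler</title>
      <!-- Tile: distinct hosts per hour writing to index=citrix_netscaler.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour, presumably to line the newest bucket up with
           "now"; confirm.
           fillnull must name the field that timechart actually emits. The
           aggregate is renamed to DeviceCount, so filling "max(DeviceCount)"
           would leave empty hours null and a silent source would render as a
           gap rather than as 0 in the lowest colour band. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=citrix_netscaler BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull value=0 DeviceCount</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 13, 20 and 27. The expected host count
             (27) is hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[13,20,27]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (27 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=citrix_netscaler</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">Citrix NetScaler</set>
        </drilldown>
      </single>
    </panel>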
  </row>
  <row>
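    <panel>
      <title>F5 DNS</title>
      <!-- Tile: distinct hosts per hour writing to index=f5_dns.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour, presumably to line the newest bucket up with
           "now"; confirm.
           fillnull must name the field that timechart actually emits. The
           aggregate is renamed to DeviceCount, so filling "max(DeviceCount)"
           would leave empty hours null and a silent source would render as a
           gap rather than as 0 in the lowest colour band. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=f5_dns BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull value=0 DeviceCount</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 4, 6 and 9. The expected host count (9)
             is hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0xf7bc38","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[4,6,9]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (9 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=f5_dns</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">F5 DNS</set>
        </drilldown>
      </single>
    </panel>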
    <panel>
      <title>Symantec Endpoint Protection</title>
      <!-- Tile: distinct hosts per hour writing to index=sep.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour (3600 minus minutes-past-the-hour times 60),
           presumably to line the newest bucket up with "now"; confirm.
           fillnull turns an hour with no reporting hosts into 0, so a silent
           source shows as a number in the lowest colour band instead of a gap. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=sep BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m  max(DeviceCount) as DeviceCount
| fillnull DeviceCount value=0</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 0, 1 and 2. The expected host count (2)
             is hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[0,1,2]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (2 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=sep</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">Symantec Endpoint Protection</set>
        </drilldown>
      </single>
    </panel>
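    <panel>
      <title>Sourcefire</title>
      <!-- Tile: distinct hosts per hour writing sourcetype
           cisco:estreamer:data to index=estreamer.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour, presumably to line the newest bucket up with
           "now"; confirm.
           fillnull must name the field that timechart actually emits. The
           aggregate is renamed to DeviceCount, so filling "max(DeviceCount)"
           would leave empty hours null and a silent source would render as a
           gap rather than as 0 in the lowest colour band. With a single
           expected host, that 0 is the only outage signal this tile has. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=estreamer sourcetype="cisco:estreamer:data" BY _time
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull value=0 DeviceCount</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Three colour bands split at 0 and 1. The expected host count (1) is
             hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[0,1]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (1 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex plus the same sourcetype restriction
             in myfilters, and unsets chptindex and winindex so that only the
             generic detail panels (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=estreamer</set>
          <set token="myfilters">sourcetype="cisco:estreamer:data"</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="mylabel">Sourcefire</set>
        </drilldown>
      </single>
    </panel>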
    <panel>
      <title>Tanium</title>
      <!-- Tile: distinct hosts per hour writing to index=tanium.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour (3600 minus minutes-past-the-hour times 60),
           presumably to line the newest bucket up with "now"; confirm.
           Unlike the sibling tiles, timechart does not rename its aggregate
           here, so the output column is literally "max(DeviceCount)" and the
           fillnull that follows targets that same name. Keep the two in step
           if a rename is ever added. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=tanium BY _time 
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) 
| fillnull max(DeviceCount) value=0</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Four colour bands split at 0, 1 and 2. The expected host count (2)
             is hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0xf8be34","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[0,1,2]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (2 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=tanium</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">Tanium</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>FireEye</title>
      <!-- Tile: distinct hosts per hour writing to index=fireeye.
           The eval moves every bucket forward by the seconds left until the top
           of the current hour (3600 minus minutes-past-the-hour times 60),
           presumably to line the newest bucket up with "now"; confirm.
           fillnull turns an hour with no reporting hosts into 0, so a silent
           source shows as a number in the lowest colour band instead of a gap.
           With a single expected host, that 0 is the only outage signal this
           tile has. -->
      <single>
        <search>
          <query>| tstats dc(host) as DeviceCount WHERE index=fireeye by _time 
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60)
| timechart span=60m@m max(DeviceCount) as DeviceCount
| fillnull DeviceCount value=0</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <!-- Three colour bands split at 0 and 1. The expected host count (1) is
             hard-coded here and again in underLabel. -->
        <option name="rangeColors">["0xd93f3c","0x53a051","0x006d9c"]</option>
        <option name="rangeValues">[0,1]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Hosts Reporting  (1 expected)</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <!-- Clicking the tile sets myindex, clears myfilters, and unsets
             chptindex and winindex so that only the generic detail panels
             (gated on myindex) are displayed. -->
        <drilldown>
          <set token="myindex">index=fireeye</set>
          <unset token="chptindex"></unset>
          <unset token="winindex"></unset>
          <set token="myfilters"></set>
          <set token="mylabel">FireEye</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel depends="$myindex$">
      <title>$mylabel$ - Events by Host - Last 24 hours</title>
      <!-- Detail chart for the generic tiles; rendered only while the myindex
           token is set. Plots per-bucket event counts for up to 20 hosts over a
           fixed 24 hour window (the dashboard time picker is not used here).
           The subsearch keeps only hosts whose cfc_crit_data_srcs.csv row
           matches the myindex expression; presumably the lookup has index and
           host columns, confirm.
           NOTE(review): myindex and myfilters are spliced into the SPL as raw
           text, not as quoted values. The drilldowns in this file only ever set
           them to fixed strings, but if either token can be supplied from
           outside those drilldowns (for example through URL parameters; confirm
           for the deployed Splunk version) the supplied text becomes part of
           the search. Keep these tokens limited to the fixed drilldown values. -->
      <chart>
        <search>
          <query>| tstats count AS EventCount WHERE $myindex$ $myfilters$ BY _time host
| search [| inputlookup cfc_crit_data_srcs.csv |search $myindex$ | table host]
| timechart max(EventCount) by host useother=f limit=20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <!-- Hours with no events are drawn as gaps in the line, not as zero. -->
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$myindex$">
      <title>Hosts reporting data to $mylabel$ index</title>
      <!-- Each choice is a complete search expression on isnew that the table
           query appends verbatim via the hostfilter token. The same token name
           is declared by the host-filter inputs of the winindex and chptindex
           panels as well; only one of the three is visible at a time. -->
      <input type="dropdown" token="hostfilter" searchWhenChanged="true">
        <label>Host Filter</label>
        <choice value="(isnew=&quot;*&quot;)">All Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;) OR (isnew=&quot;NO&quot;)">Expected Hosts</choice>
        <choice value="(isnew=&quot;YES&quot;)">New Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;)">Reporting Hosts</choice>
        <choice value="(isnew=&quot;NO&quot;)">Missing Hosts</choice>
        <default>(isnew="*")</default>
        <initialValue>(isnew="*")</initialValue>
      </input>
      <!-- Expected-versus-observed host table over a fixed 24 hour window.
           Rows from cfc_crit_data_srcs.csv (the expected list) are tagged
           isnew=NO with an event count of 0; rows from tstats (hosts actually
           seen) are tagged isnew=YES and carry ps1 = latest event time,
           ps2 = event count, ps4 = now, ps5 = minutes since the latest event.
           After stats by host, a host with both tags becomes OK (expected and
           reporting), NO means expected but silent, YES means reporting but
           not on the expected list. Hosts are lower-cased only when myindex is
           index=tanium or index=sep.
           no_data_4 ends up holding minutes (numeric) for OK hosts and the
           strings "> 24 hrs" or "NEW" for the others.
           NOTE(review): sort and the colour expression therefore see a mix of
           numbers and strings in one column; confirm the ordering and the
           colouring of the string rows behave as intended.
           NOTE(review): myindex, myfilters and hostfilter are spliced into the
           SPL as raw text. They are set only to fixed strings in this file; if
           any of them can be supplied from outside (for example URL
           parameters; confirm for the deployed Splunk version) the supplied
           text becomes part of the search. -->
      <table>
        <search>
          <query> | inputlookup cfc_crit_data_srcs.csv 
                  | search $myindex$ $myfilters$
                  | eval isnew="NO" 
                  | eval ps4=now() 
                  | eval ps2=0 
                  | append 
                      [| tstats latest(_time) AS ps1 count AS ps2 WHERE $myindex$ $myfilters$ BY host index sourcetype 
                      | eval host=if(match("$myindex$","index=tanium"),lower(host),if(match("$myindex$","index=sep"),lower(host),(host))) 
                      | eval ps4=now() 
                      | eval ps5= round((ps4-ps1)/60,2) 
                      | convert ctime(ps1) 
                      | table host index sourcetype ps2 ps1 ps4 ps5 
                      | sort - ps5 
                      | eval isnew="YES" ] 
                  | stats sum(ps2) as event_count, min(ps4) as current_time, min(ps1) as latest_event_time, min(ps5) as no_data_4, values(isnew) as isnew by host 
                  | eval isnew=if(mvcount(isnew)=1,isnew,"OK") 
                  | eval no_data_4=if(isnew="NO","&gt; 24 hrs",no_data_4) 
                  | eval no_data_4=if(isnew="YES","NEW",no_data_4) 
                  | convert ctime(current_time) 
                  | sort - no_data_4 
                  | search $hostfilter$
                  | fields - isnew 
                  | rename host AS "Host", event_count AS "Event Count (Last 24 Hrs)", current_time AS "Current Time", latest_event_time AS "Last Event Time", no_data_4 AS "Time since last event(in Minutes)"
                </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">30</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <!-- Cell colour: green under 20 minutes, yellow from 20 to under 30,
             red at 30 or more and for "> 24 hrs", blue for "NEW". The field
             attribute must match the renamed column header exactly. -->
        <format type="color" field="Time since last event(in Minutes)">
          <colorPalette type="expression">if(value &gt;= 0 AND value &lt; 20, "#53A051", if(value &gt;= 20 AND value &lt; 30, "#F8BE34", if(value &gt;= 30, "#D93F3C", if(value == "&gt; 24 hrs", "#D93F3C", if(value == "NEW", "#006d9C", "")))))</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$winindex$">
      <title>$mylabel$ - Events by Host - Last 24 hours</title>
      <!-- Detail chart for the Domain Controllers tile; rendered only while the
           winindex token is set. Plots per-bucket event counts for up to 20
           hosts over a fixed 24 hour window. The subsearch keeps only hosts
           whose cfc_crit_data_srcs.csv row matches the winindex expression;
           presumably the lookup has index and host columns, confirm.
           NOTE(review): the tile restricts hosts with win_srvrs_4768_4769.csv
           while this chart restricts them with cfc_crit_data_srcs.csv; confirm
           both lookups describe the same host set.
           NOTE(review): winindex and myfilters are spliced into the SPL as raw
           text. They are set only to fixed strings in this file; if either can
           be supplied from outside (for example URL parameters; confirm for
           the deployed Splunk version) the supplied text becomes part of the
           search. -->
      <chart>
        <search>
          <query>| tstats count AS EventCount WHERE $winindex$ $myfilters$ BY _time host
| search [| inputlookup cfc_crit_data_srcs.csv |search $winindex$ | table host]
| timechart max(EventCount) by host useother=f limit=20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <!-- Hours with no events are drawn as gaps in the line, not as zero. -->
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$winindex$">
      <title>Hosts reporting data to $mylabel$ index</title>
      <!-- Each choice is a complete search expression on isnew that the table
           query appends verbatim via the hostfilter token. The same token name
           is declared by the host-filter inputs of the myindex and chptindex
           panels as well; only one of the three is visible at a time. -->
      <input type="dropdown" token="hostfilter" searchWhenChanged="true">
        <label>Host Filter</label>
        <choice value="(isnew=&quot;*&quot;)">All Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;) OR (isnew=&quot;NO&quot;)">Expected Hosts</choice>
        <choice value="(isnew=&quot;YES&quot;)">New Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;)">Reporting Hosts</choice>
        <choice value="(isnew=&quot;NO&quot;)">Missing Hosts</choice>
        <default>(isnew="*")</default>
        <initialValue>(isnew="*")</initialValue>
      </input>
      <!-- Expected-versus-observed host table for the Windows indexes over a
           fixed 24 hour window. Rows from cfc_crit_data_srcs.csv (the expected
           list) are tagged isnew=NO with an event count of 0; rows from tstats
           are limited to hosts listed in win_srvrs_4768_4769.csv, tagged
           isnew=YES, and carry ps1 = latest event time, ps2 = event count,
           ps4 = now, ps5 = minutes since the latest event. After stats by host,
           a host with both tags becomes OK, NO means expected but silent, YES
           means reporting but not on the expected list.
           no_data_4 ends up holding minutes (numeric) for OK hosts and the
           strings "> 24 hrs" or "NEW" for the others.
           NOTE(review): sort and the colour expression therefore see a mix of
           numbers and strings in one column; confirm the ordering and the
           colouring of the string rows behave as intended.
           NOTE(review): winindex, myfilters and hostfilter are spliced into the
           SPL as raw text. They are set only to fixed strings in this file; if
           any of them can be supplied from outside (for example URL
           parameters; confirm for the deployed Splunk version) the supplied
           text becomes part of the search. -->
      <table>
        <search>
          <query> | inputlookup cfc_crit_data_srcs.csv 
                  | search $winindex$ $myfilters$
                  | eval isnew="NO" 
                  | eval ps4=now() 
                  | eval ps2=0 
                  | append 
                      [| tstats latest(_time) AS ps1 count AS ps2 WHERE $winindex$ $myfilters$ BY host index sourcetype 
                       | search 
                          [| inputlookup win_srvrs_4768_4769.csv | fields host] 
                      | eval ps4=now() 
                      | eval ps5= round((ps4-ps1)/60,2) 
                      | convert ctime(ps1) 
                      | table host index sourcetype ps2 ps1 ps4 ps5 
                      | sort - ps5 
                      | eval isnew="YES" ] 
                  | stats sum(ps2) as event_count, min(ps4) as current_time, min(ps1) as latest_event_time, min(ps5) as no_data_4, values(isnew) as isnew by host 
                  | eval isnew=if(mvcount(isnew)=1,isnew,"OK") 
                  | eval no_data_4=if(isnew="NO","&gt; 24 hrs",no_data_4) 
                  | eval no_data_4=if(isnew="YES","NEW",no_data_4) 
                  | convert ctime(current_time) 
                  | sort - no_data_4 
                  | search $hostfilter$
                  | fields - isnew 
                  | rename host AS "Host", event_count AS "Event Count (Last 24 Hrs)", current_time AS "Current Time", latest_event_time AS "Last Event Time", no_data_4 AS "Time since last event(in Minutes)"
                </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">30</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <!-- Cell colour: green under 20 minutes, yellow from 20 to under 30,
             red at 30 or more and for "> 24 hrs", blue for "NEW". The field
             attribute must match the renamed column header exactly. -->
        <format type="color" field="Time since last event(in Minutes)">
          <colorPalette type="expression">if(value &gt;= 0 AND value &lt; 20, "#53A051", if(value &gt;= 20 AND value &lt; 30, "#F8BE34", if(value &gt;= 30, "#D93F3C", if(value == "&gt; 24 hrs", "#D93F3C", if(value == "NEW", "#006d9C", "")))))</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$chptindex$">
      <title>Event reporting to Splunk for $mylabel$ index By host - (limit of 20) Last 24 hours -- by CMA</title>
      <!-- Detail chart for the CheckPoint tile; rendered only while the
           chptindex token is set. Plots per-bucket event counts for up to 20
           hosts over a fixed 24 hour window.
           NOTE(review): the title says "by CMA" while the query splits by
           host; confirm that host carries the CMA name in this index.
           NOTE(review): chptindex holds a bare index name and is placed after
           index= as raw text. Applying the s token filter (chptindex|s between
           the dollar signs) would quote the value so it stays a single term if
           the token is ever supplied from outside the drilldown. -->
      <chart>
        <search>
          <query>| tstats count AS EventCount WHERE index=$chptindex$ BY _time host
                 | timechart max(EventCount) by host useother=f limit=20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <!-- Hours with no events are drawn as gaps in the line, not as zero. -->
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$chptindex$">
      <title>Hosts reporting data to $mylabel$ index -- by Device</title>
      <!-- Each choice is a complete search expression on isnew that the table
           query appends verbatim via the hostfilter token. The same token name
           is declared by the host-filter inputs of the myindex and winindex
           panels as well; only one of the three is visible at a time. -->
      <input type="dropdown" token="hostfilter" searchWhenChanged="true">
        <label>Host Filter</label>
        <choice value="(isnew=&quot;*&quot;)">All Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;) OR (isnew=&quot;NO&quot;)">Expected Hosts</choice>
        <choice value="(isnew=&quot;YES&quot;)">New Hosts</choice>
        <choice value="(isnew=&quot;OK&quot;)">Reporting Hosts</choice>
        <choice value="(isnew=&quot;NO&quot;)">Missing Hosts</choice>
        <default>(isnew="*")</default>
        <initialValue>(isnew="*")</initialValue>
      </input>
      <!-- Expected-versus-observed firewall device table, built entirely from
           lookups. Rows of cfc_hosts_to_monitor.csv (grouped by dvc and
           policy_name) are tagged isnew=NO; rows of cfc_firewall_feed_4h.csv
           are tagged isnew=YES; after stats by dvc and policy_name a pair with
           both tags becomes OK, NO means expected but absent from the feed,
           YES means in the feed but not on the expected list.
           mgmt, event_count, current_time, latest_event_time and the numeric
           no_data_4 are not computed in this query, so they presumably come
           from columns of the lookups; confirm.
           NOTE(review): this table reads cfc_firewall_feed_4h.csv while the
           CheckPoint tile reads cfc_firewall_feed.csv; confirm the two feeds
           are meant to differ.
           NOTE(review): the query contains no indexed search, so the result is
           only as current as the lookups; how they are refreshed is not
           visible here.
           NOTE(review): hostfilter is spliced into the SPL as raw text; it is
           set only from the fixed dropdown choices in this file. -->
      <table>
        <search>
          <query> 
                  | inputlookup cfc_hosts_to_monitor.csv 
                  | stats values(*) as * by dvc policy_name 
                  | eval isnew="NO" 
                  | append 
                      [| inputlookup cfc_firewall_feed_4h.csv 
                      | eval isnew="YES"] 
                  | stats values(*) AS * count by dvc policy_name 
                  | eval isnew=if(mvcount(isnew)=1,isnew,"OK") 
                  | eval no_data_4=if(isnew="NO","&gt; 24 hrs",no_data_4) 
                  | eval no_data_4=if(isnew="YES","NEW",no_data_4) 
                  | sort - no_data_4 
                  | search $hostfilter$
                  | table policy_name dvc mgmt event_count current_time latest_event_time no_data_4  
                  | rename policy_name AS "Firewall Policy" dvc AS "Device" mgmt AS "CMA" event_count AS "Event Count (Last 24 Hours)" current_time AS "Current Time" latest_event_time AS "Latest Event Time" no_data_4 AS "Time since last event (in Minutes)"
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">30</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <!-- Cell colour: green under 20 minutes, yellow from 20 to under 30,
             red at 30 or more and for "> 24 hrs", blue for "NEW". The field
             attribute must match the renamed column header exactly (this one
             has a space before the parenthesis, unlike the other two tables). -->
        <format type="color" field="Time since last event (in Minutes)">
          <colorPalette type="expression">if(value &gt;= 0 AND value &lt; 20, "#53A051", if(value &gt;= 20 AND value &lt; 30, "#F8BE34", if(value &gt;= 30, "#D93F3C", if(value == "&gt; 24 hrs", "#D93F3C", if(value == "NEW", "#006d9C", "")))))</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>