<form>
  <label>CIS - QA (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <!-- Shared form inputs. autoRun="true" runs the panel searches when the page loads;
       submitButton="true" adds a Submit button for re-running them after a change. -->
  <fieldset submitButton="true" autoRun="true">
    <!-- Time picker that populates $mytime.earliest$ / $mytime.latest$, which the
         panel searches in this dashboard reference as their time bounds. -->
    <input type="time" token="mytime">
      <label>Select your desired time range</label>
      <default>
        <!-- Default window: the last 12 hours, snapped to the start of the hour, up to now. -->
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Row 1: area chart of forwarder output queue size over time. -->
  <row>
    <panel>
      <title>FWD Queue Size</title>
      <chart>
        <search>
          <!-- Charts avg(current_size) in 5-minute buckets, one series per host, for
               _internal events containing "group=queue" whose name matches tcpout_*.
               useother=f suppresses the aggregated OTHER series and limit=72 caps the
               number of host series drawn.
               host=*splapp* is a leading-and-trailing wildcard match, so any host whose
               name contains "splapp" is included; presumably this is the site's naming
               convention for Splunk application hosts (TODO confirm).
               NOTE(review): a queue that stays non-zero typically means events are
               backing up before delivery, which delays anything downstream that relies
               on timely logs; confirm the threshold that should be treated as abnormal. -->
          <query>index=_internal host=*splapp* "group=queue" name=tcpout_*|timechart avg(current_size) span=5m by host useother=f limit=72</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <!-- Buckets with no data are drawn as gaps rather than as zero or a connected
             line, so a host that stops reporting shows up as a visible break. -->
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <!-- Row 2: search head app consistency (left) and per-host reporting delay (right). -->
  <row>
    <panel>
      <table>
        <title>Splunk SearchHead App Status</title>
        <search>
          <!-- Collects install_source_checksum for each local app from the servers in
               group dmc_searchheadclustergroup_WF_PROD, appends the checksum the servers
               in group dmc_group_shc_deployer report under /services/apps/deploy, and
               flags an app as "Out of Synchronization!" when more than one distinct
               checksum exists for the same app_name.
               Caveats visible in the query:
               * Rows without install_source_checksum are dropped before the comparison,
                 and an app that is missing from a member contributes no checksum, so
                 either case still reads as "Synchronized".
               * | rest returns current state; the time-range tokens below presumably do
                 not change its result (TODO confirm).
               * | rest is subject to the viewing user's capabilities, so a viewer without
                 access to the remote endpoints may see partial results (assumption;
                 verify against the roles this dashboard is shared with).
               NOTE(review): "sort - status" is a descending string sort, which appears to
               place "Synchronized" ahead of "Out of Synchronization!"; with count=10 the
               drifted apps may fall onto later pages. Confirm the intended order. -->
          <query>| rest /services/apps/local splunk_server_group=dmc_searchheadclustergroup_WF_PROD | search install_source_checksum=* | fields title, label, splunk_server, install_source_checksum | rename title as app_name, install_source_checksum as checksum   | append [ | rest /services/apps/deploy splunk_server_group=dmc_group_shc_deployer   | fields title, splunk_server, checksum | rename title as app_name] | stats values(checksum) as checksum, values(label) as label by app_name | eval status = if(mvcount(checksum) &gt; 1, "Out of Synchronization!", "Synchronized") | fields label status app_name | sort - status | rename label as App, status as "Status", app_name as "App Folder"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Heavy Forwarder delay - Status</title>
        <search>
          <!-- For each host matching *splapp*, takes the latest _internal event time (ps1)
               and the event count (ps2), then computes ps5 = minutes between now() and
               that latest event, rounded to two decimals. ps5 is calculated before the
               two convert ctime() calls because those turn ps4 and ps1 into strings.
               ps3 and ps6 are constant labels that are removed again by the final
               "fields - Node Index".
               Caveats visible in the query:
               * stats only emits a row for hosts that have at least one event inside the
                 selected time range, so a host that has been silent for the whole window
                 does not appear at all. This panel cannot be the only check for a
                 forwarder that has stopped sending.
               * "search ps5 > 0" keeps every host with any measurable delay; it is not a
                 threshold for an unhealthy delay. -->
          <query>index=_internal host=*splapp* | stats latest(_time) AS ps1 count AS ps2 BY host | eval ps3="Splunk" | eval ps6="_internal" | eval ps4=now() | eval ps5= round((ps4-ps1)/60,2) | convert ctime(ps4)  | convert ctime(ps1)  | table ps3 ps6 host ps2 ps1 ps4 ps5 | search ps5 &gt; 0 | sort - ps5 | rename ps1 as "Latest Event Time", ps2 as "N# Of Events ", ps3 as Node, ps4 as "Current Time", ps5 as "No Data For (Minutes)", ps6 as Index, host as "Hostname Reporting" | fields - Node Index</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <!-- The field name must match the rename target in the query exactly. -->
        <format type="number" field="No Data For (Minutes)">
          <option name="unit">Minute(s)</option>
        </format>
      </table>
    </panel>
  </row>
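  <!-- Row 3: most recent app deployment per app, receiving host and target location,
       filterable by receiving server name. -->
  <row>
    <panel>
      <title>Apps Pushed</title>
      <!-- Free-text filter. The prefix and suffix wrap whatever is entered in
           wildcards, so the value is treated as a substring of the host name. -->
      <input type="text" token="my_receiver" searchWhenChanged="true">
        <label>Provide a Server name to filter</label>
        <default>*</default>
        <prefix>*</prefix>
        <suffix>*</suffix>
        <initialValue>*</initialValue>
      </input>
      <table>
        <search>
          <!-- Finds DeployedApplication events from splunkd in _internal, keeps the
               newest timestamp per app / host / to combination, formats it, and then
               filters on the receiving host.
               The token is referenced with the |s filter so the entered text is wrapped
               in double quotes, with embedded quotes escaped, before it is substituted
               into the search. Without the filter the text is inserted verbatim and can
               be interpreted as additional search syntax instead of a host value.
               Wildcards inside the quoted value still match as wildcards. -->
          <query>index=_internal DeployedApplication sourcetype=splunkd app=* 
| stats max(_time) as when by app host to |convert ctime(when) | sort - when 
| search host=$my_receiver|s$
| rename app as "Pushed App", host as "Receiving Server", to as "App Location", when as "Time Last Received"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>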
  <!-- Row 4: raw splunkd error events for the selected time range. -->
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <!-- Matches events from the splunkd.log at this exact path that contain the
               term ERROR. Two limits follow from the query text:
               * the source path is hard-coded, so instances installed somewhere other
                 than /opt/splunk are not covered;
               * ERROR is a keyword match on the event text, not a filter on a parsed
                 severity field, so it presumably also returns lines that only mention
                 the word (TODO confirm whether a log_level filter is preferred). -->
          <query>index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" ERROR</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <!-- Empty field list: no extracted fields are shown beneath each event. -->
        <fields>[]</fields>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <!-- Each event is truncated to 5 lines in the list view. -->
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
  <!-- Row 5: data model acceleration summary status (untitled table). -->
  <row>
    <panel>
      <table>
        <search>
          <!-- Reads the tstats summaries from /services/admin/summarization on the local
               server only (splunk_server=local), derives the data model name by removing
               the "DM_<app>_" prefix from summary.id, and left-joins
               /services/data/models to add the acceleration cron schedule and digest.
               The summary.* and eai:acl.* prefixes are then stripped from field names.
               The rename to Datamodel_Acceleration.* followed by the rename back to *
               leaves the field names as they were; it looks like a leftover from a data
               model based version of this search (assumption; confirm before removing).
               Derived columns: size(MB) = size / 1048576 rounded to one decimal,
               retention(days) = retention / 86400, complete(%) = complete * 100 rounded
               to one decimal. "sort 100 + datamodel" limits the output to 100 rows.
               NOTE(review): if detections here depend on accelerated data models, a low
               complete(%) or a populated last_error means those searches may be working
               from incomplete summaries; confirm who is expected to act on this panel.
               | rest returns current state, so the time-range tokens below presumably
               have no effect on this search (TODO confirm). -->
          <query>| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 
| eval datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","") 
| join type=left datamodel 
    [| rest /services/data/models splunk_server=local count=0 
    | table title acceleration.cron_schedule eai:digest 
    | rename title as datamodel 
    | rename acceleration.cron_schedule AS cron] 
| table datamodel eai:acl.app summary.access_time summary.is_inprogress summary.size summary.latest_time summary.complete summary.buckets_size summary.buckets cron summary.last_error summary.time_range summary.id summary.mod_time eai:digest summary.earliest_time summary.last_sid summary.access_count 
| rename summary.id AS summary_id, summary.time_range AS retention, summary.earliest_time as earliest, summary.latest_time as latest, eai:digest as digest 
| rename summary.* AS *, eai:acl.* AS * 
| sort datamodel 
| rename access_count AS Datamodel_Acceleration.access_count access_time AS Datamodel_Acceleration.access_time app AS Datamodel_Acceleration.app buckets AS Datamodel_Acceleration.buckets buckets_size AS Datamodel_Acceleration.buckets_size cron AS Datamodel_Acceleration.cron complete AS Datamodel_Acceleration.complete datamodel AS Datamodel_Acceleration.datamodel digest AS Datamodel_Acceleration.digest earliest AS Datamodel_Acceleration.earliest is_inprogress AS Datamodel_Acceleration.is_inprogress last_error AS Datamodel_Acceleration.last_error last_sid AS Datamodel_Acceleration.last_sid latest AS Datamodel_Acceleration.latest mod_time AS Datamodel_Acceleration.mod_time retention AS Datamodel_Acceleration.retention size AS Datamodel_Acceleration.size summary_id AS Datamodel_Acceleration.summary_id 
| rename "Datamodel_Acceleration.*" as * 
| eval size(MB)=round(size/1048576,1) 
| eval retention(days)=retention/86400 
| eval complete(%)=round(complete*100,1) 
| sort 100 + datamodel 
| fields datamodel,app,cron,retention(days),earliest,latest,is_inprogress,complete(%),size(MB),last_error</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <!-- The field attributes below must match the eval field names in the query
             exactly, including the parentheses. -->
        <format type="number" field="retention(days)">
          <option name="precision">0</option>
          <option name="unit">Days</option>
        </format>
        <format type="number" field="size(MB)">
          <option name="unit">MB</option>
        </format>
        <format type="number" field="complete(%)">
          <option name="unit">%</option>
        </format>
      </table>
    </panel>
  </row>
</form>