<form>
  <label>CIS - Index Based (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <!-- Global inputs shared by every panel that references $mytime$ or $myindex$. -->
  <fieldset submitButton="true" autoRun="true">
    <!-- $mytime$ is only consumed by the two charts in the second row and the
         "Sources and sourcetypes" table; the single-value panels in the first
         row and the "Hostnames"/"Data retention" tables use fixed windows. -->
    <input type="time" token="mytime">
      <label>Select a Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Choices are the indexes that had at least one event in the last 7 days
         (as seen by the viewing user's index permissions).
         NOTE(review): the token can still be set directly from the URL
         (form.myindex=...), so downstream searches should not assume the value
         is one of these choices; quote it with $myindex|s$ where it is spliced
         into SPL. -->
    <input type="dropdown" token="myindex">
      <label>Select your index</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| tstats count BY index</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <!-- Both default and initialValue point at the same index, so the
           dashboard has a usable selection on first load. -->
      <default>bai</default>
      <initialValue>bai</initialValue>
    </input>
  </fieldset>
  <row>
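    <panel>
      <title># Number of Sourcetypes</title>
      <!-- Distinct sourcetypes in the selected index over a fixed 24h slice
           that ended 30 days ago (-744h to -720h); $mytime$ is not used here.
           NOTE(review): the title does not mention that window; confirm it is
           intended rather than a copy of the "30 days ago" host panel. -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(sourcetype) as sourcetype WHERE index=$myindex|s$ BY index
| table sourcetype</query>
          <earliest>-744h</earliest>
          <latest>-720h</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>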
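    <panel>
      <title># Number of Sources</title>
      <!-- Distinct sources in the selected index over the same fixed 24h slice
           ending 30 days ago (-744h to -720h) as the sourcetype panel.
           NOTE(review): the title does not state the window; confirm intent. -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(source) as source WHERE index=$myindex|s$ BY index
| table source</query>
          <earliest>-744h</earliest>
          <latest>-720h</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>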
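    <panel>
      <title># Host reporting (last 24 hrs)</title>
      <!-- Distinct hosts with at least one event in the selected index from the
           top of the hour 24h ago until now. -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(host) WHERE index=$myindex|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>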
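    <panel>
      <title># Host reporting (24 hrs ago)</title>
      <!-- Distinct hosts in the selected index for the 24h slice from -48h to -24h.
           NOTE(review): this window is not snapped to the hour while the
           "last 24 hrs" panel starts at -24h@h, so the two can overlap by up to
           59 minutes; use -48h@h / -24h@h if the panels are meant to be disjoint. -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(host) WHERE index=$myindex|s$</query>
          <earliest>-48h</earliest>
          <latest>-24h</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>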
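    <panel>
      <title># Host reporting (7 days ago)</title>
      <!-- Distinct hosts in the selected index for the 24h slice that ended
           7 days ago (-192h to -168h). -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(host) WHERE index=$myindex|s$</query>
          <earliest>-192h</earliest>
          <latest>-168h</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>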
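    <panel>
      <title># Host reporting (30 days ago)</title>
      <!-- Distinct hosts in the selected index for the 24h slice that ended
           30 days ago (-744h to -720h). Compare with the "last 24 hrs" panel to
           spot hosts that have stopped reporting. -->
      <single>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats dc(host) WHERE index=$myindex|s$</query>
          <earliest>-744h</earliest>
          <latest>-720h</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <!-- rangeColors/rangeValues are retained but useColors is 0, so they
             presumably have no visible effect until colouring is enabled. -->
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[7,9,11]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>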
  </row>
  <row>
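    <panel>
      <title>Volume Change (Variation from Expected - Manually added) - for $myindex$ index</title>
      <!-- Per-minute event count for the selected index over $mytime$, with a
           predicted baseline (predict, algorithm=LL) and its 95% band.
           LowLimit/HighLimit widen that band by a further 10% on each side;
           the 0.9 / 1.1 factors are hand-tuned (see "Manually added" in the title). -->
      <chart>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search.
               This is a raw event search, not tstats, so it is the most expensive
               query on the dashboard for large indexes/time ranges. -->
          <query>index=$myindex|s$ | timechart span=1m count | predict count As Expected algorithm=LL upper95=high lower95=low | eval LowLimit=0.9*'low(Expected)' | eval HighLimit=1.1*'high(Expected)'</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>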
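    <panel>
      <title>Event reporting to Splunk for $myindex$ index By host - (limit of 20)</title>
      <!-- Event count over $mytime$ split by host, top 20 hosts, no "OTHER" series.
           NOTE(review): host !=*-20* silently drops every host whose name
           contains "-20"; the exclusion is not explained anywhere in the
           dashboard and the same filter is repeated in the "Hostnames" table.
           Confirm what it is meant to exclude and document or remove it. -->
      <chart>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>index=$myindex|s$ host !=*-20* | timechart count by host useother=f limit=20</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
        <!-- Clicking a series opens investigate_node for that host.
             $click.name2|u$ URL-encodes the host name so characters such as
             '&', '#' or spaces cannot break or alter the target query string. -->
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$click.name2|u$</link>
        </drilldown>
      </chart>
    </panel>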
  </row>
  <row>
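    <panel>
      <title>Hostnames reporting data to $myindex$ index</title>
      <!-- One row per host seen in the last 24h (from -24h@h) with its event
           count, last event time and minutes since that event, most stale first.
           NOTE(review): host !=*-20* drops every host containing "-20"; the
           exclusion is undocumented (same filter as the by-host chart). -->
      <table>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search.
               ps5 is minutes between now() and the host's latest event. -->
          <query>| tstats latest(_time) AS ps1 count AS ps2 WHERE host !=*-20* index=$myindex|s$ BY host | eval ps4=now() | eval ps5= round((ps4-ps1)/60,2) | convert ctime(ps4)  | convert ctime(ps1)  | table host ps2 ps1 ps4 ps5 | sort - ps5 | rename ps1 as "Latest Event Time", ps2 as "N# Of Events (Last 24 Hrs)", ps4 as "Current Time", ps5 as "No Data For (Minutes)"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <!-- Clicking any cell opens investigate_node for that row's host.
             $row.host|u$ URL-encodes the value so a host name containing
             '&', '#' or spaces cannot break or alter the target query string. -->
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$row.host|u$</link>
        </drilldown>
      </table>
    </panel>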
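    <panel>
      <title>Data retention for $myindex$ index</title>
      <!-- Retention metadata for the selected index, read from the
           avail_indexes.csv lookup (column "Index", capitalised, unlike the
           tstats "index" field elsewhere). The drilldown also reads a
           "sourcetype" column; presumably the lookup carries one row per
           index/sourcetype pair, verify against the lookup definition. -->
      <table>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search.
               inputlookup is not an event search, so earliest/latest presumably
               do not filter the rows; they are kept for consistency only. -->
          <query>|inputlookup avail_indexes.csv | search Index=$myindex|s$</query>
          <earliest>-45d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <format type="number" field="retention">
          <option name="precision">0</option>
          <option name="unit">Days</option>
        </format>
        <!-- Clicking a cell opens investigate_sourcetype for the row's index and
             sourcetype. Both values are URL-encoded with |u so lookup contents
             cannot break or alter the target query string. -->
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_sourcetype?form.myindex=$row.Index|u$&amp;form.mysourcetype=$row.sourcetype|u$</link>
        </drilldown>
      </table>
    </panel>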
  </row>
  <row>
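    <panel>
      <title>Sources and sourcetypes for $myindex$</title>
      <!-- For each source seen in the selected index over $mytime$, the set of
           sourcetypes and hosts it was ingested with. Only 5 rows per page
           (count=5); use the table paging to see the rest. -->
      <table>
        <search>
          <!-- $myindex|s$ quotes and escapes the token, so a value supplied via
               the URL (form.myindex=...) cannot append extra SPL to the search. -->
          <query>| tstats values(sourcetype) as sourcetype, values(host) as host WHERE index=$myindex|s$ BY source</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>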
  </row>
</form>