<form>
  <label>CIS - Overview (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <!-- Global time picker. Every panel whose <search> uses $mytime.earliest$/$mytime.latest$ is
       bounded by this range (default: last 60 minutes, snapped to the minute). Any
       "missing"/"down" conclusion drawn by those panels therefore only covers this window. -->
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="mytime">
      <label>Select a Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Volume (GB) Observed on license log</title>
      <!-- Ingest volume from the license master's usage log (type=Usage rows, bytes in field b),
           bucketed per 30 minutes. NOTE(review): a single-value viz fed by a timechart renders
           the most recent bucket (the sparkline carries the series), so the "Total of" label
           describes the last, possibly partial, 30m bucket rather than the whole selected range
           - confirm that is the intended reading. The colour bands flag both a drop below 3 GB
           (ingest stalled/log source lost) and a spike above 2500 GB (runaway source / license
           exhaustion); the thresholds are hard-coded and must track the licensed daily volume. -->
      <single>
        <search>
          <query>index=_internal source=*license_usage.log* type=Usage | eval GB=round(b/1024/1024/1024, 4) | timechart span=30m sum(GB) AS "Total Volume (GB) "</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="afterLabel">GB</option>
        <option name="beforeLabel">Total of</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x6db7c6","0x65a637","0x6db7c6","0xf7bc38","0xd93f3c"]</option>
        <option name="rangeValues">[3,10,1000,1250,2500]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">percent</option>
        <option name="trendInterval">-30m</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title># of Indexers observed (30m span)</title>
      <!-- Distinct hosts matching the indexer naming patterns (prd-ssplappi*, drs-ssplappi* -
           presumed to be the indexer tier, verify against the inventory) that wrote anything
           to _internal, per 30m bucket; the single value shows the latest bucket. A host only
           counts while it is still shipping its own logs, so a partially failed indexer that
           keeps logging is not detected here. The expected fleet size ("out of 95") and the
           colour thresholds are hard-coded and must be updated whenever indexers are added or
           decommissioned, otherwise the panel silently under-reports. -->
      <single>
        <search>
          <query>| tstats count where index=_internal (host=prd-ssplappi* OR host=drs-ssplappi*) by _time host|  timechart span=30m dc(host)</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x6db7c6","0x65a637"]</option>
        <option name="rangeValues">[60,78,88,92]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-30m</option>
        <option name="underLabel">out of 95</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
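    <panel>
      <title># of ES Search Heads observed</title>
      <!-- Distinct ES search heads (prd-ssplapph1..3, presumed from the naming convention) seen
           logging to _internal per 30m bucket; the single value shows the latest bucket.
           The host list and "out of 3" are hard-coded and must be kept in sync with the fleet. -->
      <single>
        <search>
          <!-- The host alternatives are parenthesised, matching the indexer panel, so they bind
               before the implicit AND with index=_internal (AND has higher precedence than OR in
               SPL). Without the parentheses only the first host pattern was restricted to
               _internal and the other two were evaluated across every index the viewer can
               read - a far wider tstats scan for the same answer. -->
          <query>| tstats count where index=_internal (host=prd-ssplapph1* OR host=prd-ssplapph2* OR host=prd-ssplapph3*) by _time host | timechart span=30m dc(host)</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[1,2]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-30m</option>
        <option name="underLabel">out of 3</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>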
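    <panel>
      <title># of Core Search Heads observed</title>
      <!-- Distinct core search heads (prd-ssplapph4..8 and drs-ssplapph4..7, presumed from the
           naming convention) seen logging to _internal per 30m bucket; the single value shows
           the latest bucket. The host list and "out of 9" are hard-coded and must be kept in
           sync with the fleet. -->
      <single>
        <search>
          <!-- Host alternatives are parenthesised, matching the indexer panel, so the whole
               group is ANDed with index=_internal (AND binds tighter than OR in SPL). Previously
               only the first pattern was scoped to _internal; the remaining eight were
               searched across every index the viewer can read. -->
          <query>| tstats count where index=_internal (host=prd-ssplapph4* OR host=prd-ssplapph5* OR host=prd-ssplapph6* OR host=prd-ssplapph7* OR host=prd-ssplapph8* OR host=drs-ssplapph4* OR host=drs-ssplapph5* OR host=drs-ssplapph6* OR host=drs-ssplapph7*) by _time host | timechart span=30m dc(host)</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0xf58f39","0xf7bc38","0x6db7c6","0x65a637"]</option>
        <option name="rangeValues">[1,2,4,7]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-30m</option>
        <option name="underLabel">out of 9</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>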
  </row>
  <row>
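    <panel>
      <title>Events coming into Splunk by index (for the time period selected above)</title>
      <!-- Event count per index over the selected range, from tstats (index-time metadata, no
           raw-event search). index=* matches only the indexes the viewing user is allowed to
           read and does not match underscore-prefixed internal indexes (_internal, _audit, ...);
           use index=* OR index=_* if those should appear. Clicking a column drills into the
           per-index dashboard with the index name carried in $row.index$. -->
      <chart>
        <search>
          <query>| tstats count WHERE index=* by index</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">1</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/index_based?form.myindex=$row.index$</link>
        </drilldown>
      </chart>
    </panel>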
  </row>
  <row>
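    <panel>
      <title>Active users</title>
      <!-- Accounts with any _audit activity in the selected range (every audited action counts,
           not only searches), most active first; the user name is passed to the
           investigate_user dashboard on click. System identities are excluded by field match
           (user="n/a", splunk-system-user) and scheduled-search activity by the raw-text term
           scheduler__nobody__search. -->
      <table>
        <search>
          <!-- "Last Time Active" is derived from max(_time) (numeric epoch) and then formatted.
               The previous max(timestamp) compared _audit's human-readable timestamp string,
               and a non-numeric max() is lexicographic, so the "latest" value was not
               reliably the most recent one. -->
          <query>index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "scheduler__nobody__search" | stats max(_time) as last_active count by user | eval "Last Time Active"=strftime(last_active, "%Y-%m-%d %H:%M:%S") | table user "Last Time Active" count | sort - count</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">/app/cisa_sh_moswos/investigate_user?form.my_user=$row.user$</link>
        </drilldown>
      </table>
    </panel>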
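    <panel>
      <title>Splunk Forwarders reporting status</title>
      <!-- Receiver-side view of forwarders: tcpin_connections metrics on the hosts matching
           *splapp* (minus the prd-/drs-ssplapph* search heads - presumed from the naming
           convention) are grouped per connecting forwarder (hostname/os/version/arch/sourceIp)
           and the age of its latest metric sample decides the status: UP (&lt;30 min), DOWN,
           or "Down for over an hour!" (&gt;60 min). Stalest forwarders are listed first.
           NOTE(review): the search is bounded by the time picker (default 60 min), so a
           forwarder silent for longer than the selected range is absent from the table
           altogether rather than shown as down, and the "over an hour" branch is only
           reachable at the window edge; for a true missing-forwarder view run this panel over
           a fixed longer range (e.g. -24h) or alert on it separately. -->
      <table>
        <search>
          <!-- Changes from the previous version: the != filters are written without a space so
               they are unambiguously field comparisons; the table is ordered on the numeric
               lastTalked epoch (the old "sort + since" ordered the %m-%d-%y display string
               lexically, which misorders rows across month/year boundaries); the unused
               strftime(age,...) of a duration was dropped. -->
          <query>index=_internal source=*metrics.log group=tcpin_connections hostname=*splapp* hostname!=prd-ssplapph* hostname!=drs-ssplapph*
| stats avg(tcp_KBps) as AVG_tcp_KBps sum(tcp_eps) as SUM_tcp_eps sum(tcp_Kprocessed) as SUM_kp sum(kb) as SUM_kb latest(_time) as lastTalked by hostname os version arch sourceIp
| eval age=now()-lastTalked
| eval status=if(age&gt;3600,"Down for over an hour!",if(age&lt;1800,"UP","DOWN"))
| eval since=strftime(lastTalked ,"%m-%d-%y @  %H:%M:%S")
| sort + lastTalked
| table hostname sourceIp status since AVG_tcp_KBps os version arch
| rename hostname as host, sourceIp as "IP Address", status as "System Status ", version as "Software Version", os as "Operating System", arch as "System Architecture", AVG_tcp_KBps as "AVG rate (KBps)"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">3</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <format type="number" field="AVG rate (KBps)">
          <option name="precision">1</option>
        </format>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$row.host$</link>
        </drilldown>
      </table>
    </panel>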
  </row>
  <row>
    <panel>
      <title>Daily Volume By Index (GB)  -   Over 30 days</title>
      <!-- Stacked daily ingest per index read from the cisa_30_days_lic.csv lookup. inputlookup
           does not filter by time, so the earliest/latest values here are informational only;
           the 30-day window is whatever the lookup's producer wrote into it. NOTE(review): the
           scheduled search that refreshes this lookup is not part of this dashboard - if it
           stops running the chart goes stale without any visible error. The drilldown carries
           the clicked series name ($click.name2$, expected to be the index) to the per-index
           dashboard. -->
      <chart>
        <search>
          <query>| inputlookup cisa_30_days_lic.csv</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="height">306</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/index_based?form.myindex=$click.name2$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
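    <panel>
      <title>Core Servers - CPU Usage</title>
      <!-- Per-host CPU from the introspection resource-usage feed, averaged into 5-minute
           buckets (up to 40 hosts, no "OTHER" series). The span unit is written as the
           documented minute modifier (5m); the previous "5M" is not a listed timescale.
           NOTE(review): splunk_resource_usage carries one sample per Splunk process, so
           avg(data.pct_cpu) by host is the mean across processes on that host, not host-level
           utilisation - one saturated process among many idle ones reads as low. Summing the
           per-process values within each sample interval before averaging would give a
           host-level figure; confirm the component/sampling layout before changing it.
           Clicking a series opens investigate_node for that host ($click.name2$). -->
      <chart>
        <search>
          <query>index=_introspection sourcetype=splunk_resource_usage | timechart span=5m avg(data.pct_cpu) by host limit=40 useother=f</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">left</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$click.name2$</link>
        </drilldown>
      </chart>
    </panel>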
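    <panel>
      <title>Core Systems Memory (% Used)</title>
      <!-- Per-host memory from the introspection resource-usage feed, averaged into 5-minute
           buckets (up to 40 hosts, no "OTHER" series). The span unit is written as the
           documented minute modifier (5m); the previous "5M" is not a listed timescale.
           NOTE(review): as with the CPU panel, data.pct_memory is a per-process sample, so the
           average is across Splunk processes on a host rather than host memory in use; sum the
           per-process values per sample interval first if a host-level figure is wanted, after
           confirming the component/sampling layout. Clicking a series opens investigate_node
           for that host ($click.name2$). -->
      <chart>
        <search>
          <query>index=_introspection sourcetype=splunk_resource_usage | timechart span=5m avg(data.pct_memory) by host limit=40 useother=f</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">left</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$click.name2$</link>
        </drilldown>
      </chart>
    </panel>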
  </row>
</form>