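<form>
  <!--
    Forwarder activity dashboard (Splunk Simple XML form).
    Combines live forwarder connection metrics from index=_internal with the
    sta_forwarder_inventory.csv lookup and marks each forwarder as "active"
    or "missing". Clicking a cell opens the investigate_node view for that
    row's hostname.
  -->
  <label>CIS - Forwarders Activities (v 1.0)</label>
  <fieldset submitButton="false">
    <!-- Time range for the search; defaults to the last 15 minutes. -->
    <input type="time" token="my_time">
      <label>Select a time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!--
      Forwarder type filter, matched against forwarder_type in the search.
      Form tokens can also be populated from form.* URL parameters (the
      drilldown below passes form.mynode that way), so the value is not
      guaranteed to be one of the choices listed here. The query therefore
      consumes it through the |s token filter.
    -->
    <input type="dropdown" token="my_fwd">
      <label>Select Forwarder type</label>
      <choice value="*">All Forwarders</choice>
      <choice value="full">Heavy Forwarders</choice>
      <choice value="uf">Universal Forwarders</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <!-- OS filter, matched against os in the search; same handling as my_fwd. -->
    <input type="dropdown" token="my_os">
      <label>Select an OS Type</label>
      <choice value="*">All OS types</choice>
      <choice value="Windows">Windows</choice>
      <choice value="Linux">Linux</choice>
      <choice value="AIX">AIX</choice>
      <choice value="SunOS">SunOS</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!--
          Search pipeline:
          1. Aggregate cooked / cookedSSL tcpin_connections events per guid
             and hostname for the selected time range.
          2. Append the inventory lookup and merge both sets per guid and
             hostname, so forwarders with no events in the window still
             appear (with null sum_kb).
          3. addinfo exposes info_max_time, the end of the search window.
          4. Filter on the two dropdown tokens. The |s filter wraps each
             value in quotes and escapes embedded quotes, so the token value
             stays a single quoted term in the search string.
          5. status is "missing" when no KB was received in the window or
             the last connection is older than 900 seconds before
             info_max_time; otherwise "active".
          NOTE(review): max(version) in the merge step compares version
          strings lexicographically when they are not numeric (for example
          "8.2.9" sorts above "8.2.10"). Confirm this is acceptable where
          the version column is used to judge patch level.
          NOTE(review): the 900 second threshold is hard-coded and is not
          tied to the time picker; confirm it matches the intended
          reporting interval.
        -->
        <search>
          <query>index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*  | stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, avg(tcp_KBps) as new_avg_tcp_kbps, avg(tcp_eps) as new_avg_tcp_eps by guid, hostname 
| inputlookup append=true sta_forwarder_inventory.csv 
| stats values(forwarder_type) as forwarder_type, max(version) as version, values(arch) as arch, values(os) as os, max(last_connected) as last_connected, values(new_sum_kb) as sum_kb, values(new_avg_tcp_kbps) as avg_tcp_kbps, values(new_avg_tcp_eps) as avg_tcp_eps by guid, hostname 
| addinfo 
| search forwarder_type=$my_fwd|s$ os=$my_os|s$ 
| eval status = if(isnull(sum_kb) or (sum_kb &lt;= 0) or (last_connected &lt; (info_max_time - 900)), "missing", "active") 
| eval sum_kb = round(sum_kb, 2) 
| eval avg_tcp_kbps = round(avg_tcp_kbps, 2) 
| eval avg_tcp_eps = round(avg_tcp_eps, 2) 
| fields guid, hostname, forwarder_type, version, arch, os, status, last_connected, sum_kb, avg_tcp_kbps, avg_tcp_eps
| eval last_connected=strftime(last_connected ,"%m-%d-%y @  %H:%M:%S")</query>
          <earliest>$my_time.earliest$</earliest>
          <latest>$my_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <!--
          The hostname shown in the table comes from forwarder connection
          metrics and the inventory lookup, so it is not guaranteed to be
          URL-safe. The |u filter URL-encodes it so the value stays inside
          the form.mynode parameter of the target view.
        -->
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_node?form.mynode=$row.hostname|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>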