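<!--
  Splunk Simple XML dashboard: per-node health view (processor CPU, errors,
  forwarder connections, queue sizes, throughput, data freshness, asset refs).

  Tokens:
    $mytime$  time picker; consumed as $mytime.earliest$ / $mytime.latest$.
    $mynode$  free-text device name; the input wraps the typed value in "*"
              (prefix/suffix) so it is always a wildcard pattern. Every panel
              is gated on it via depends="$mynode$".

  Because $mynode$ is free text that is substituted verbatim into SPL, each
  query uses the search-safe filter $mynode|s$: the value is wrapped in double
  quotes and embedded quotes are escaped, so the typed text is always a single
  search term and cannot terminate the term or append further SPL. Wildcards
  inside the quoted value are still honoured by host=/hostname= comparisons.
-->
<form theme="light">
  <label>CIS - Investigate Node (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <fieldset submitButton="true">
    <!-- Default window: last 4 hours, snapped to the minute. -->
    <input type="time" token="mytime">
      <label>Select Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Substring match: prefix/suffix turn "abc" into "*abc*". -->
    <input type="text" token="mynode">
      <label>Device Name or part of the name</label>
      <prefix>*</prefix>
      <suffix>*</suffix>
    </input>
  </fieldset>
  <row>
    <!-- CPU seconds per pipeline processor over time (metrics.log, group=pipeline). -->
    <panel depends="$mynode$">
      <title>How Much time is splunk spending in each processor?</title>
      <chart>
        <search>
          <query>index=_internal source=*metrics.log* host=$mynode|s$ group=pipeline | timechart sum(cpu_seconds) by processor limit=20 useother=f</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">left</option>
        <option name="height">420</option>
      </chart>
    </panel>
    <!--
      Raw splunkd events for the node. The unparenthesised OR chain relies on
      Splunk's boolean precedence (OR before implicit AND); add explicit
      parentheses if the intended grouping is ("get_client" OR tcp*) AND
      (ERROR OR WARN). Confirm against the original author's intent.
    -->
    <panel depends="$mynode$">
      <title>Errors on the Node</title>
      <event>
        <search>
          <query>index=_internal host=$mynode|s$ sourcetype=splunkd "get_client" OR tcp* ERROR OR WARN</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
  <row>
    <!--
      Inbound forwarder connections (tcpin_connections) summarised per
      forwarder instance/GUID: type, IP, version, OS/arch, receiver and
      connection counts, average KB/s and events/s.
    -->
    <panel depends="$mynode$">
      <table>
        <search>
          <query>(fwdType=* group=tcpin_connections guid=* hostname=$mynode|s$ index=_internal sourcetype=splunkd (connectionType=cooked OR connectionType=cookedSSL)) 
| eval source_uri=((hostname . ":") . sourcePort), dest_uri=((host . ":") . destPort), connection=((source_uri . "-&gt;") . dest_uri) 
| stats values(fwdType) as fwdType, values(sourceIp) as sourceIp, latest(version) as version, values(os) as os, values(arch) as arch, dc(dest_uri) as dest_count, dc(connection) as connection_count, avg(tcp_KBps) as avg_tcp_kbps, avg(tcp_eps) as avg_tcp_eps by hostname, guid 
| eval avg_tcp_kbps=round(avg_tcp_kbps,2), avg_tcp_eps=round(avg_tcp_eps,2), fwdType=case((fwdType == "full"),"Heavy Forwarder",(fwdType == "uf"),"Universal Forwarder",(fwdType == "lwf"),"Light Forwarder",true(),fwdType) 
| rename arch as Architecture, avg_tcp_eps as "Average Events/s", avg_tcp_kbps as "Average KB/s", connection_count as "Connection Count", dest_count as "Receiver Count", fwdType as "Forwarder Type", guid as GUID, hostname as Instance, os as OS, sourceIp as IP, version as "Splunk Version"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <!-- 95th percentile queue fill level per queue name (metrics.log, group=queue). -->
    <panel depends="$mynode$">
      <title>95th percentile of measured queue size</title>
      <chart>
        <search>
          <query>index=_internal source=*metrics.log* host=$mynode|s$ group=queue | timechart perc95(current_size) by name limit=20 useother=f</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <!-- Throughput from the node: events/s as columns, KB/s overlaid as a line. -->
    <panel depends="$mynode$">
      <title>Data and Event flow from Node</title>
      <chart>
        <search>
          <query>(fwdType=* group=tcpin_connections guid=* hostname=$mynode|s$ index=_internal sourcetype=splunkd (connectionType=cooked OR connectionType=cookedSSL)) 
| timechart minspan=30s avg(eval(tcp_KBps)) as "KB/s", avg(tcp_eps) as "Events/s"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">KB/s</option>
        <option name="height">246</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <!--
      Data freshness per host/index/sourcetype/source: last event time, event
      count and minutes since the last event. Row click drills into the
      sourcetype investigation dashboard; the row values are URL-encoded
      ($row.x|u$) so index/sourcetype names with reserved characters survive
      the query string intact.
    -->
    <panel depends="$mynode$">
      <table>
        <search>
          <query>| tstats latest(_time) AS ps1 count AS ps2 WHERE host=$mynode|s$ BY host index sourcetype source 
| eval ps4=now() | eval ps5= round((ps4-ps1)/60,2) 
| convert ctime(ps4) 
| convert ctime(ps1) 
| table host index sourcetype source ps2 ps1 ps4 ps5 
| rename ps1 as "Latest Event Time", ps2 as "N# Of Events", ps4 as "Current Time", ps5 as "No Data For (Minutes)", host as "Hostname Reporting"</query>
          <earliest>$mytime.earliest$</earliest>
          <latest>$mytime.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">/app/cisa_sh_moswos/investigate_sourcetype?form.myindex=$row.index|u$&amp;form.mysourcetype=$row.sourcetype|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!--
      CMDB asset record for the node. Uses a fixed 24h window instead of the
      time picker, presumably because the asset summary is a periodic snapshot;
      confirm before changing.
    -->
    <panel depends="$mynode$">
      <title>CMDB Reference</title>
      <table>
        <search>
          <query>index=es_assets_summary sourcetype="es:assets:cmdb_server" $mynode|s$ | table * | fields - _raw tag* splunk* punct source timestamp linecount host Name
| stats values(*) AS * by "Host name"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <!-- APM asset record for the node; same fixed 24h window as the CMDB panel. -->
    <panel depends="$mynode$">
      <title>APM Reference</title>
      <table>
        <search>
          <query>index=es_assets_summary sourcetype="es:assets:apm" $mynode|s$ | table * | fields - _raw tag* splunk* punct
| stats values(*) AS * by HostName</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>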