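<form>
  <label>CIS - Investigate User (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <!--
    Per-user investigation dashboard. Three panels pivot on the user ID entered
    in the form: an audit-event timechart from index=_audit, the saved/scheduled
    searches owned by that user (runtime lookup joined with the saved/searches
    REST endpoint), and the user's roles and capabilities from the
    authentication/users REST endpoint.

    Security notes:
    * Every query that embeds the free-text $my_user$ token uses the |s filter,
      which wraps the value in double quotes and escapes embedded quotes and
      backslashes. Without it, a crafted input can close the field match and
      append further SPL to the pipeline (for example a trailing
      "| outputlookup ..."). Wildcards such as * still work inside the quoted
      value, so an analyst can still enter a partial user ID.
    * All searches run with the viewing user's permissions: index=_audit and the
      REST endpoints return only what that user is allowed to read. Share the
      dashboard only with roles that are meant to see audit data and other
      users' saved-search definitions and capabilities.
  -->
  <fieldset submitButton="true">
    <!-- Time range applies only to the _audit timechart; the lookup and REST panels ignore it. -->
    <input type="time" token="MyTime">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free text; no input validation, so every consumer below must quote it with |s. -->
    <input type="text" token="my_user">
      <label>Provide a User ID</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Audit Event Count for user $my_user$</title>
      <!-- Reading index=_audit normally requires an elevated role; viewers without it get an empty chart. -->
      <chart>
        <search>
          <query>index=_audit user=$my_user|s$ | timechart count by user</query>
          <earliest>$MyTime.earliest$</earliest>
          <latest>$MyTime.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <!--
        Saved-search runtimes (savedsearch_runtimes.csv) joined with the
        saved/searches REST endpoint, then filtered to searches owned by the
        investigated user. The full SPL of each saved search is fetched by the
        subsearch but dropped by the final table. The REST call runs as a join
        subsearch and is therefore subject to subsearch result/time limits; on
        very large deployments the list may be truncated. Confirm against the
        instance's limits.conf if completeness matters.
        The time range is hard-coded because inputlookup/rest do not use it.
      -->
      <table>
        <search>
          <query>| inputlookup savedsearch_runtimes.csv | sort last_time | convert ctime(*_time) | rename first_time AS "First Run Time" last_time AS "Latest Run Time"  | join savedsearch_name type=outer [| rest /servicesNS/-/-/saved/searches | eval State=if(disabled=0,"Enabled","Disabled") | eval Scheduled=if(is_scheduled=1,"Yes","No") | fields title eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search State Scheduled | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS User cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time"] | rename savedsearch_name AS Search | table Search App User "Avg Runtime" "Max Runtime" Scheduled State "First Run Time" "Latest Run Time" "Dispatch Earliest Time" "Dispatch Latest Time" | search Search=** App=* User=* Scheduled=* State=*
| sort - "Avg Runtime"
| search User=$my_user|s$</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <!--
        Roles and capabilities of the investigated user from the local
        authentication/users REST endpoint. The endpoint lists every user the
        viewer may see and the result is filtered afterwards; the time range is
        hard-coded because rest does not use it.
      -->
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
 | rename title as user 
 | table user capabilities roles
 | search user=$my_user|s$</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>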