<form>
  <label>CIS - Saved Searches (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <fieldset submitButton="false">
    <input type="text" token="search" searchWhenChanged="true">
      <label>Search Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="app" searchWhenChanged="true">
      <label>Application Context</label>
      <choice value="*">Any</choice>
      <populatingSearch fieldForLabel="label" fieldForValue="title">| rest /servicesNS/-/-/apps/local | search visible=1 | dedup title | fields title label | sort label</populatingSearch>
      <default>*</default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">Any</choice>
      <choice value="nobody">nobody</choice>
      <populatingSearch earliest="$earliest$" latest="$latest$" fieldForLabel="name" fieldForValue="title">|rest /services/authentication/users splunk_server=local
    |fields title realname | eval name=if(realname="",title,realname) | sort + name</populatingSearch>
      <default>*</default>
    </input>
    <input type="dropdown" token="scheduled" searchWhenChanged="true">
      <label>Scheduled</label>
      <choice value="*">All</choice>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="state">
      <label>State</label>
      <choice value="*">All</choice>
      <choice value="Enabled">Enabled</choice>
      <choice value="Disabled">Disabled</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | stats count</query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">none</option>
        <option name="beforeLabel">Total Saved Searches:</option>
        <option name="linkView">search</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Enabled is_scheduled=Yes| stats count</query>
          <earliest>0</earliest>
        </search>
        <option name="beforeLabel">Enabled and Scheduled:</option>
        <option name="drilldown">none</option>
        <option name="linkView">search</option>
        <option name="useColors">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Enabled is_scheduled=No | stats count</query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">none</option>
        <option name="beforeLabel">Not Scheduled but Enabled:</option>
        <option name="linkView">search</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Disabled | stats count</query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">none</option>
        <option name="beforeLabel">Disabled Searches:</option>
        <option name="linkView">search</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Search Status by Application</title>
      <chart>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time eai:acl.app | rename eai:acl.app as app | eval status="State: ".state." / Scheduled: ".is_scheduled | chart count over app by status</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">App Context</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Saved Searches by User</title>
      <chart>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time eai:acl.app eai:acl.owner | rename eai:acl.owner AS title | join title type=outer [|rest /services/authentication/users splunk_server=local     |fields title realname | eval user=if(realname="",title,realname)] | eval user=case(title="nobody","Default App User",isnotnull(title) AND isnull(user),"CISA can't find user",1=1, user) | chart count by user</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Saved Search Execution Details</title>
      <table>
        <search>
          <query>| inputlookup savedsearch_runtimes.csv | sort last_time | convert ctime(*_time) | rename first_time AS "First Run Time" last_time AS "Latest Run Time"  | join savedsearch_name type=outer [| rest /servicesNS/-/-/saved/searches | eval State=if(disabled=0,"Enabled","Disabled") | eval Scheduled=if(is_scheduled=1,"Yes","No") | fields title eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search State Scheduled | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS User cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time"] | rename savedsearch_name AS Search | table Search App User "Avg Runtime" "Max Runtime" Scheduled State "First Run Time" "Latest Run Time" "Dispatch Earliest Time" "Dispatch Latest Time" | search Search=$search$* App=$app$ User=$user$ Scheduled=$scheduled$ State=$state$
| sort - "Avg Runtime"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <format type="number" field="Avg Runtime">
          <option name="precision">1</option>
          <option name="unit">Secs</option>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Watchlist searches --</title>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/saved/searches splunk_server=local | search NOT [|inputlookup savedsearch_runtimes.csv | rename savedsearch_name AS title | fields title] | eval
State=if(disabled=0,"Enabled","Disabled") | eval
Scheduled=if(is_scheduled=1,"Yes","No") | fields title eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search State Scheduled | rename title AS
savedsearch_name eai:acl.app AS App eai:acl.owner AS User cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time"</query>
          <earliest>0</earliest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>