Splunk Sample Template
  • 18 Oct 2020


Sample Splunk Template

<form>
    <label>Secure Circle Global Statistics</label>
    <!-- Form inputs shared by every panel below: $SC_TimeRange$ supplies the
         earliest/latest bounds and $hostname$ is interpolated verbatim into each
         query as hostname="$hostname$".
         NOTE(review): Simple XML also accepts form tokens from the URL
         (form.hostname=...), so the single choice below does not bound the value.
         Searches run with the viewing user's own permissions, but quoting the token
         with the s filter (hostname=$hostname|s$) would keep an unexpected value from
         altering the search syntax; confirm before adopting. -->
    <fieldset submitButton="false" autoRun="true">
        <!-- Time picker; defaults to the last 24 hours, snapped to the hour. -->
        <input type="time" token="SC_TimeRange">
            <label>Time Range</label>
            <default>
                <earliest>-24h@h</earliest>
                <latest>now</latest>
            </default>
        </input>
        <!-- Server selector. "replace.me.com" is a template placeholder: replace both the
             choice value and the default with the real hostname(s) logged by the server. -->
        <input type="dropdown" token="hostname" searchWhenChanged="true">
            <label>Server</label>
            <choice value="replace.me.com">replace.me.com</choice>
            <default>replace.me.com</default>
        </input>
    </fieldset>
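    <row>
        <!-- Cumulative growth charts. Each query counts matching events per _time value,
             turns the counts into a running total with accum, then plots the last
             running total seen in each timechart bucket. -->
        <panel>
            <title>Secured files count growth</title>
            <!-- "Secured" = successful (NOT error) v3 files/get calls in createFromEnvelope mode. -->
            <chart>
                <search>
                    <query>(hostname="$hostname$") (POST_/v3/files/get AND mode="createFromEnvelope") NOT error | stats count as countOverTime by _time | accum countOverTime as accumulation | timechart last(accumulation) as "secured files"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.text">Time period</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Secured files</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisY.abbreviation">none</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.chart">line</option>
                <option name="charting.chart.nullValueMode">connect</option>
                <option name="charting.chart.showDataLabels">minmax</option>
                <option name="charting.drilldown">none</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
                <option name="charting.legend.mode">standard</option>
                <option name="charting.legend.placement">top</option>
                <option name="trellis.enabled">0</option>
                <option name="trellis.scales.shared">0</option>
                <option name="trellis.size">small</option>
            </chart>
        </panel>
        <panel>
            <title>Unique endpoints count growth</title>
            <!-- dedup endpointId keeps one event per endpoint, so the running total counts
                 distinct endpoints rather than events. -->
            <chart>
                <search>
                    <query>(hostname="$hostname$") endpointId NOT error | dedup endpointId | stats count as countOverTime by _time | accum countOverTime as accumulation | timechart last(accumulation) as "active endpoints"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.text">Time period</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Unique endpoints</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisY.abbreviation">none</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.chart">line</option>
                <option name="charting.chart.nullValueMode">connect</option>
                <option name="charting.chart.showDataLabels">minmax</option>
                <option name="charting.drilldown">none</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
                <option name="charting.legend.mode">standard</option>
                <option name="charting.legend.placement">top</option>
                <option name="trellis.enabled">0</option>
                <option name="trellis.scales.shared">0</option>
                <option name="trellis.size">small</option>
            </chart>
        </panel>
        <panel>
            <title>Unique users count growth</title>
            <!-- Same shape as the endpoints panel, keyed on userId. -->
            <chart>
                <search>
                    <query>(hostname="$hostname$") userId NOT error | dedup userId | stats count as countOverTime by _time | accum countOverTime as accumulation | timechart last(accumulation) as "active users"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.text">Time period</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <!-- Y axis labels the users series; the copy-pasted "Unique endpoints" title was wrong here. -->
                <option name="charting.axisTitleY.text">Unique users</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisY.abbreviation">none</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.chart">line</option>
                <option name="charting.chart.nullValueMode">connect</option>
                <option name="charting.chart.showDataLabels">minmax</option>
                <option name="charting.drilldown">none</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
                <option name="charting.legend.mode">standard</option>
                <option name="charting.legend.placement">top</option>
                <option name="trellis.enabled">0</option>
                <option name="trellis.scales.shared">0</option>
                <option name="trellis.size">small</option>
            </chart>
        </panel>
    </row>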
    <row>
        <panel>
            <title>Activity in circles</title>
            <!-- Requests per timechart bucket, one series per circleName (log Y scale).
                 NOTE(review): the disabled drilldown below is missing the closing $ on its
                 token ($click.name2$) and charting.drilldown is set to none, so both would
                 need changing before it can be re-enabled; the target dashboard path is
                 also assumed to exist in the search app. -->
            <chart>
                <search>
                    <query>(hostname="$hostname$") circleName | timechart count by circleName</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <!--drilldown>
                  <link target="_blank">/app/search/specific_circle_statistics?circleIdActive=$click.name2</link>
                </drilldown-->
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.text">Time interval</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Requests to server</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisY.abbreviation">none</option>
                <option name="charting.axisY.scale">log</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.chart">line</option>
                <option name="charting.chart.nullValueMode">connect</option>
                <option name="charting.chart.showDataLabels">none</option>
                <option name="charting.drilldown">none</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
                <option name="charting.legend.mode">standard</option>
                <option name="charting.legend.placement">bottom</option>
                <option name="refresh.display">progressbar</option>
                <option name="trellis.enabled">0</option>
                <option name="trellis.scales.shared">0</option>
                <option name="trellis.size">small</option>
            </chart>
        </panel>
    </row>
    <row>
        <panel>
            <title>Whitelisting Files</title>
            <!-- One row per fileHashes/add call, with _time rendered via strftime "%c".
                 The intermediate field is spelled eventTimestmap (sic) on both sides of the
                 rename, so the typo is harmless; it only ever surfaces as "Event Time". -->
            <table>
                <title>This table shows count of attempts to whitelist file</title>
                <search>
                    <query>(POST_/v3/fileHashes/add) (hostname="$hostname$")  | eval eventTimestmap=strftime(_time, "%c") | table fileHashName, circleName, userName, endpointName, eventTimestmap | rename fileHashName as "File Name", userName as "Username", endpointName as "Endpoint Name", circleName as "Circle Name", eventTimestmap as "Event Time"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <title>TOP 20 Opened Files</title>
            <!-- Top 20 files by (fileName, fileId) across v2 files/get and non-create v3
                 files/get. Unlike the table beside it, this search does not exclude error
                 events, so the two panels can disagree on counts. -->
            <chart>
                <title>This chart shows count of attempts to open file by endpoints</title>
                <search>
                    <query>(POST_/v2/files/get OR (POST_/v3/files/get AND (NOT "createFromEnvelope"))) (hostname="$hostname$") fileName | top 20 countfield="times" fileName, fileId | table fileName, times</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <sampleRatio>1</sampleRatio>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
                <option name="charting.axisTitleX.text">File Name</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Times Opened From Different Endpoints</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">log</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">all</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="height">443</option>
            </chart>
        </panel>
        <panel>
            <title>All Opened Files</title>
            <!-- Full list (top 0 = no limit) of successful v3 non-create opens, grouped by
                 file and circle; "Percent" is the share of all matching opens. -->
            <table>
                <title>This table shows count of attempts to open file by endpoints</title>
                <search>
                    <query>(POST_/v3/files/get AND (NOT "createFromEnvelope")) (hostname="$hostname$") (NOT error) | top 0 fileName, fileId, circleName | rename fileName as "File Name", fileId as "File Id", circleName as "Circle Name", count as "Times Opened", percent as "Percent"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="dataOverlayMode">heatmap</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>
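    <row>
        <panel>
            <title>All Created Files</title>
            <!-- One row per successful createFromEnvelope call. The rename now targets
                 circleName, the field the table clause actually selects; the previous
                 parentFileCircleName rename matched nothing, so the column kept its raw
                 name. NOTE(review): countyIsoCode is kept as-is because the same field name
                 is used by the Suspicious Endpoints table; verify it against the source data. -->
            <table>
                <title>This table shows count of attempts to create file by endpoints</title>
                <search>
                    <query>(hostname="$hostname$") (POST_/v3/files/get AND mode="createFromEnvelope") (NOT error) | table fileName, userName, endpointName, circleName, countyIsoCode, city, processName, fileId | rename fileName as "File Name", userName as "User Name", endpointName as "Endpoint Name", circleName as "Circle Name", countyIsoCode as "Country", city as "City", processName as "Process", fileId as "File Id"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>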
    <row>
        <panel>
            <title>TOP 20 Active Users</title>
            <!-- Counts every v3 files/get call per userName (creates and errors included). -->
            <chart>
                <title>This chart shows count of attempts to open file by users</title>
                <search>
                    <query>(POST_/v3/files/get) (hostname="$hostname$") userName | top 20 countfield="times" userName</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <sampleRatio>1</sampleRatio>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
                <option name="charting.axisTitleX.text">User Name</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Files Opened</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">log</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">all</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="height">443</option>
            </chart>
        </panel>
        <panel>
            <title>All Active Users</title>
            <!-- Same event set as the chart, keyed on userItemId so two users sharing a
                 display name are not merged; unlimited (top 0). -->
            <table>
                <title>This table shows count of attempts to open file by users</title>
                <search>
                    <query>(POST_/v3/files/get) (hostname="$hostname$") userItemId | top 0 userName, userItemId, userEmail | rename userName as "Name", userItemId as "User Id", userEmail as "Email", count as "Actions", percent as "Percent"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="dataOverlayMode">heatmap</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <title>TOP 20 Active Endpoints</title>
            <!-- Counts every v3 files/get call per endpointName (creates and errors
                 included); the table beside it restricts to successful non-create opens,
                 so the two are not expected to match. -->
            <chart>
                <title>This chart shows count of attempts to open file from specific endpoints</title>
                <search>
                    <query>(POST_/v3/files/get) (hostname="$hostname$") endpointName | top 20 countfield="times" endpointName</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <sampleRatio>1</sampleRatio>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
                <option name="charting.axisTitleX.text">Endpoint Name</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Files Opened</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">all</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="height">443</option>
            </chart>
        </panel>
        <panel>
            <title>All Active Read Endpoints</title>
            <!-- Successful non-create v3 opens per (endpointName, endpointId); unlimited. -->
            <table>
                <title>This table shows count of attempts to open file by specific endpoints</title>
                <search>
                    <query>(POST_/v3/files/get AND (NOT "createFromEnvelope")) (hostname="$hostname$")  (NOT error) endpointId | top 0 endpointName, endpointId | rename endpointName as "Name", endpointId as "Endpoint Id", count as "Actions", percent as "Percent"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="dataOverlayMode">heatmap</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <title>All Active Contribution Endpoints</title>
            <!-- Successful createFromEnvelope calls grouped by endpoint, user and circle.
                 The endpointId term only requires the field to be present; the grouping
                 itself is by endpointName, so renamed endpoints show as separate rows. -->
            <table>
                <title>This table shows count of attempts to create file by specific endpoints</title>
                <search>
                    <query>(POST_/v3/files/get AND mode="createFromEnvelope") (hostname="$hostname$") (NOT error) endpointId | top 0 endpointName, userName, circleName | rename endpointName as "Name", userName as "UserName", circleName as "Circle Name", count as "Actions", percent as "Percent"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="dataOverlayMode">heatmap</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>
    <row>
        <panel>
            <title>All Places Where Files Was Opened</title>
            <!-- Marker map of v3 files/get calls, geolocated from the clientIp field by
                 iplocation and bucketed per City. The disabled query below is the variant
                 for servers that already log lat/lng; its "1.2.3.4" is a placeholder for
                 an address to exclude (for example a load balancer), not a real value.
                 This panel has no refresh element, so it only updates on input changes. -->
            <map>
                <title>Where files was opened</title>
                <search>
                    <!--<query>(hostname="$hostname$") lat != null lng != null clientIp !="1.2.3.4" | geostats latfield=lat longfield=lng count</query>-->
                    <query>(POST_/v3/files/get) (hostname="$hostname$") | iplocation clientIp | geostats count by City</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                </search>
                <option name="height">496</option>
                <option name="mapping.map.scrollZoom">0</option>
                <option name="mapping.type">marker</option>
            </map>
        </panel>
    </row>
    <row>
        <panel>
            <title>TOP 20 Suspicious Endpoints</title>
            <!-- "Suspicious" here means events that carry an endpointId and the term
                 "error"; fillnull turns a missing endpointName into "Unknown" so those
                 events are still counted. Rendered as a pie, so the bar-oriented axis
                 options below have no visible effect. -->
            <chart>
                <title>This chart shows count of failed attempts to open file from specific endpoints</title>
                <search>
                    <query>(hostname="$hostname$") endpointId error | fillnull value=Unknown | top 20 countfield="times" endpointName</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <sampleRatio>1</sampleRatio>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
                <option name="charting.axisTitleX.text">Suspicious Endpoint Name</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.text">Suspicious Actions</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">pie</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">all</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="height">443</option>
            </chart>
        </panel>
    </row>
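    <row>
        <panel>
            <title>All Suspicious Endpoints</title>
            <!-- Every event containing "error" for the selected host, grouped by the full
                 request context (API signature, endpoint, file, circle, user, location and
                 error text). Unlike the chart above it, this does not require endpointId,
                 so errors without an endpoint are listed with "Unknown" fields.
                 The search block follows the earliest/latest/refresh/refreshType order used
                 by every other panel, and the title wording matches the chart's. -->
            <table>
                <title>This table shows count of failed attempts to open file by specific endpoints</title>
                <search>
                    <query>(hostname="$hostname$") error | fillnull value=Unknown | top 0 requestSignature, endpointName, endpointId, fileName, circleName, userName, userEmail, city, countyIsoCode, error | rename requestSignature as "Api", endpointName as "Endpoint Name", endpointId as "Endpoint Id", fileName as "File Name", circleName as "Circle Name", userName as "User Name", userEmail as "User Email", city as "City", countyIsoCode as "Country", error as "Error Message", count as "Times", percent as "Percent"</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="count">10</option>
                <option name="percentagesRow">false</option>
                <option name="rowNumbers">true</option>
                <option name="totalsRow">false</option>
            </table>
        </panel>
    </row>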
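    <row>
        <panel>
            <title>All Places With Suspicious Activity</title>
            <!-- Marker map of error events, geolocated from clientIp by iplocation and
                 bucketed per City. The disabled query is the lat/lng variant; its
                 "1.2.3.4" is a placeholder for an address to exclude, and its field name
                 has been corrected to clientIp to match the live query.
                 Search element order and the scrollZoom option now match the
                 "All Places Where Files Was Opened" map so both maps behave alike. -->
            <map>
                <title>Where suspicious activity detected</title>
                <search>
                    <!--<query>(hostname="$hostname$") error clientIp != "1.2.3.4" | geostats latfield=lat longfield=lng count</query>-->
                    <query>(hostname="$hostname$") error | iplocation clientIp | geostats count by City</query>
                    <earliest>$SC_TimeRange.earliest$</earliest>
                    <latest>$SC_TimeRange.latest$</latest>
                    <refresh>30s</refresh>
                    <refreshType>delay</refreshType>
                </search>
                <option name="height">496</option>
                <option name="mapping.map.scrollZoom">0</option>
                <option name="mapping.type">marker</option>
            </map>
        </panel>
    </row>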
</form>