diff --git a/packages/flare/src/main/resources/splunk/default/data/ui/nav/default.xml b/packages/flare/src/main/resources/splunk/default/data/ui/nav/default.xml
index 537d0c2..a29ade7 100644
--- a/packages/flare/src/main/resources/splunk/default/data/ui/nav/default.xml
+++ b/packages/flare/src/main/resources/splunk/default/data/ui/nav/default.xml
@@ -1,7 +1,11 @@
diff --git a/packages/flare/src/main/resources/splunk/default/savedsearches.conf b/packages/flare/src/main/resources/splunk/default/savedsearches.conf
index f347c0e..d90ba99 100644
--- a/packages/flare/src/main/resources/splunk/default/savedsearches.conf
+++ b/packages/flare/src/main/resources/splunk/default/savedsearches.conf
@@ -1,3 +1,7 @@
 [Flare Search]
 description = Shows all of the ingested events
 search = source="flare"
+
+[Severity]
+description = Counts the events by severity
+search = source=flare index=main | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score
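Review bot: The `case()` in the new `[Severity]` search has no catch-all branch, so any event whose `header.risk.score` is missing, non-numeric, or outside 1–5 ends up with a null `risk_label` (the `coalesce(..., 0)` fallback matches no branch), and `stats count by risk_label` then drops it from the report with no indication. For a severity overview that is the wrong failure mode: malformed or unexpected events vanish instead of being surfaced. Add a default branch, e.g. `risk_score == 5, "Critical", true(), "Unknown")`, so unmatched scores are counted under their own label. Separately, this search pins `index=main` and uses unquoted `source=flare` while `[Flare Search]` just above uses `source="flare"` with no index filter; if the app's data is routed to another index the severity counts will silently be empty, so either drop the index constraint or apply it consistently to both searches.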