Merge pull request #78 from Flared/mahinse/fix_saved_searches

Saved searches should retrieve the last 24 hours instead of all time
Flared · Dec 9, 2024 · 5728ccd · 5728ccd
2 parents 8e84972 + 6714c98
commit 5728ccd
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/packages/flare/src/main/resources/splunk/default/savedsearches.conf b/packages/flare/src/main/resources/splunk/default/savedsearches.conf
@@ -1,7 +1,7 @@
 [Flare Search]
-description = Shows all of the ingested events
-search = source="flare"
+description = Shows the ingested events from the last 24 hours
+search = source="flare index=flare earliest=-24h latest=now"
 
 [Severity]
-description = Counts the events by severity
-search = source=flare index=main | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0)  | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical")  | stats count by risk_label, risk_score | sort risk_score | fields - risk_score
+description = Counts the events by severity in the last 24 hours
+search = source=flare index=flare earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0)  | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical")  | stats count by risk_label, risk_score | sort risk_score | fields - risk_score
diff --git a/packages/react-components/src/models/constants.ts b/packages/react-components/src/models/constants.ts
@@ -8,6 +8,7 @@ export const APPLICATION_NAMESPACE: SplunkApplicationNamespace = {
     sharing: 'app',
 };
 export const FLARE_SAVED_SEARCH_NAME = 'Flare Search';
+export const SEVERITY_SAVED_SEARCH_NAME = 'Severity';
 export const KV_COLLECTION_NAME = 'event_ingestion_collection';
 export const KV_COLLECTION_KEY = '_key';
 export const KV_COLLECTION_VALUE = 'value';

diff --git a/packages/react-components/src/utils/setupConfiguration.ts b/packages/react-components/src/utils/setupConfiguration.ts
@@ -6,6 +6,7 @@ import {
     KV_COLLECTION_NAME,
     KV_COLLECTION_VALUE,
     PasswordKeys,
+    SEVERITY_SAVED_SEARCH_NAME,
     STORAGE_REALM,
 } from '../models/constants';
 import { Severity, SourceType, SourceTypeCategory, Tenant } from '../models/flare';
@@ -154,7 +155,12 @@ async function saveConfiguration(
     await updateSavedSearchQuery(
         service,
         FLARE_SAVED_SEARCH_NAME,
-        `source=${APP_NAME} index=${indexName}`
+        `source=${APP_NAME} index=${indexName} earliest=-24h latest=now`
+    );
+    await updateSavedSearchQuery(
+        service,
+        SEVERITY_SAVED_SEARCH_NAME,
+        `source=${APP_NAME} index=${indexName} earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0)  | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical")  | stats count by risk_label, risk_score | sort risk_score | fields - risk_score`
     );
     await completeSetup(service);
     await reloadApp(service);