Saved searches should retrieve the last 24 hours instead of all time
Marc-Antoine Hinse committed Dec 9, 2024
1 parent 8e84972, commit 6714c98
Showing 3 changed files with 12 additions and 5 deletions.
packages/flare/src/main/resources/splunk/default/savedsearches.conf (8 changes: 4 additions & 4 deletions)
@@ -1,7 +1,7 @@ | ||
[Flare Search] | ||
description = Shows all of the ingested events | ||
search = source="flare" | ||
description = Shows the ingested events from the last 24 hours | ||
search = source="flare index=flare earliest=-24h latest=now" | ||
|
||
[Severity] | ||
description = Counts the events by severity | ||
search = source=flare index=main | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score | ||
description = Counts the events by severity in the last 24 hours | ||
search = source=flare index=flare earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score |
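Review bot: the new [Flare Search] line puts the index and time modifiers inside the quoted source value, `search = source="flare index=flare earliest=-24h latest=now"`, so Splunk looks for a source literally named `flare index=flare earliest=-24h latest=now` and the saved search returns nothing instead of the last 24 hours. Close the quote after flare, `search = source="flare" index=flare earliest=-24h latest=now`, matching the unquoted form the [Severity] stanza already uses. Two smaller points in the same hunk: [Severity] also changes `index=main` to `index=flare`, which the commit message does not mention and which should be called out if intended, and since this is savedsearches.conf the 24-hour window could be set with `dispatch.earliest_time = -24h` and `dispatch.latest_time = now` on each stanza rather than inline `earliest`/`latest`, which override the time picker whenever the search is opened interactively.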