From 6714c98655bd022dffad5659373f03c7d2511d23 Mon Sep 17 00:00:00 2001
From: Marc-Antoine Hinse
Date: Mon, 9 Dec 2024 14:33:13 -0500
Subject: [PATCH] Saved searches should retrieve the last 24 hours instead of all time

---
 .../src/main/resources/splunk/default/savedsearches.conf | 8 ++++----
 packages/react-components/src/models/constants.ts | 1 +
 packages/react-components/src/utils/setupConfiguration.ts | 8 +++++++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/packages/flare/src/main/resources/splunk/default/savedsearches.conf b/packages/flare/src/main/resources/splunk/default/savedsearches.conf
index d90ba99..327787e 100644
--- a/packages/flare/src/main/resources/splunk/default/savedsearches.conf
+++ b/packages/flare/src/main/resources/splunk/default/savedsearches.conf
@@ -1,7 +1,7 @@
 [Flare Search]
-description = Shows all of the ingested events
-search = source="flare"
+description = Shows the ingested events from the last 24 hours
+search = source="flare index=flare earliest=-24h latest=now"
 
 [Severity]
-description = Counts the events by severity
-search = source=flare index=main | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score
+description = Counts the events by severity in the last 24 hours
+search = source=flare index=flare earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score
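Review bot: The new `[Flare Search]` query is mis-quoted: `search = source="flare index=flare earliest=-24h latest=now"` closes the double quote after `now`, so the whole phrase becomes the literal value compared against `source` and the saved search matches nothing. The closing quote belongs directly after the source name, `search = source="flare" index=flare earliest=-24h latest=now`, which also lines up with the unquoted form used by the `[Severity]` stanza in this same hunk and by the query setupConfiguration.ts writes at setup time. A saved search that silently returns zero events reads as "no findings" rather than "broken query", so this is worth confirming in the search UI after install.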
diff --git a/packages/react-components/src/models/constants.ts b/packages/react-components/src/models/constants.ts
index 8ac7701..2dbf291 100644
--- a/packages/react-components/src/models/constants.ts
+++ b/packages/react-components/src/models/constants.ts
@@ -8,6 +8,7 @@ export const APPLICATION_NAMESPACE: SplunkApplicationNamespace = {
 sharing: 'app',
 };
 export const FLARE_SAVED_SEARCH_NAME = 'Flare Search';
+export const SEVERITY_SAVED_SEARCH_NAME = 'Severity';
 export const KV_COLLECTION_NAME = 'event_ingestion_collection';
 export const KV_COLLECTION_KEY = '_key';
 export const KV_COLLECTION_VALUE = 'value';
diff --git a/packages/react-components/src/utils/setupConfiguration.ts b/packages/react-components/src/utils/setupConfiguration.ts
index 694c9c3..52f4050 100644
--- a/packages/react-components/src/utils/setupConfiguration.ts
+++ b/packages/react-components/src/utils/setupConfiguration.ts
@@ -6,6 +6,7 @@ import {
 KV_COLLECTION_NAME,
 KV_COLLECTION_VALUE,
 PasswordKeys,
+ SEVERITY_SAVED_SEARCH_NAME,
 STORAGE_REALM,
 } from '../models/constants';
 import { Severity, SourceType, SourceTypeCategory, Tenant } from '../models/flare';
@@ -154,7 +155,12 @@ async function saveConfiguration(
 await updateSavedSearchQuery(
 service,
 FLARE_SAVED_SEARCH_NAME,
- `source=${APP_NAME} index=${indexName}`
+ `source=${APP_NAME} index=${indexName} earliest=-24h latest=now`
+ );
+ await updateSavedSearchQuery(
+ service,
+ SEVERITY_SAVED_SEARCH_NAME,
+ `source=${APP_NAME} index=${indexName} earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0) | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical") | stats count by risk_label, risk_score | sort risk_score | fields - risk_score`
 );
 await completeSetup(service);
 await reloadApp(service);
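Review bot: The severity SPL pipeline is now duplicated verbatim between savedsearches.conf and the template literal passed to the second `updateSavedSearchQuery` call here, and the `source=${APP_NAME} index=${indexName} earliest=-24h latest=now` scope is spelled out twice within this hunk alone, so the copies will drift the next time the time window or the pipeline changes. Building the scope once into a local such as `searchScope` from `APP_NAME`, `indexName` and the `earliest=-24h latest=now` window, and deriving both queries from it, keeps the two saved searches in lock-step in this file; moving the pipeline text into a named constant in constants.ts next to `SEVERITY_SAVED_SEARCH_NAME` would narrow the drift further. Separately, `indexName` is interpolated straight into the SPL: if it originates from the setup form rather than a fixed value, it should be validated against a conservative index-name pattern (constructed example: `/^[a-z0-9_-]+$/i`) before it reaches the query, since a value containing whitespace or a pipe would change what the saved search does. saveConfiguration's signature and the start of its body are outside the hunk, so where indexName comes from cannot be confirmed here.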