Logger Dashboard | tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index -7d@h now 1 ellipsisNone 0 visible visible visible none linear none linear none 0 inherit column 50 10 area gaps none 0.01 stacked shiny none 0 0 ellipsisMiddle standard right 2 progressbar 0 1 medium index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id -24h@h now 1 20nonenonefalseprogressbarfalsefalsetrue | tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f -24h@h now column stacked none progressbar | tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host -24h@h now line none progressbar | tstats count where index=sysmon by host, _time span=1h prestats=t | timechart span=1h count by host -24h@h now line none | tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host -24h@h now line none progressbar index=zeek (dest_port=443 OR dest_port=80) dest_ip!=192.168.0.0/16 | rename orig_bytes as bytes_out resp_bytes as bytes_in | stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip | eval beacon_avg=('beacon_count' / 'total_count') | stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out | eval beacon_avg=('beacon_count' / 'total_count') | stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out | eval incount=mvcount(bytes_in) | eventstats avg(beacon_count) as overall_average | eval beacon_percentage=('beacon_count' / 'overall_average') | sort - beacon_percentage | fields - incount,overall_average -24h@h now 20noneprogressbar index=powershell | table _time, host, _raw, sourcetype -24h@h now 1nonefalsetrue | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota" 1 ellipsisNone 0 visible visible visible none linear none linear none 0 inherit bar 50 10 area gaps none 0.01 default shiny none 0 0 ellipsisMiddle standard right 2 0 1 medium index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | timechart span=1h sum(MB) by idx -24h@h now column stacked none progressbar