
ADP Events by Source IP with drilldown (using join)


This report solves the same task as the previous one but uses "join" instead of a lookup. It is a bit more expensive in terms of performance.

Report ID: 1_adp_rules_hits_by_clients_join

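<form>
  <label>1_ADP Rules Hits by Clients Join</label>
  <!--
    ADP rule hits per source IP, enriched with rule metadata through a join
    against ib:ddos:events (the lookup-based variant of this report does the
    same job more cheaply).

    The two text inputs are spliced into the base search, so their tokens are
    passed through the |s filter: the user-supplied value is emitted as one
    double-quoted, escaped SPL string instead of raw search syntax. With the
    default "*" this still behaves as a wildcard match.
  -->
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Period</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Client">
      <label>Client (SOURCE_IP)</label>
      <default>*</default>
    </input>
    <input type="text" token="RuleID">
      <label>Rule ID (RULE_SID)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!--
            RULE_SID is renamed to SID so it lines up with the subsearch's join key.
            The dedup in the subsearch only collapses exact duplicate rows; join
            without max=0 keeps one matching event per SID, so a rule that logged
            several distinct MESSAGE values shows only one of them here.
          -->
          <query>index=ib_security source="ib:ddos:ip_rule_stats" SOURCE_IP=$Client|s$ RULE_SID=$RuleID|s$ | stats sum(ACTIVE_COUNT) as Qty by SOURCE_IP, RULE_SID | rename RULE_SID as SID | join SID [search index=ib_security source="ib:ddos:events" | table SID, CATEGORY, MESSAGE, SEVERITY | dedup SID, CATEGORY, MESSAGE, SEVERITY]</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <!-- Each cell links back into this report (or pvm_adp_rules for CATEGORY)
             with the clicked value pre-filled and the current time range carried over. -->
        <drilldown>
          <condition field="MESSAGE">
            <link target="_blank">/app/infoblox/1_adp_rules_hits_by_clients_join?form.RuleID=$row.SID$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
          <condition field="SOURCE_IP">
            <link target="_blank">/app/infoblox/1_adp_rules_hits_by_clients_join?form.Client=$row.SOURCE_IP$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
          <condition field="CATEGORY">
            <link target="_blank">/app/infoblox/pvm_adp_rules?form.Category=$row.CATEGORY$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
        </drilldown>
        <!-- The search never produces a RULE field; MESSAGE is what the join adds,
             so the fields option now matches the <fields> element below. -->
        <option name="fields">SOURCE_IP,CATEGORY,MESSAGE,SEVERITY,Qty</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <fields>["SOURCE_IP","CATEGORY","MESSAGE","SEVERITY","Qty"]</fields>
      </table>
    </panel>
  </row>
</form>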
