ADP Events by Source IP with drilldown (using lookup table)

This report contains information about ADP events split by IP. It allows navigating to "ADP Events by Rule" and drilling down to the same report with different IP/Rule parameters.
This report doesn't contain rule name/severity information because my 7.3EA Grid doesn't include any PT-appliance and a lookup table is missing. The lookup table "atp_rule_sid_lookup.csv" is automatically generated from ADP rules. In the next post I created the same report using a workaround.

Report ID: pvm_adp_rules_hits_by_client

<form>
  <label>1_ADP Rules Hits by Clients</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Period</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Source IP filter; "*" matches every client, the drilldown below fills it from the clicked row -->
    <input type="text" token="Client">
      <default>*</default>
    </input>
    <!-- ADP rule SID filter; "*" matches every rule -->
    <input type="text" token="RuleID">
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ib_security source="ib:ddos:ip_rule_stats" SOURCE_IP="$Client$" RULE_SID="$RuleID$" | stats sum(ACTIVE_COUNT) as Qty by SOURCE_IP, RULE_SID |lookup atp_rule_sid_lookup RULE_SID OUTPUTNEW RULE_SID as SID,  DNST_CATEGORY as CATEGORY, RULE_DESCRIPTION as DESCRIPTION, RULE_NAME as NAME | sort Qty desc</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <drilldown>
          <!-- Clicking the SID column re-opens this report filtered to that rule.
               The search renames the lookup's RULE_SID to SID, so the condition must
               match the displayed field name (the original "MESSAGE" field never
               exists in these results and the condition could never fire). -->
          <condition field="SID">
            <link target="_blank">/app/infoblox/pvm_adp_rules_hits_by_client?form.RuleID=$row.RULE_SID$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
          <!-- Clicking the IP column re-opens this report filtered to that client -->
          <condition field="SOURCE_IP">
            <link target="_blank">/app/infoblox/pvm_adp_rules_hits_by_client?form.Client=$row.SOURCE_IP$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
          <!-- Clicking the category column jumps to the "ADP Events by Rule" report -->
          <condition field="CATEGORY">
            <link target="_blank">/app/infoblox/pvm_adp_rules?form.Category=$row.CATEGORY$&amp;form.time.earliest=$time.earliest$&amp;form.time.latest=$time.latest$&amp;form.time=$time$</link>
          </condition>
        </drilldown>
        <option name="fields">SOURCE_IP,SID,NAME,DESCRIPTION,SEVERITY,Qty</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <!-- Column list kept identical to the "fields" option above (SID, not RULE_SID) -->
        <fields>["SOURCE_IP","SID","NAME","DESCRIPTION","SEVERITY","Qty"]</fields>
      </table>
    </panel>
  </row>
</form>
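The search pipeline behind this panel (filter by client/rule, `stats sum(ACTIVE_COUNT)` by SOURCE_IP and RULE_SID, `lookup ... OUTPUTNEW`, `sort Qty desc`) emulated in Python as an added example; it is not part of the original post or of the Infoblox app. The events and the CSV content are constructed, and one SID is deliberately left out of the CSV to show what the incomplete-lookup situation described above looks like in the result rows.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of ib:ddos:ip_rule_stats events (not real Infoblox data).
SAMPLE_EVENTS = [
    {"SOURCE_IP": "192.0.2.10", "RULE_SID": "130000100", "ACTIVE_COUNT": 7},
    {"SOURCE_IP": "192.0.2.10", "RULE_SID": "130000100", "ACTIVE_COUNT": 5},
    {"SOURCE_IP": "192.0.2.10", "RULE_SID": "130000200", "ACTIVE_COUNT": 3},
    {"SOURCE_IP": "198.51.100.7", "RULE_SID": "130000200", "ACTIVE_COUNT": 20},
    {"SOURCE_IP": "198.51.100.7", "RULE_SID": "130000999", "ACTIVE_COUNT": 1},
]

# Constructed stand-in for atp_rule_sid_lookup.csv; SID 130000999 is absent on purpose
# to reproduce the "lookup table missing/incomplete" situation from the post.
SAMPLE_LOOKUP_CSV = """RULE_SID,DNST_CATEGORY,RULE_DESCRIPTION,RULE_NAME
130000100,DNS Tunneling,Example tunneling signature (constructed),TUNNEL_EXAMPLE
130000200,Amplification,Example ANY-query flood (constructed),ANY_FLOOD_EXAMPLE
"""

def load_lookup(csv_text):
    """Parse the lookup CSV into {RULE_SID: row}, like a Splunk CSV lookup keyed on RULE_SID."""
    return {row["RULE_SID"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def adp_hits_by_client(events, lookup_csv, client="*", rule_id="*"):
    """Emulate the dashboard SPL: filter by $Client$/$RuleID$, stats sum(ACTIVE_COUNT)
    as Qty by SOURCE_IP, RULE_SID, lookup with OUTPUTNEW renames, then sort Qty desc."""
    totals = defaultdict(int)
    for ev in events:
        if client != "*" and ev["SOURCE_IP"] != client:
            continue
        if rule_id != "*" and ev["RULE_SID"] != rule_id:
            continue
        totals[(ev["SOURCE_IP"], ev["RULE_SID"])] += int(ev["ACTIVE_COUNT"])
    lookup = load_lookup(lookup_csv)
    rename = {"RULE_SID": "SID", "DNST_CATEGORY": "CATEGORY",
              "RULE_DESCRIPTION": "DESCRIPTION", "RULE_NAME": "NAME"}
    rows = []
    for (ip, sid), qty in totals.items():
        row = {"SOURCE_IP": ip, "RULE_SID": sid, "Qty": qty}
        match = lookup.get(sid)
        for src, dst in rename.items():
            # OUTPUTNEW only writes fields the result does not already carry; a SID
            # missing from the CSV leaves NAME/DESCRIPTION/CATEGORY empty in the table.
            if dst not in row:
                row[dst] = match[src] if match else None
        rows.append(row)
    rows.sort(key=lambda r: r["Qty"], reverse=True)
    return rows
```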