Merge pull request #4 from ZachChristensen28/development

Version 1.1.1

README.md

@@ -2,24 +2,23 @@
 
 ![GitHub](https://img.shields.io/github/license/ZachChristensen28/Opnsense_App_for_Splunk)
 [![Documentation Status](https://readthedocs.org/projects/splunk-opnsense-app-documentation/badge/?version=latest)](https://splunk-opnsense-app-documentation.readthedocs.io/en/latest/?badge=latest)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/Opnsense_App_for_Splunk)
+[![Splunkbase App](https://img.shields.io/badge/Splunkbase-Opnsense%20App%20for%20Splunk-blue)](https://splunkbase.splunk.com/app/5372/)
+[![Splunk CIM Version](https://img.shields.io/badge/Splunk%20CIM%20Version-4.x-success)](https://docs.splunk.com/Documentation/CIM/latest/User/Overview)
 
 The OPNsense App for Splunk helps make your firewall data meaningful. Visualize system or security related events recorded by the [OPNsense® Firewall](https://opnsense.org/). This app requires the [OPNsense Add-on for Splunk](https://splunkbase.splunk.com/app/4538/).
 
  Info | Description
 ------|----------
-Version | 1.1.0 - See on [Splunkbase](https://splunkbase.splunk.com/app/5372/)
+Version | 1.1.1 - See on [Splunkbase](https://splunkbase.splunk.com/app/5372/)
 Vendor Product Version | [OPNsense® 20.7](https://opnsense.org/)
 APP has a web UI | Yes, this app contains views.
 
 ```TEXT
-Version 1.1.0
+Version 1.1.1
 
-New
-- Added System Dashboard. This is powered by the modular input from the Add-on.
-- Added host filters on all dashboards.
-
-Updated
-- IDS Overview dashboard to include the time of latest intrusion event.
+- Added version to dashboards to support jQuery v3.5.
+- Converted License Overview panel on Data overview dashboard to be schedule report.
 ```
 
 ## Documentation

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "Opnsense_App_for_Splunk",
-      "version": "1.1.0"
+      "version": "1.1.1"
     },
     "author": [
       {
@@ -58,4 +58,4 @@
   "targetWorkloads": [
     "_search_heads"
   ]
-}
+}

default/app.conf

@@ -12,7 +12,7 @@ label = OPNsense App for Splunk
 [launcher]
 author = Zach Christensen
 description = Provides visualizations for the OPNsense Firewall.
-version = 1.1.0
+version = 1.1.1
 
 [package]
-id = Opnsense_App_for_Splunk
+id = Opnsense_App_for_Splunk

default/data/ui/views/opnsense_auth_overview.xml

@@ -1,4 +1,4 @@
-<form>
+<form version="1.1">
     <label>Authentication Overview</label>
     <search id="base">
         <query>| `opnsense_tstats` count from datamodel=Authentication.Authentication where sourcetype=opnsense:* $host_tok$ by _time, Authentication.src, Authentication.user, Authentication.action, Authentication.app span=5m
@@ -173,4 +173,4 @@
             </table>
         </panel>
     </row>
-</form>
+</form>

default/data/ui/views/opnsense_data_overview.xml

@@ -1,4 +1,4 @@
-<form>
+<form version="1.1">
   <label>Data Overview</label>
   <search id="base">
     <query>| tstats count, sum(opnsense_event_length) as bytes where index=* sourcetype=opnsense* $host_tok$ by _time, index, sourcetype span=5m</query>
@@ -53,7 +53,10 @@
     <panel>
       <html>
         <p>
-          <strong>Note: </strong> TA-opnsense is either missing or does not meet the version requirements. Please update to the latest version of <a target="_blank" href="https://splunkbase.splunk.com/app/4538/">TA-opnsense</a>.
+          <strong>Note:</strong>
+          TA-opnsense is either missing or does not meet the version requirements. Please update to the latest version of
+          <a target="_blank" href="https://splunkbase.splunk.com/app/4538/">TA-opnsense</a>
+          .
         </p>
       </html>
     </panel>
@@ -102,48 +105,12 @@
       <title>License Usage Overview</title>
       <chart>
         <title>Last 30 Day Average</title>
-        <search>
-          <query>| tstats sum(opnsense_event_length) as license_usage where index=* sourcetype=opnsense* $host_tok$ _index_earliest=-30d@d _index_latest=-1d@d by _time, sourcetype span=1d@d
-| chart avg(license_usage) as average_license_usage by sourcetype
-| sort -average_license_usage
-| rename average_license_usage as "Average License Usage/Day (bytes)", sourcetype as Sourcetype</query>
-          <earliest>-30d@d</earliest>
-          <latest>now</latest>
-          <sampleRatio>1</sampleRatio>
-        </search>
-        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
-        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
-        <option name="charting.axisTitleX.visibility">visible</option>
-        <option name="charting.axisTitleY.visibility">visible</option>
-        <option name="charting.axisTitleY2.visibility">visible</option>
-        <option name="charting.axisX.abbreviation">none</option>
-        <option name="charting.axisX.scale">linear</option>
+        <search ref="OPNsense - License Usage Overview"></search>
         <option name="charting.axisY.abbreviation">auto</option>
         <option name="charting.axisY.scale">linear</option>
-        <option name="charting.axisY2.abbreviation">none</option>
-        <option name="charting.axisY2.enabled">0</option>
-        <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">bar</option>
-        <option name="charting.chart.bubbleMaximumSize">50</option>
-        <option name="charting.chart.bubbleMinimumSize">10</option>
-        <option name="charting.chart.bubbleSizeBy">area</option>
-        <option name="charting.chart.nullValueMode">gaps</option>
-        <option name="charting.chart.showDataLabels">none</option>
-        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
-        <option name="charting.chart.stackMode">default</option>
-        <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
-        <option name="charting.layout.splitSeries">0</option>
-        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
-        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
-        <option name="charting.legend.mode">standard</option>
-        <option name="charting.legend.placement">none</option>
-        <option name="charting.lineWidth">2</option>
         <option name="charting.seriesColors">[0xF2790D]</option>
-        <option name="refresh.display">progressbar</option>
-        <option name="trellis.enabled">0</option>
-        <option name="trellis.scales.shared">1</option>
-        <option name="trellis.size">medium</option>
       </chart>
     </panel>
   </row>
@@ -152,7 +119,7 @@
       <title>Data Inventory Details</title>
       <table>
         <search base="base">
-          <query>| stats sparkline(sum(count), 5m) as Sparkline, sum(count) as total, sum(bytes) as total_bytes by sourcetype, index 
+          <query>| stats sparkline(sum(count), 5m) as Sparkline, sum(count) as total, sum(bytes) as total_bytes by sourcetype, index
 | sort - total
 | eval kb=round(total_bytes/1024,2)
 | eval mb=round(total_bytes/1024/1024,2)

default/data/ui/views/opnsense_ids_overview.xml

@@ -1,4 +1,4 @@
-<form>
+<form version="1.1">
     <label>IDS Overview</label>
     <search id="base">
         <query>| `opnsense_tstats` count from datamodel=Intrusion_Detection.IDS_Attacks where sourcetype=opnsense:* $host_tok$ by _time, IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.signature, IDS_Attacks.category, IDS_Attacks.severity span=5m
@@ -142,4 +142,4 @@
             </table>
         </panel>
     </row>
-</form>
+</form>

default/data/ui/views/opnsense_system_overview.xml

@@ -1,4 +1,4 @@
-<form hideFilters="True">
+<form hideFilters="True" version="1.1">
     <label>System Overview</label>
     <search id="picker">
         <query>| tstats count where `opnsense_system_index` sourcetype=opnsense:system by host</query>
@@ -32,11 +32,11 @@
         </progress>
     </search>
     <search id="system_base">
-        <query>`opnsense_system_index` sourcetype=opnsense:system collection_type=system 
-| eval update_msg=if(status=="update", "Update Available", "Up to Date") 
-| eval can_update=if(update_msg="Update Available", 2, 1) 
-| eval new_version=if(can_update==2, 'all_packages.opnsense.new', "n/a") 
-| eval reboot_msg=if(upgrade_needs_reboot=="1", "Reboot Required", "Reboot Not Required") 
+        <query>`opnsense_system_index` sourcetype=opnsense:system collection_type=system
+| eval update_msg=if(status=="update", "Update Available", "Up to Date")
+| eval can_update=if(update_msg="Update Available", 2, 1)
+| eval new_version=if(can_update==2, 'all_packages.opnsense.new', "n/a")
+| eval reboot_msg=if(upgrade_needs_reboot=="1", "Reboot Required", "Reboot Not Required")
 | stats latest(product_version) as product_version, latest(new_version) as new_version, latest(status_msg) as status_msg, max(_time) as last_check, latest(os_version) as os_version, latest(update_msg) as update_msg, latest(can_update) as can_update, latest(reboot_msg) as reboot_msg, latest(upgrade_needs_reboot) as upgrade_needs_reboot $by_host$</query>
         <earliest>$global_time_tok.earliest$</earliest>
         <latest>$global_time_tok.latest$</latest>
@@ -245,4 +245,4 @@
             </table>
         </panel>
     </row>
-</form>
+</form>

default/data/ui/views/opnsense_traffic_overview.xml

@@ -1,4 +1,4 @@
-<form>
+<form version="1.1">
     <label>Traffic Overview</label>
     <search id="base">
         <query>| `opnsense_tstats` count from datamodel=Network_Traffic.All_Traffic where sourcetype=opnsense:* $host_tok$ by _time, All_Traffic.src, All_Traffic.dest, All_Traffic.transport, All_Traffic.action span=5m
@@ -8,7 +8,7 @@
         <sampleRatio>1</sampleRatio>
     </search>
     <search id="base_detail">
-        <query>| tstats `opnsense_summariesonly` count from datamodel=Network_Traffic.All_Traffic where sourcetype=opnsense:* $host_tok$ by _time, All_Traffic.src, All_Traffic.dest span=5m 
+        <query>| tstats `opnsense_summariesonly` count from datamodel=Network_Traffic.All_Traffic where sourcetype=opnsense:* $host_tok$ by _time, All_Traffic.src, All_Traffic.dest span=5m
 | rename All_Traffic.* as *</query>
         <earliest>$global_time_tok.earliest$</earliest>
         <latest>$global_time_tok.latest$</latest>
@@ -276,4 +276,4 @@
             </table>
         </panel>
     </row>
-</form>
+</form>

default/data/ui/views/opnsense_vpn_overview.xml

@@ -1,4 +1,4 @@
-<form>
+<form version="1.1">
     <label>VPN Overview</label>
     <description>Results shown for OpenVPN</description>
     <search id="base">
@@ -131,4 +131,4 @@
             </table>
         </panel>
     </row>
-</form>
+</form>

default/savedsearches.conf

@@ -0,0 +1,19 @@
+[OPNsense - License Usage Overview]
+cron_schedule                                      = 2 3 * * *
+dispatch.earliest_time                             = -31d@d
+dispatch.latest_time                               = @d
+display.general.type                               = visualizations
+display.page.search.mode                           = fast
+display.page.search.tab                            = visualizations
+display.statistics.show                            = 0
+display.visualizations.charting.axisY.abbreviation = auto
+display.visualizations.charting.chart              = bar
+display.visualizations.charting.legend.placement   = none
+enableSched                                        = 1
+schedule_window                                    = auto
+search = | tstats sum(opnsense_event_length) as license_usage where index=* sourcetype=opnsense* _index_earliest=-31d@d _index_latest=@d by _time, sourcetype span=1d@d \
+| chart avg(license_usage) as average_license_usage by sourcetype \
+| eval GB=average_license_usage/1024/1024/1024 \
+| sort -average_license_usage \
+| rename GB as "Average License Usage/Day (GB)", sourcetype as Sourcetype\
+| fields - average_license_usage