Defaults for data sources and visualizations

You can define defaults for data sources and visualizations to set the same option for all relevant dashboard components. Configuring defaults streamlines dashboard management: you update an option in a single place and the change applies to all relevant components, rather than modifying the option on each component individually. By combining global defaults, defaults specific to a data source or visualization type, and component-level options, you keep dashboard management simple while maintaining granular control.

For example, consider that your dashboard has 5 pie charts, and you want to configure 4 pie charts to use the same pink background and 1 pie chart to use a transparent background. Instead of configuring the same pink background for 4 charts individually, you can define pink as the default background color for all pie charts on the dashboard. You can then configure the transparent background for the remaining chart as a chart-level setting to override the default.

A dashboard with 5 pie charts showing business data. 4 pie charts have a light pink background. The remaining pie chart has a transparent background.

To configure defaults for data sources and visualizations, you must use the source code editor to edit the defaults stanza.

defaults stanza

defaults is a top-level stanza in the dashboard definition. The defaults stanza may contain the following sub-stanzas:

  • dataSources

  • visualizations

  • tokens

This topic only discusses configuring defaults for data sources and visualizations. For configuring token defaults, see Defaults for tokens.

In the dataSources and visualizations sub-stanzas, you can set default options for the relevant dashboard components at the following levels:

  • global: Options set at the global level apply to all data sources or visualizations in the dashboard, unless overridden by a component type default or component-level setting. For example, if you configure a global default refresh rate of 5 minutes for all data sources, this applies to all data sources in the dashboard, whether they are ds.search or ds.savedSearch. For visualizations, you can only define global defaults for options available to all visualizations, such as showProgressBar.

  • Component (data source or visualization) type: Options set at the component type level apply to all data sources or visualizations of that type in the dashboard. For example, you can configure a default refresh rate of 10 minutes for all ds.savedSearch searches, which overrides any global default refresh rate configured for all data sources.

You can define a default value for any option that a data source or visualization supports in the defaults stanza.

Override behavior between global and component type defaults and component-level settings

You can define a data source or visualization option in multiple places in the dashboard definition:

  • Global default

  • Component type default

  • Component-level setting

If you define an option in multiple places in the dashboard definition, the most specific setting takes precedence, overriding the less specific defaults. For example, if the dashboard definition contains a global default and a component-level setting for the same option, the component-level setting takes precedence and overrides the global default, since it is more specific.

Consider a dashboard that includes 2 pie charts and 4 single value visualizations: Active users, Engaged users, <Model 1> acceptance ratio, and <Model 2> acceptance ratio.

If the global default for visualizations for showLastUpdated is defined as true and showLastUpdated is not defined elsewhere in the dashboard definition, all visualizations show the last updated time.

A dashboard with 4 single value visualizations and 2 pie charts. Each visualization shows its last updated time.

The following shows the defaults and visualizations stanzas for this example. Note that showLastUpdated is not defined for any visualizations in the visualizations stanza. For visualizations, the defaults stanza only contains a global default and does not contain any component type defaults. This source code sample is not a complete dashboard definition, as it omits stanzas to highlight the example:
{
    "title": "AI Adoption at Buttercup Enterprises",
    ...
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showLastUpdated": true
            }
        }
    },
    "visualizations": {
        "viz_aeitXBL7": {
            "options": {
                "markdown": "### AI Adoption Overview\nTracks high level usage by active users (used an AI model at least once) and engaged users (higher usage). Tracks usage by team, with the ability to split model usage by popular use cases. "
            },
            "type": "splunk.markdown"
        },
        "viz_cUFo30qJ": {
            "dataSources": {
                "primary": "ds_2egZsakq"
            },
            "options": {
                "backgroundColor": "#ffffff",
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName(\"$model_1$\")",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_1$ acceptance ratio",
            "type": "splunk.singlevalue"
        },
        "viz_fEJFjBK9": {
            "dataSources": {
                "primary": "ds_ZaoUFXR3"
            },
            "title": "$model_2$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_hKK7JIUo": {
            "dataSources": {
                "primary": "ds_IWqThW5A"
            },
            "eventHandlers": [
                {
                    "options": {
                        "newTab": true,
                        "type": "auto"
                    },
                    "type": "drilldown.linkToSearch"
                }
            ],
            "options": {
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName('$model_2$')",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_2$ acceptance ratio",
            "type": "splunk.singlevalue"
        },
        "viz_jZYfH86x": {
            "dataSources": {
                "primary": "ds_1KfEDBSo"
            },
            "options": {
                "backgroundColor": "#ffffff"
            },
            "title": "$model_1$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_l7rwG61Q": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24
            },
            "title": "Active users",
            "type": "splunk.singlevalue"
        },
        "viz_sJjJhflO": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "majorValue": "> sparklineValues | lastPoint()",
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "sparklineValues": "> primary | seriesByName('engaged_users')",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24,
                "trendValue": "> sparklineValues | delta(-2)"
            },
            "title": "Engaged users",
            "type": "splunk.singlevalue"
        }
    },
    ...
}

Now we define a component type default that sets showLastUpdated to false for single value visualizations. The 4 single value visualizations no longer display the last updated time, as the component type default takes precedence and overrides the global default. The pie charts, which do not have any component type default, continue to display the last updated time as per the global default.

A dashboard with 4 single value visualizations and 2 pie charts. Each pie chart shows its last updated time. The single value visualizations don't show the last updated time.

The following shows the defaults and visualizations stanzas for this example. Note that showLastUpdated is still not defined for any visualizations in the visualizations stanza. This source code sample is not a complete dashboard definition, as it omits stanzas to highlight the example:
{
    "title": "AI Adoption at Buttercup Enterprises",
    ...
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showLastUpdated": true
            },
            "splunk.singlevalue": {
                "showLastUpdated": false
            }
        }
    },
    "visualizations": {
        "viz_aeitXBL7": {
            "options": {
                "markdown": "### AI Adoption Overview\nTracks high level usage by active users (used an AI model at least once) and engaged users (higher usage). Tracks usage by team, with the ability to split model usage by popular use cases. "
            },
            "type": "splunk.markdown"
        },
        "viz_cUFo30qJ": {
            "dataSources": {
                "primary": "ds_2egZsakq"
            },
            "options": {
                "backgroundColor": "#ffffff",
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName(\"$model_1$\")",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_1$ acceptance ratio",
            "type": "splunk.singlevalue"
        },
        "viz_fEJFjBK9": {
            "dataSources": {
                "primary": "ds_ZaoUFXR3"
            },
            "title": "$model_2$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_hKK7JIUo": {
            "dataSources": {
                "primary": "ds_IWqThW5A"
            },
            "eventHandlers": [
                {
                    "options": {
                        "newTab": true,
                        "type": "auto"
                    },
                    "type": "drilldown.linkToSearch"
                }
            ],
            "options": {
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName('$model_2$')",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_2$ acceptance ratio",
            "type": "splunk.singlevalue"
        },
        "viz_jZYfH86x": {
            "dataSources": {
                "primary": "ds_1KfEDBSo"
            },
            "options": {
                "backgroundColor": "#ffffff"
            },
            "title": "$model_1$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_l7rwG61Q": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24
            },
            "title": "Active users",
            "type": "splunk.singlevalue"
        },
        "viz_sJjJhflO": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "majorValue": "> sparklineValues | lastPoint()",
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "sparklineValues": "> primary | seriesByName('engaged_users')",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24,
                "trendValue": "> sparklineValues | delta(-2)"
            },
            "title": "Engaged users",
            "type": "splunk.singlevalue"
        }
    },
    ...
}

Update only the Model 2 acceptance ratio visualization to set showLastUpdated to true. The Model 2 acceptance ratio visualization now displays the last updated time, as the component-level option takes precedence and overrides any defaults. The 3 other single value visualizations continue to not display the last updated time, according to the component type default, while the pie charts continue to display the last updated time as per the global default.

The following shows the defaults and visualizations stanzas for this example. This source code sample is not a complete dashboard definition, as it omits stanzas to highlight the example:
{
    "title": "AI Adoption at Buttercup Enterprises",
    ...
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showLastUpdated": true
            },
            "splunk.singlevalue": {
                "showLastUpdated": false
            }
        }
    },
    "visualizations": {
        "viz_aeitXBL7": {
            "options": {
                "markdown": "### AI Adoption Overview\nTracks high level usage by active users (used an AI model at least once) and engaged users (higher usage). Tracks usage by team, with the ability to split model usage by popular use cases. "
            },
            "type": "splunk.markdown"
        },
        "viz_cUFo30qJ": {
            "dataSources": {
                "primary": "ds_2egZsakq"
            },
            "options": {
                "backgroundColor": "#ffffff",
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName(\"$model_1$\")",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_1$ acceptance ratio",
            "type": "splunk.singlevalue"
        },
        "viz_fEJFjBK9": {
            "dataSources": {
                "primary": "ds_ZaoUFXR3"
            },
            "title": "$model_2$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_hKK7JIUo": {
            "dataSources": {
                "primary": "ds_IWqThW5A"
            },
            "eventHandlers": [
                {
                    "options": {
                        "newTab": true,
                        "type": "auto"
                    },
                    "type": "drilldown.linkToSearch"
                }
            ],
            "options": {
                "majorValue": "> sparklineValues | lastPoint()",
                "sparklineDisplay": "off",
                "sparklineValues": "> primary | seriesByName('$model_2$')",
                "trendDisplay": "off",
                "trendValue": "> sparklineValues | delta(-2)",
                "unit": "%"
            },
            "title": "$model_2$ acceptance ratio",
            "type": "splunk.singlevalue",
            "showLastUpdated": true
        },
        "viz_jZYfH86x": {
            "dataSources": {
                "primary": "ds_1KfEDBSo"
            },
            "options": {
                "backgroundColor": "#ffffff"
            },
            "title": "$model_1$ Usage by teams",
            "type": "splunk.pie"
        },
        "viz_l7rwG61Q": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24
            },
            "title": "Active users",
            "type": "splunk.singlevalue"
        },
        "viz_sJjJhflO": {
            "context": {
                "trendColorEditorConfig": [
                    {
                        "to": 0,
                        "value": "#7B56DB"
                    },
                    {
                        "from": 0,
                        "value": "#009CEB"
                    }
                ]
            },
            "cornerRadius": [
                8,
                8,
                8,
                8
            ],
            "dataSources": {
                "primary": "ds_sORfOmga"
            },
            "options": {
                "majorFontSize": 48,
                "majorValue": "> sparklineValues | lastPoint()",
                "showSparklineAreaGraph": true,
                "sparklineStrokeColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "sparklineValues": "> primary | seriesByName('engaged_users')",
                "trendColor": "> trendValue | rangeValue(trendColorEditorConfig)",
                "trendFontSize": 24,
                "trendValue": "> sparklineValues | delta(-2)"
            },
            "title": "Engaged users",
            "type": "splunk.singlevalue"
        }
    },
    ...
}

Dashboard definition example with data source defaults and overrides

The following example shows a dashboard with 2 data sources. One data source has a refresh time set at the component level, which overrides the refresh time set in the defaults stanza. The other data source defaults to the global default refresh rate setting.

The complete definition follows. You can copy and paste the code into your own instance to see the data at work.

{
    "title": "Dashboard Defaults Example",
    "description": "",
    "inputs": {},
    "defaults": {
        "dataSources": {
            "global": {
                "options": {
                    "queryParameters": {
                        "earliest": "-4h@m"
                    },
                    "refresh": "3s"
                }
            }
        }
    },
    "visualizations": {
        "viz_SLVQrcIj": {
            "dataSources": {
                "primary": "ds_ynckpPQp_ds_PXwQLKU6"
            },
            "description": "from defaults",
            "options": {},
            "title": "refresh=\"3s\"",
            "type": "splunk.singlevalue"
        },
        "viz_jNoJyUkt": {
            "dataSources": {
                "primary": "ds_PXwQLKU6"
            },
            "description": "from component",
            "options": {},
            "title": "refresh=\"10s\"",
            "type": "splunk.singlevalue"
        }
    },
    "dataSources": {
        "ds_PXwQLKU6": {
            "name": "Search_1",
            "options": {
                "query": "index=_internal \n|  stats count",
                "refresh": "10s"
            },
            "type": "ds.search"
        },
        "ds_ynckpPQp_ds_PXwQLKU6": {
            "name": "Copy of Search_1",
            "options": {
                "query": "index=_internal \n|  stats count"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "layoutDefinitions": {
            "layout_1": {
                "structure": [
                    {
                        "item": "viz_jNoJyUkt",
                        "position": {
                            "h": 150,
                            "w": 150,
                            "x": 490,
                            "y": 50
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_SLVQrcIj",
                        "position": {
                            "h": 150,
                            "w": 160,
                            "x": 680,
                            "y": 50
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}
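
The precedence rule described above, applied to both the showLastUpdated walkthrough and the refresh example, as an added Python sketch that is not part of the Splunk documentation or product code. It assumes precedence is evaluated per option path (the page does not say how nested options merge); the sample definition is constructed by trimming the page's examples, and resolve and effective are hypothetical helper names.

```python
import json

# Constructed sample: trimmed from the page's examples (showLastUpdated on
# visualizations, refresh on data sources) and combined into one definition.
DEFINITION = json.loads("""
{
  "defaults": {
    "dataSources": {
      "global": {
        "options": {"queryParameters": {"earliest": "-4h@m"}, "refresh": "3s"}
      }
    },
    "visualizations": {
      "global": {"showLastUpdated": true},
      "splunk.singlevalue": {"showLastUpdated": false}
    }
  },
  "visualizations": {
    "viz_hKK7JIUo": {"type": "splunk.singlevalue", "showLastUpdated": true},
    "viz_l7rwG61Q": {"type": "splunk.singlevalue"},
    "viz_jZYfH86x": {"type": "splunk.pie"}
  },
  "dataSources": {
    "ds_PXwQLKU6": {
      "type": "ds.search",
      "options": {"query": "index=_internal | stats count", "refresh": "10s"}
    },
    "ds_ynckpPQp_ds_PXwQLKU6": {
      "type": "ds.search",
      "options": {"query": "index=_internal | stats count"}
    }
  }
}
""")

# Sentinel so that an explicit false/null value is still treated as "defined".
_MISSING = object()


def _lookup(node, path):
    """Walk a tuple of keys through nested dicts; return _MISSING if absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def resolve(definition, kind, component_id, path):
    """Return (value, level) for one option of one component.

    kind is "visualizations" or "dataSources"; path is a tuple of keys such as
    ("showLastUpdated",) or ("options", "refresh"). Levels are checked from
    most specific to least specific: component, component type, global.
    """
    component = definition[kind][component_id]
    defaults = definition.get("defaults", {}).get(kind, {})
    levels = [
        ("component", component),
        ("type:" + component["type"], defaults.get(component["type"], {})),
        ("global", defaults.get("global", {})),
    ]
    for level, node in levels:
        value = _lookup(node, path)
        if value is not _MISSING:
            return value, level
    return None, "unset"


def effective(definition, kind, path):
    """Resolve one option for every component of the given kind."""
    return {cid: resolve(definition, kind, cid, path) for cid in definition[kind]}


if __name__ == "__main__":
    for cid, (value, level) in effective(
        DEFINITION, "visualizations", ("showLastUpdated",)
    ).items():
        print(f"{cid}: showLastUpdated={value} (from {level})")
    for cid, (value, level) in effective(
        DEFINITION, "dataSources", ("options", "refresh")
    ).items():
        print(f"{cid}: refresh={value} (from {level})")
```

Running the same resolution over an exported definition shows which level each effective value comes from, which is useful when a short global refresh ends up applying to every search on a dashboard.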

Dashboard definition example with visualization defaults and overrides for dynamic options

The following example shows a dashboard with 3 tables: Network Connection Attempts Log, VPN User Session Log, and Firewall Policy Enforcement Log. A component type default is set for tables to apply dynamic coloring for values in the Result column: green for Allowed and red for Blocked. The Firewall Policy Enforcement Log table has component-level dynamic coloring configured for the Result column: orange for Allowed and yellow for Blocked, which overrides the default. The other tables default to the component type default dynamic color setting.

Note that when configuring defaults for dynamic options, you must also include the context sub-stanza in the defaults stanza as well as the options sub-stanza.

The complete definition follows. You can copy and paste the code into your own instance to see the data at work.

{
    "title": "Network Traffic",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        },
        "visualizations": {
            "global": {
                "showProgressBar": true
            },
            "splunk.table": {
                "context": {
                    "ResultRowBackgroundColorsEditorConfig": [
                        {
                            "match": "Allowed",
                            "value": "#008000"
                        },
                        {
                            "match": "Blocked",
                            "value": "#FF0000"
                        }
                    ],
                    "ResultRowColorsEditorConfig": [
                        "#3c444d"
                    ]
                },
                "options": {
                    "columnFormat": {
                        "Result": {
                            "align": "auto",
                            "data": "> table | seriesByName(\"Result\") | formatByType(ResultColumnFormatEditorConfig)",
                            "headerAlign": "auto",
                            "rowBackgroundColors": "> table | seriesByName(\"Result\") | matchValue(ResultRowBackgroundColorsEditorConfig)",
                            "rowColors": "> table | seriesByName('Result') | pick(ResultRowColorsEditorConfig)",
                            "textOverflow": "break-word"
                        }
                    },
                    "tableFormat": {
                        "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
                    }
                }
            }
        }
    },
    "visualizations": {
        "viz_GKnrWbXM": {
            "context": {
                "ResultColumnFormatEditorConfig": {
                    "string": {
                        "unitPosition": "after"
                    }
                },
                "ResultRowBackgroundColorsEditorConfig": [
                    {
                        "match": "Allowed",
                        "value": "#FFA500"
                    },
                    {
                        "match": "Blocked",
                        "value": "#ffdd33"
                    }
                ],
                "ResultRowColorsEditorConfig": [
                    "#3c444d"
                ]
            },
            "dataSources": {
                "primary": "ds_oO82Dkp7"
            },
            "options": {
                "columnFormat": {
                    "Result": {
                        "align": "auto",
                        "data": "> table | seriesByName(\"Result\") | formatByType(ResultColumnFormatEditorConfig)",
                        "headerAlign": "auto",
                        "rowBackgroundColors": "> table | seriesByName(\"Result\") | matchValue(ResultRowBackgroundColorsEditorConfig)",
                        "rowColors": "> table | seriesByName('Result') | pick(ResultRowColorsEditorConfig)",
                        "textOverflow": "break-word"
                    }
                }
            },
            "title": "Firewall Policy Enforcement Log",
            "type": "splunk.table"
        },
        "viz_K9ZIBWXa": {
            "dataSources": {
                "primary": "ds_79gKtbrB"
            },
            "title": "VPN User Session Log",
            "type": "splunk.table"
        },
        "viz_tJrY10th": {
            "dataSources": {
                "primary": "ds_xC3W66iw"
            },
            "title": "Network Connection Attempts Log",
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_79gKtbrB": {
            "name": "Search_3",
            "options": {
                "query": "| makeresults count=8\n| streamstats count as row_num\n| eval Timestamp = case(\n    row_num=1, \"2025-10-30 11:00:10 UTC\",\n    row_num=2, \"2025-10-30 11:01:05 UTC\",\n    row_num=3, \"2025-10-30 11:02:30 UTC\",\n    row_num=4, \"2025-10-30 11:03:15 UTC\",\n    row_num=5, \"2025-10-30 11:04:00 UTC\",\n    row_num=6, \"2025-10-30 11:05:20 UTC\",\n    row_num=7, \"2025-10-30 11:06:10 UTC\",\n    row_num=8, \"2025-10-30 11:07:00 UTC\"\n)\n| eval Username = case(\n    row_num=1, \"akhan\",\n    row_num=2, \"cgarcia\",\n    row_num=3, \"mlin\",\n    row_num=4, \"dschmidt\",\n    row_num=5, \"psharma\",\n    row_num=6, \"jwilliams\",\n    row_num=7, \"srossi\",\n    row_num=8, \"ktanaka\"\n)\n| eval Source_IP = case(\n    row_num=1, \"72.21.99.1\",\n    row_num=2, \"104.16.2.3\",\n    row_num=3, \"198.51.100.10\",\n    row_num=4, \"72.21.99.1\",\n    row_num=5, \"203.0.113.25\",\n    row_num=6, \"104.16.2.3\",\n    row_num=7, \"198.51.100.10\",\n    row_num=8, \"1.2.3.4\"\n)\n| eval VPN_Gateway = case(\n    row_num=1, \"vpn-us-east-01\",\n    row_num=2, \"vpn-us-west-02\",\n    row_num=3, \"vpn-us-east-01\",\n    row_num=4, \"vpn-us-east-01\",\n    row_num=5, \"vpn-us-west-02\",\n    row_num=6, \"vpn-us-west-02\",\n    row_num=7, \"vpn-us-east-01\",\n    row_num=8, \"vpn-us-east-01\"\n)\n| eval Connection_Duration_min = case(\n    row_num=1, 60,\n    row_num=2, 120,\n    row_num=3, 45,\n    row_num=4, 0,\n    row_num=5, 90,\n    row_num=6, 0,\n    row_num=7, 30,\n    row_num=8, 0\n)\n| eval Data_Transferred_MB = case(\n    row_num=1, 500,\n    row_num=2, 1200,\n    row_num=3, 300,\n    row_num=4, 0,\n    row_num=5, 800,\n    row_num=6, 0,\n    row_num=7, 200,\n    row_num=8, 0\n)\n| eval Authentication_Method = case(\n    row_num=1, \"MFA\",\n    row_num=2, \"MFA\",\n    row_num=3, \"MFA\",\n    row_num=4, \"Password\",\n    row_num=5, \"MFA\",\n    row_num=6, \"Password\",\n    row_num=7, \"MFA\",\n    row_num=8, \"Password\"\n)\n| eval Result = case(\n    row_num=1, \"Allowed\",\n    row_num=2, \"Allowed\",\n    row_num=3, \"Allowed\",\n    row_num=4, \"Blocked\",\n    row_num=5, \"Allowed\",\n    row_num=6, \"Blocked\",\n    row_num=7, \"Allowed\",\n    row_num=8, \"Blocked\"\n)\n| table Timestamp, Username, Source_IP, VPN_Gateway, Connection_Duration_min, Data_Transferred_MB, Result, Authentication_Method"
            },
            "type": "ds.search"
        },
        "ds_oO82Dkp7": {
            "name": "Search_1",
            "options": {
                "query": "| makeresults count=7\n| streamstats count as row_num\n| eval Timestamp = case(\n    row_num=1, \"2025-10-30 10:15:03 UTC\",\n    row_num=2, \"2025-10-30 10:15:25 UTC\",\n    row_num=3, \"2025-10-30 10:16:10 UTC\",\n    row_num=4, \"2025-10-30 10:16:55 UTC\",\n    row_num=5, \"2025-10-30 10:17:30 UTC\",\n    row_num=6, \"2025-10-30 10:18:01 UTC\",\n    row_num=7, \"2025-10-30 10:18:40 UTC\"\n)\n| eval Source_IP = case(\n    row_num=1, \"172.16.0.10\",\n    row_num=2, \"203.0.113.5\",\n    row_num=3, \"192.168.1.200\",\n    row_num=4, \"10.0.0.50\",\n    row_num=5, \"192.168.2.5\",\n    row_num=6, \"203.0.113.8\",\n    row_num=7, \"172.16.0.10\"\n)\n| eval Destination_IP = case(\n    row_num=1, \"10.0.0.20\",\n    row_num=2, \"192.168.1.100\",\n    row_num=3, \"10.0.0.30\",\n    row_num=4, \"172.16.0.15\",\n    row_num=5, \"10.0.0.25\",\n    row_num=6, \"192.168.1.150\",\n    row_num=7, \"10.0.0.20\"\n)\n| eval Policy_Name = case(\n    row_num=1, \"Internal_Access_Policy\",\n    row_num=2, \"External_Inbound_Rules\",\n    row_num=3, \"Server_Zone_Policy\",\n    row_num=4, \"Data_Exfiltration_Prev\",\n    row_num=5, \"Guest_Network_Policy\",\n    row_num=6, \"Threat_Intelligence\",\n    row_num=7, \"Internal_Access_Policy\"\n)\n| eval Rule_ID = case(\n    row_num=1, \"FW-001\",\n    row_num=2, \"FW-007\",\n    row_num=3, \"FW-003\",\n    row_num=4, \"FW-012\",\n    row_num=5, \"FW-005\",\n    row_num=6, \"FW-015\",\n    row_num=7, \"FW-001\"\n)\n| eval Result = case(\n    row_num=1, \"Allowed\",\n    row_num=2, \"Blocked\",\n    row_num=3, \"Allowed\",\n    row_num=4, \"Blocked\",\n    row_num=5, \"Allowed\",\n    row_num=6, \"Blocked\",\n    row_num=7, \"Allowed\"\n)\n| eval Threat_Category = case(\n    row_num=1, \"N/A\",\n    row_num=2, \"Port Scan\",\n    row_num=3, \"N/A\",\n    row_num=4, \"Unauthorized Data Transfer\",\n    row_num=5, \"N/A\",\n    row_num=6, \"Known Malicious IP\",\n    row_num=7, \"N/A\"\n)\n| table Timestamp, Source_IP, Destination_IP, Policy_Name, Rule_ID, Result, Threat_Category"
            },
            "type": "ds.search"
        },
        "ds_xC3W66iw": {
            "name": "Search_2",
            "options": {
                "query": "| makeresults count=7\n| streamstats count as row_num\n| eval Timestamp = case(\n    row_num=1, \"2025-10-30 10:05:12 UTC\",\n    row_num=2, \"2025-10-30 10:05:30 UTC\",\n    row_num=3, \"2025-10-30 10:06:01 UTC\",\n    row_num=4, \"2025-10-30 10:06:45 UTC\",\n    row_num=5, \"2025-10-30 10:07:18 UTC\",\n    row_num=6, \"2025-10-30 10:08:05 UTC\",\n    row_num=7, \"2025-10-30 10:08:50 UTC\"\n)\n| eval Source_IP = case(\n    row_num=1, \"192.168.1.10\",\n    row_num=2, \"172.16.0.25\",\n    row_num=3, \"192.168.1.15\",\n    row_num=4, \"203.0.113.12\",\n    row_num=5, \"192.168.2.30\",\n    row_num=6, \"10.0.0.20\",\n    row_num=7, \"192.168.1.10\"\n)\n| eval Destination_IP = case(\n    row_num=1, \"10.0.0.5\",\n    row_num=2, \"192.168.1.100\",\n    row_num=3, \"10.0.0.10\",\n    row_num=4, \"192.168.1.50\",\n    row_num=5, \"10.0.0.15\",\n    row_num=6, \"192.168.1.20\",\n    row_num=7, \"10.0.0.5\"\n)\n| eval Port = case(\n    row_num=1, 443,\n    row_num=2, 22,\n    row_num=3, 80,\n    row_num=4, 3389,\n    row_num=5, 53,\n    row_num=6, 21,\n    row_num=7, 443\n)\n| eval Protocol = case(\n    row_num=1, \"TCP\",\n    row_num=2, \"TCP\",\n    row_num=3, \"TCP\",\n    row_num=4, \"TCP\",\n    row_num=5, \"UDP\",\n    row_num=6, \"TCP\",\n    row_num=7, \"TCP\"\n)\n| eval User_Agent = case(\n    row_num=1, \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\n    row_num=2, \"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\",\n    row_num=3, \"Chrome/107.0.0.0 Safari/537.36\",\n    row_num=4, \"-\",\n    row_num=5, \"-\",\n    row_num=6, \"FileZilla/3.60.2\",\n    row_num=7, \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"\n)\n| eval Result = case(\n    row_num=1, \"Allowed\",\n    row_num=2, \"Blocked\",\n    row_num=3, \"Allowed\",\n    row_num=4, \"Blocked\",\n    row_num=5, \"Allowed\",\n    row_num=6, \"Blocked\",\n    row_num=7, \"Allowed\"\n)\n| table Timestamp, Source_IP, Destination_IP, Port, Protocol, User_Agent, Result"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_tJrY10th",
                        "position": {
                            "h": 340,
                            "w": 680,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_GKnrWbXM",
                        "position": {
                            "h": 300,
                            "w": 1380,
                            "x": 20,
                            "y": 370
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_K9ZIBWXa",
                        "position": {
                            "h": 340,
                            "w": 680,
                            "x": 720,
                            "y": 20
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "options": {},
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}