Cisco Networks Overview | `check_multi_tenancy` true | tstats values(nodename) AS nodename count FROM datamodel=Cisco_IOS_Event WHERE Cisco_IOS_Event.product IN ($product_selection$) Cisco_IOS_Event.index IN ($tenant_indexes$) BY host Cisco_IOS_Event.index | rename Cisco_IOS_Event.index AS index $earliest$ $latest$ | tstats count AS "Count of Event" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event) Cisco_IOS_Event.product IN ($product_selection$) Cisco_IOS_Event.index IN ($tenant_indexes$) groupby Cisco_IOS_Event.mnemonic prestats=true | stats dedup_splitvals=t count AS "Count of Event" by Cisco_IOS_Event.mnemonic | sort limit=0 -"Count of Event" | fields - _span | rename Cisco_IOS_Event.mnemonic AS mnemonic | fillnull "Count of Event" | fields mnemonic, "Count of Event" $earliest$ $latest$

Tenant tenant_name index | `get_tenants_for_user_role($env:user$)` * , All Product IOS WLC AP IOS , Time period -24h@h now

Switch to real-time mode search nodename=Cisco_IOS_Event | stats sum(count) Events | stats dc(host) Unique devices inventory_devices search nodename=Cisco_IOS_Event.Authentication.Device_Authentication | stats count Device logins auditing_dashboard search nodename=Cisco_IOS_Event.Configuration | stats count Config changes auditing_config_change_transactions search nodename=Cisco_IOS_Event.DOT1X_Event | stats sum(count) 802.1x events security_authentications | stats dc(index) Unique indexes | tstats count AS "Count of Event" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event) Cisco_IOS_Event.product IN ($product_selection$) Cisco_IOS_Event.index IN ($tenant_indexes$) groupby _time host prestats=true | eval host='host', _time='_time' | timechart dedup_splitvals=t limit=10 useother=f count AS "Count of Event" by host format=$$VAL$$:::$$AGG$$ | sort limit=0 _time | fields _time * linear linear Count of Event right ellipsisEnd stacked gaps 0.01 shiny visible visible area all 0 ellipsisNone 0 visible false inherit 50 10 area | tstats count(Cisco_IOS_Event.severity_id) AS "Count of severity_id" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event) Cisco_IOS_Event.product IN ($product_selection$) Cisco_IOS_Event.index IN ($tenant_indexes$) groupby Cisco_IOS_Event.severity_id_and_name, Cisco_IOS_Event.severity_id prestats=true | stats dedup_splitvals=t count(Cisco_IOS_Event.severity_id) AS "Count of severity_id" by Cisco_IOS_Event.severity_id_and_name, Cisco_IOS_Event.severity_id | sort limit=100 -"Count of severity_id" | fields - _span | rename Cisco_IOS_Event.severity_id_and_name AS severity_id_and_name Cisco_IOS_Event.severity_id AS severity_id | fillnull "Count of severity_id" | fields severity_id_and_name, severity_id, "Count of severity_id" | sort - severity_id | eval SN="" | xyseries SN severity_id_and_name "Count of severity_id" | rename SN AS "Severity name" | sort -"0 - emergency" -"1 - alert" -"2 - critical" -"3 - error" -"4 - warning" -"5 - notification" -"6 - informational" -"7 - debugging" | table "Severity name" "0 - emergency" "1 - alert" "2 - critical" "3 - error" "4 - warning" "5 - notification" "6 - informational" "7 - debugging" linear linear right ellipsisMiddle default gaps 0.01 shiny visible visible bar all 0 ellipsisNone 0 visible false inherit false 50 10 area | tstats count AS "Count of Event" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event) Cisco_IOS_Event.product IN ($product_selection$) Cisco_IOS_Event.index IN ($tenant_indexes$) Cisco_IOS_Event.mnemonic = "*" groupby _time Cisco_IOS_Event.mnemonic prestats=true | eval "Cisco_IOS_Event.mnemonic"='Cisco_IOS_Event.mnemonic', _time='_time' | timechart dedup_splitvals=t limit=10 useother=t count AS "Count of Event" by Cisco_IOS_Event.mnemonic format=$$VAL$$:::$$AGG$$ | sort limit=0 _time | fields _time * linear linear Count of Event right ellipsisMiddle stacked gaps 0.01 shiny visible visible area all 0 ellipsisNone 0 visible false inherit 50 10 area eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" product IN ($product_selection$) index IN ($tenant_indexes$) | stats count, latest(vendor_action) AS port_status, latest(src_interface_description) AS description BY host,src_interface | sort -count | table host,src_interface,port_status,description,count falsetruenonerow10 eventtype="cisco_ios-err_disable" product IN ($product_selection$) index IN ($tenant_indexes$) | `normalize-int(src_int_prefix_long,src_int_suffix,"src_interface")` | stats count(src_interface) AS Amount BY host,src_interface,disable_cause | rename src_interface AS Interface, disable_cause AS Cause truefalsenonecell eventtype="cisco_ios-diag" product IN ($product_selection$) index IN ($tenant_indexes$) | eval eventcode=facility + "-" + severity_id + "-" + mnemonic | stats count AS Count, latest(_time) AS _time, latest(severity_id) AS severity_id latest(message_text) AS message_text by host, eventcode | lookup cisco_ios_severity severity_id | sort +severity_id,-Count |table _time, host, eventcode, message_text, severity_id_and_name, Count | rename eventcode AS Event, message_text AS Message, severity_id_and_name AS Severity truefalsenonerow10 | head 10 1 linear linear none ellipsisMiddle default gaps 0.01 shiny visible visible bar all 0 | tail 10 1 linear linear none ellipsisMiddle default gaps 0.01 shiny visible visible bar all 0