Enable Features in Multiviewer
Please enable the Hunt and Stats->ES Indices, ES Tasks, ES Shards, and ES Recovery within the Multiviewer. We use the multiviewer as a unified interface for our SOC and it is missing these important features.
Team, any update on this issue? Blocker for community feedback from our team (VMW).
What is VMW?
The stats pages would probably be relatively easy to add; however, the hunts/shortcuts features would require a lot of work. Currently it isn't a top priority, and we are still deciding if we should be adding these features to multiviewer or instead building these types of features directly into the UI so you select the clusters you want to search against there.
While the missing Stats pages are mostly a convenience (we can see that data in Kibana monitoring), the Hunt feature is really needed by our SOC. We have a single multiviewer handling six clusters and right now the SOC is completely unable to use the Hunt feature because we don't expose the individual (non-multi) viewer instances to them.
PS: I think the layout of the current Hunt page would work in the Multiviewer if it just had one more option: Cluster.
Thanks for the response Andy.
I am with the SIRT at VMware (VMW). We're looking to see how we can operationalize this for some of our hunts and evaluate enrichment opportunities for our SOC t2 analysts.
Similar to Trevor, we have several clusters deployed... would be very useful to have an organic feature to a single pane of glass.
For Hunts, the issue is that the id is created unique to each cluster; we would need to change that. Plus lots of other stuff under the hood. Lookups has a similar issue.
If we did a multiviewer version of hunts we probably wouldn't add a pull down, since none of the other UI does that.
If we make viewer support multiple clusters, a much harder project, then we would
Still waiting on this valuable feature to be made available to our users.
5.0.0 should have all features in multiviewer except hunts and periodic queries. Making progress.