# Saved-search stanzas in Splunk savedsearches.conf layout (inferred from the
# attribute names used: dispatch.*, cron_schedule, enableSched, action.summary_index).
# One [stanza] per saved search; '#' starts a full-line comment; a trailing '\'
# continues a value onto the next line (used once, in the last stanza).
# Every stanza in this file carries disabled = 1, so nothing here runs or fires
# until it is enabled by another configuration layer (presumably a local
# override; confirm before relying on any of the alerts below).
# Values in backticks (`os_index`, the `*_sourcetype` macros, the
# `_unix_alert_threshold_*` macros) are search macros defined elsewhere; their
# definitions are not visible in this file.
# Time window convention: dispatch.earliest_time / dispatch.latest_time are
# relative modifiers (-1h@h = one hour back, snapped to the hour; +0s = now).

###############################################
# CPU Searches
###############################################

### - multiple host commands ( mostly using macros )

# Host-wide CPU charts; each delegates to a macro that takes a host pattern (*).

[Percent CPU by Host (UNIX - CPU)]
disabled = 1
search = `Percent_CPU_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting

[Percent Load by Host (UNIX - CPU)]
disabled = 1
search = `Percent_Load_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting

[Top 5 CPU Processes by Host (UNIX - CPU)]
disabled = 1
search = `Top_5_CPU_Processes_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Number of Threads by Host (UNIX - CPU)]
disabled = 1
search = `Number_Threads_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Number of Processes by Host (UNIX - CPU)]
disabled = 1
search = `Number_Processes_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
dispatch.ttl = 3600

### - Single Host Commands ( mostly using macros )

# relation = None appears on these non-alert stanzas; it is not one of the
# comparison values used by the alerts further down and presumably acts as a
# placeholder — confirm it is ignored by the consuming Splunk version.

[CPU Usage by Command (UNIX - CPU)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None
request.ui_dispatch_view = charting
search = `CPU_Usage_by_Command_for_Host(*)`

[CPU Usage by User (UNIX - CPU)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None
request.ui_dispatch_view = charting
search = `CPU_Usage_by_User_for_Host(*)`

[Usage by State (UNIX - CPU)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None
search = `CPU_Usage_by_State_for_Host(*)`
# saved view-state id; the same id is referenced by the next stanza
vsid = *:fvkaa7ab

[Top CPU Processes for Host (UNIX - CPU)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None
search = `Top_CPU_Processes_for_Host(*)`
vsid = *:fvkaa7ab

#--- Old Searches

# These pre-macro searches filter on the literal source=ps / source=lsof
# instead of the `ps_sourcetype` / `lsof_sourcetype` macros used elsewhere,
# and parse the tabular output with multikv.

[Consumption by User Last Hour (UNIX - CPU)]
disabled = 1
search = `os_index` source=ps | multikv | timechart avg(pctCPU) by USER useother=F limit=10
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Top Users by Consumption Last Hour (UNIX - CPU)]
disabled = 1
search = `os_index` source=ps | multikv | timechart sum(CPUTIME) by USER where sum > 0
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

# Counts executables mapped as text segments (FD=txt TYPE=REG), excluding the
# collector scripts themselves (lsof, iostat, sar, awk, tee) so they do not
# dominate the chart.
[10 Most Popular Executables Last Hour (UNIX - CPU)]
disabled = 1
search = `os_index` source=lsof | multikv | search FD=txt TYPE=REG AND NOT (COMMAND=lsof OR COMMAND=lsof.sh OR COMMAND=iostat OR COMMAND=iostat.sh OR COMMAND=sar OR COMMAND=awk OR COMMAND=tee) | timechart count by COMMAND useother=F limit=10
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

##########################################################
## Memory Searches
##########################################################

[Mem Usage for Host (UNIX - MEM)]
disabled = 1
search = `Mem_Usage_for_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting

[Mem Usage by Command for Host (UNIX - MEM)]
disabled = 1
search = `Mem_Usage_by_Command_for_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting

[Top Mem Usage Commands for Host (UNIX - MEM)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
search = `Top_Mem_Command_for_Host(*)`

# NOTE(review): the stanza name says "Resident Memory" but the macro is named
# Top_Users_of_VM_for_Host; confirm which metric the macro actually reports.
[Top 10 Users by Resident Memory Last Hour (UNIX - MEM)]
disabled = 1
search = `Top_Users_of_VM_for_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

# NOTE(review): passes 1 to the macro where every sibling stanza passes *;
# confirm what the macro's argument means before enabling.
[Mem Usage by host]
disabled = 1
search = `Percent_MEM_by_Host(1)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Top Commands by Memory and Host (UNIX - MEM)]
disabled = 1
search = `Top_Mem_Processes_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Physical Memory by Host (UNIX - MEM)]
disabled = 1
search = `Memory_Hardware_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Top_Memory_Users_by_Command_by_Host]
disabled = 1
search = `Top_Memory_Users_by_Command_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

#############################
## Disk Saved Searches
#############################

[Percent Disk Used by Volume and Host (UNIX - Disk)]
disabled = 1
search = `Disk_Used_Pct_by_Host(*)`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Files Opened by Command (UNIX - Disk)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -15m@m
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
request.ui_dispatch_view = charting
search = `Open_Files_by_Command_and_Host(*)`

[Files Opened by Type (UNIX - Disk)]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -15m@m
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
request.ui_dispatch_view = charting
search = `Open_Files_by_Type_and_Host(*)`

#############################
## Sources
############################

# One raw-event search per collector sourcetype (no transforms); the window
# varies per source: 30m for lsof, 1h for frequently sampled sources, 1d for
# slow-changing inventory (hardware, iostat, time, df, who, login privs, package).

[vmstat]
disabled = 1
search = `os_index` `memory_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[ps]
disabled = 1
search = `os_index` `ps_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[top]
disabled = 1
search = `os_index` `top_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[hardware]
disabled = 1
search = `os_index` `hardware_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[iostat]
disabled = 1
search = `os_index` `iostat_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[netstat]
disabled = 1
search = `os_index` `netstat_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[protocol]
disabled = 1
search = `os_index` `protocol_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[openPorts]
disabled = 1
search = `os_index` `open_ports_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[time]
disabled = 1
search = `os_index` `time_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[lsof]
disabled = 1
search = `os_index` `lsof_sourcetype`
dispatch.earliest_time = -30m@m
dispatch.latest_time = +0s
dispatch.ttl = 3600

[df]
disabled = 1
search = `os_index` `df_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[who]
disabled = 1
search = `os_index` `who_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[usersWithLoginPrivs]
disabled = 1
search = `os_index` `users_with_login_privs_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[lastlog]
disabled = 1
search = `os_index` `lastlog_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[interfaces]
disabled = 1
search = `os_index` `interfaces_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[cpu]
disabled = 1
search = `os_index` `cpu_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[rlog]
disabled = 1
search = `os_index` `rlog_sourcetype`
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[package]
disabled = 1
search = `os_index` `package_sourcetype`
dispatch.earliest_time = -1d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

#############################################
## User Searches
#############################################

# Account-audit searches: sessions over 7 days, then failed logins and
# account/group/password/su events over 30 days. The `user_add`, `user_del`,
# `group_add`, `group_del`, `password_change`, `password_change_failed` and
# `su_failed` macros that select those events are defined outside this file.

[User Sessions]
disabled = 1
search = `User_Sessions_by_Host(*)`
dispatch.earliest_time = -7d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Failed Logins]
disabled = 1
search = `Failed_Logins_by_Host(*)`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[User Add]
disabled = 1
search = `os_index` `user_add`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[User Delete]
disabled = 1
search = `os_index` `user_del`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Group Add]
disabled = 1
search = `os_index` `group_add`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Group Delete]
disabled = 1
search = `os_index` `group_del`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Password Change]
disabled = 1
search = `os_index` `password_change`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Password Change Failed]
disabled = 1
search = `os_index` `password_change_failed`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Failed Attempts at SU]
disabled = 1
search = `os_index` `su_failed`
dispatch.earliest_time = -30d@d
dispatch.latest_time = +0s
dispatch.ttl = 3600

#############################################
## Network Searches
#############################################

[Thruput by Interface and Host (UNIX - NET)]
disabled = 1
search = `Thruput_by_Interface_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Frequently Opened Ports (UNIX - NET)]
disabled = 1
search = `Frequently_Open_Ports_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Top Inet Addresses by Host (UNIX - NET)]
disabled = 1
search = `Top_Inet_Addresses_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Open Ports (UNIX - NET)]
disabled = 1
search = `Open_Ports_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Addresses Connected To (UNIX - NET)]
disabled = 1
search = `Addresses_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Sockets by State (UNIX - NET)]
disabled = 1
search = `Sockets_by_State_by_Host(*)`
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

#------ old searches

# Memory searches kept under the network heading; they use the sourcetype
# macros rather than the newer per-host macros above.

[Top 10 Users by Virtual Memory Last Hour (UNIX - MEM)]
disabled = 1
search = `os_index` `ps_sourcetype` | timechart avg(VSZ_KB) by USER useother=F limit=10
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Virtual Memory Subsystem Stats (UNIX - MEM)]
disabled = 1
search = `os_index` `memory_sourcetype` | fields + total_memory,used_memory,active_memory,inactive_memory,free_memory,buffer_memory,swap_cache,total_swap,used_swap,free_swap,pages_paged_in,pages_paged_out,pages_swapped_in,pages_swapped_out
action.email.sendresults = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Memory Usage over Last 3 Hours (UNIX - MEM)]
disabled = 1
search = `os_index` `memory_sourcetype` | timechart avg(memUsedPct) avg(memFreePct) | rename avg(memUsedPct) as "Used Mem", avg(memFreePct) as Free_Mem
action.email.sendresults = 0
dispatch.earliest_time = -3h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

# Sums per-process memory per sample (by COMMAND, _time) before averaging, so a
# command with many processes is counted once per interval.
[Avg Resident Memory by Process Last 3 Hours (UNIX - MEM)]
disabled = 1
search = `os_index` `ps_sourcetype` | stats sum(RSZ_KB) as total_mem by COMMAND, _time | timechart avg(total_mem) by COMMAND
action.email.sendresults = 0
dispatch.earliest_time = -3h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

[Avg Virtual Memory by Process Last 3 Hours (UNIX - MEM)]
disabled = 1
search = `os_index` `ps_sourcetype` | stats sum(VSZ_KB) as total_mem by COMMAND, _time | timechart avg(total_mem) by COMMAND
action.email.sendresults = 0
dispatch.earliest_time = -3h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600
displayview = charting
relation = None

########################################################
## Package Saved Searches
#######################################################

# Latest inventory snapshot per host (dedup host keeps the most recent event).

[Latest Packages by Host]
disabled = 1
search = `os_index` `package_sourcetype` | dedup host
dispatch.earliest_time = -24h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

[Hardware Configurations by Host]
disabled = 1
search = `os_index` `hardware_sourcetype` | dedup host
dispatch.earliest_time = -24h@h
dispatch.latest_time = +0s
dispatch.ttl = 3600

#########################################################
## Utility Saved Searches
#########################################################

[UNIX - All Logs]
disabled = 1
search = | metadata type=sources `metadata_index` | typer | search eventtype=nix-all-logs
dispatch.earliest_time = -15m

# NOTE(review): unlike [UNIX - All Logs] this stanza sets no
# dispatch.earliest_time, so the metadata call is not bounded here — confirm
# that an all-time window is intended.
[UNIX - All Configs]
disabled = 1
search = | metadata type=sources `metadata_index` | typer | search eventtype=nix_configs

# Builds a source@host label (changelist) and charts event counts per label.
[UNIX - Timechart Errors Or Critical]
disabled = 1
search = `os_index` `unix_errors` | strcat source "@" host changelist | timechart count by changelist

[UNIX - Timechart Config Changes]
disabled = 1
search = `os_index` eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

##########################################################
## Alerts
##########################################################

# NOTE(review): this stanza uses older attribute names (schedule, userid, role,
# sendresults, action_rss) while the alerts further down use cron_schedule /
# alert.* / action.email.*; confirm the target Splunk version still honours
# the old spellings, otherwise the hourly schedule here is silently ignored.
# Trigger condition: number of events greater than 0, i.e. any match fires.
[Alert - syslog errors last hour]
disabled = 1
action_rss = 0
counttype = number of events
enableSched = 1
quantity = 0
relation = greater than
role = Admin
schedule = 0 * * * *
search = `syslog_sourcetype` `syslog_errors` | fields +_raw
sendresults = 1
userid = 1
dispatch.earliest_time = -1h
dispatch.latest_time = +0s

##########################################################
# Home Screen (and Home Fullscreen)
##########################################################

# Populate the home-screen selectors from the dropdowns.csv lookup.

[Dropdown Lookup - Dimension]
disabled = 1
search = |inputlookup dropdowns.csv | stats count by unix_category
action.email.sendresults = 0
dispatch.earliest_time = -15m
dispatch.latest_time = +0s
dispatch.ttl = 3600

# $unix_category$ is substituted by the calling view before dispatch and is
# placed in the pipeline as a bare search term; keep the token constrained to
# the unix_category values produced by the stanza above rather than free text.
[Dropdown Lookup - Group]
disabled = 1
search = |inputlookup dropdowns.csv | search $unix_category$ | stats count by unix_group
action.email.sendresults = 0
dispatch.earliest_time = -15m
dispatch.latest_time = +0s
dispatch.ttl = 3600

##########################################################
## Metrics
##########################################################

[Metrics Selectable Lookup]
disabled = 1
search = | inputlookup dropdowns.csv | stats values(host) as host by unix_category unix_group
action.email.sendresults = 0
dispatch.earliest_time = -15m
dispatch.latest_time = +0s
dispatch.ttl = 3600

##########################################################
## Old Searches
##########################################################

# Legacy dashboard panels; only dispatch.earliest_time is set, so
# dispatch.latest_time and dispatch.ttl fall back to defaults.

[UNIX - Perf - ps mem by cmd]
disabled = 1
search = `os_index` `ps_sourcetype` | timechart avg(RSZ_KB) by COMMAND
dispatch.earliest_time = -3h

[UNIX - Perf - cpu by cmd]
disabled = 1
search = `os_index` `top_sourcetype` | timechart avg(pctCPU) by COMMAND
dispatch.earliest_time = -15m

[UNIX - Perf - iostat blk rw sec]
disabled = 1
search = `os_index` `iostat_sourcetype` | timechart avg(rReq_PS) avg(wReq_PS)
dispatch.earliest_time = -60m

[UNIX - Perf - iostat blk wr sec by host]
disabled = 1
search = `os_index` `iostat_sourcetype` | timechart avg(wReq_PS) by host
dispatch.earliest_time = -60m

[UNIX - System - lsof open files by user]
disabled = 1
search = `os_index` `lsof_sourcetype` | timechart count(USER) by USER
dispatch.earliest_time = -60m

[UNIX - System - netstat count by proto]
disabled = 1
search = `os_index` `netstat_sourcetype` | multikv | timechart count(Proto) by Proto
dispatch.earliest_time = -60m

[UNIX - System - netstat count by type]
disabled = 1
search = `os_index` `netstat_sourcetype` | multikv | timechart count(Type) by Type
dispatch.earliest_time = -60m

[UNIX - Perf - ps cpu by command]
disabled = 1
search = `os_index` `ps_sourcetype` | timechart avg(pctCPU) by COMMAND
dispatch.earliest_time = -60m

[UNIX - Perf - ps rss mem by user]
disabled = 1
search = `os_index` `ps_sourcetype` | chart avg(RSZ_KB) by USER
dispatch.earliest_time = -60m

[UNIX - Perf - ps rss mem by command]
disabled = 1
search = `os_index` `ps_sourcetype` | timechart avg(RSZ_KB) by COMMAND
dispatch.earliest_time = -60m

[UNIX - Perf - top cpu by host]
disabled = 1
search = `os_index` `top_sourcetype` | timechart avg(pctCPU) by host
dispatch.earliest_time = -15m

[UNIX - Perf - top rss mem vs command]
disabled = 1
search = `os_index` `top_sourcetype` | timechart avg(RSZ_KB) by COMMAND
dispatch.earliest_time = -15m

[UNIX - System - vmstat free mem by host]
disabled = 1
search = `os_index` `memory_sourcetype` | timechart avg(memFreeMB) by host
dispatch.earliest_time = -15m

[UNIX - System - vmstat total mem by host]
disabled = 1
search = `os_index` `memory_sourcetype` | timechart avg(memTotalMB) by host
dispatch.earliest_time = -3h

# No time window is set on the two "realtime" stanzas below; the window is
# presumably supplied by the calling view — confirm before enabling them standalone.
[UNIX - Home - memory used by host realtime]
disabled = 1
search = `os_index` `memory_sourcetype` | stats latest(memUsedPct) as avg_memUsedPct by host

[UNIX - Home - cpu used by host realtime]
disabled = 1
search = `os_index` `cpu_sourcetype` | eval pctUsed = 100-pctIdle | stats median(pctUsed) by host

# Lists alert firings recorded in the audit index named by the macro.
# The effective window is dispatch.earliest_time = 0 (all time); the
# commented-out -24h@h below is the earlier value, kept for reference.
[alerts_fired]
action.email.reportServerEnabled = 0
alert.track = 0
disabled = 1
#dispatch.earliest_time = -24h@h
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = `cp-unix-dashboards-audit-index` action=alert_fired | table _time ss_name host alert_actions severity triggered_alerts triggered_time sid

# NOTE(review): once enabled this runs every 5 minutes. `| rest
# /services/search/jobs` enumerates search jobs with the stanza owner's REST
# permissions, keeps those whose sid appears in the audit index, and `| collect`
# writes them into the index named by the second macro — so the owner's role
# decides both what is visible and where it lands; keep that role narrowly
# scoped. The boolean spelling here (alert.digest_mode = False, alert.track = 0)
# differs from the True / 1 used by the threshold alerts below.
[fired_alerts]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = False
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */5 * * * *
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
search = | rest /services/search/jobs | search [search `cp-unix-dashboards-audit-index` action=alert_fired | fields sid] | collect `cp-unix-dashboards-firedalerts-index`

# Threshold alerts (this stanza through [IO_Utilization_Exceeds_Threshold]).
# All twelve share the same shape:
#   - cron_schedule */5 over a -5m@m..now window;
#   - the threshold value is read from an `_unix_alert_threshold_<name>` macro
#     nested inside the search macro's argument (defined outside this file);
#   - action.summary_index = 1 writes triggered results to the unix_summary
#     index tagged with marker unix_aggregated_alerts — that index must exist;
#   - alert.digest_mode = True: one alert per run, not one per result row.
# NOTE(review): quantity = 1 with relation = greater than means the alert fires
# only when MORE THAN ONE result row comes back; a single host or process over
# its threshold does not trigger. If one breach should alert, quantity = 0 (as in
# [Alert - syslog errors last hour]) is the intended setting — confirm.
# NOTE(review): alert.suppress.period = 1m is shorter than the 5-minute
# schedule, so suppression never spans two runs; if throttling of repeat
# firings is wanted the period needs to exceed the schedule interval.
# auto_summarize.dispatch.earliest_time is a report-acceleration setting;
# auto_summarize itself is not enabled in any stanza here.

[Memory_Exceeds_MB_by_Process]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Memory_Exceeds_MB_by_Process("`_unix_alert_threshold_Memory_Exceeds_MB_by_Process`")`

[Memory_Exceeds_Percent_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Memory_Exceeds_Percent_by_Host("`_unix_alert_threshold_Memory_Exceeds_Percent_by_Host`")`

[Memory_Exceeds_MB_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Memory_Exceeds_MB_by_Host("`_unix_alert_threshold_Memory_Exceeds_MB_by_Host`")`

[CPU_Exceeds_Percent_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `CPU_Exceeds_Percent_by_Host("`_unix_alert_threshold_CPU_Exceeds_Percent_by_Host`")`

[CPU_Under_Percent_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `CPU_Under_Percent_by_Host("`_unix_alert_threshold_CPU_Under_Percent_by_Host`")`

[Load_Exceeds_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Load_Exceeds_by_Host("`_unix_alert_threshold_Load_Exceeds_by_Host`")`

[Threads_Exceeds_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Threads_Exceeds_by_Host("`_unix_alert_threshold_Threads_Exceeds_by_Host`")`

[Processes_Exceeds_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Processes_Exceeds_by_Host("`_unix_alert_threshold_Processes_Exceeds_by_Host`")`

[Disk_Used_Exceeds_Percent_by_Host]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Disk_Used_Exceeds_Percent_by_Host("`_unix_alert_threshold_Disk_Used_Exceeds_Percent_by_Host`")`

[Open_Files_Exceeds_by_Process]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `Open_Files_Exceeds_by_Process("`_unix_alert_threshold_Open_Files_Exceeds_by_Process`")`

[IO_Wait_Exceeds_Threshold]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `IO_Wait_Exceeds_Threshold("`_unix_alert_threshold_IO_Wait_Exceeds_Threshold`")`

[IO_Utilization_Exceeds_Threshold]
action.summary_index = 1
action.summary_index.marker = unix_aggregated_alerts
action.summary_index._name = unix_summary
alert.digest_mode = True
alert.expires = 1d
alert.suppress = 1
alert.suppress.period = 1m
alert.track = 1
auto_summarize.dispatch.earliest_time = -5m@m
cron_schedule = */5 * * * *
counttype = number of events
disabled = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
quantity = 1
relation = greater than
search = `IO_Utilization_Exceeds_Threshold("`_unix_alert_threshold_IO_Utilization_Exceeds_Threshold`")`

##########################################################
## Dropdown Lookup Migrator
##########################################################

# One-shot seeder (run_on_startup = 1, run_n_times = 1, cron */2): when
# dropdowns.csv has no rows (stats count | where count=0) it appends a single
# default row host="*", unix_category="all_hosts", unix_group="default".
# The search value spans several lines via trailing-backslash continuation;
# the whole thing is one value, so keep the backslashes when editing.
[dropdowns_lookup_migrate]
disabled = 1
enableSched = 1
cron_schedule = */2 * * * *
description = This savedsearch is used to populate default data in dropdown lookup if the lookup is empty
dispatch.earliest_time = 0
dispatch.latest_time = now
run_on_startup = 1
run_n_times = 1
search = | inputlookup dropdowns.csv \
| stats count \
| where count=0 \
| eval host="*" \
| eval unix_category="all_hosts" \
| eval unix_group="default" \
| table host unix_category unix_group\
| outputlookup dropdowns.csv append=t