# Index scope shared by the search macros in this file.
#
# Event indexes read by the *_events macros and by the event branch of the
# *_mixed_mode macros.
# NOTE(review): Perfmon data written to any other index is invisible to these
# searches - confirm this list against the inputs actually deployed.
# NOTE(review): the definition is a bare OR with no enclosing parentheses. The CPU
# macros expand it inside parentheses; the other event searches in this file put a
# sourcetype filter directly after it. Re-check grouping whenever the list is edited.
[itsi-cp-windows-indexes]
definition = index = windows OR index = perfmon

# Metrics index read by every mstats-based macro in this file.
[itsi-cp-windows-metrics-indexes]
definition = index = itsi_im_metrics

############################### CPU ###############################
# All CPU variants emit the fields %_Idle_Time, Interrupts/sec and %_User_Time.
#
# Mixed mode: union of three sources -
#   1. mstats over sourcetype PerfmonMetrics:CPU ("Processor."-prefixed metric names)
#   2. mstats over sourcetype Perfmon:CPU (metric names with spaces)
#   3. event search over sourcetype Perfmon:CPU, taking each field from Value when
#      `counter` matches the counter name
# The two mstats branches aggregate by host in 30s spans; the event branch does no
# aggregation.
# NOTE(review): the stanza name itself warns of truncated results; presumably the
# bracketed union branches are subject to subsearch result limits - confirm before
# relying on this macro for KPIs or alerting.
[monitoring_windows_cpu_mixed_mode_TRUNCATED_RESULTS]
definition = union \
[|mstats latest("Processor.%_Idle_Time") AS %_Idle_Time, latest("Processor.Interrupts/sec") AS Interrupts/sec, latest("Processor.%_User_Time") AS %_User_Time WHERE `itsi-cp-windows-metrics-indexes` sourcetype="PerfmonMetrics:CPU" by host span=30s] \
[|mstats latest("% Idle Time") AS %_Idle_Time, latest("Interrupts/sec") AS Interrupts/sec, latest("% User Time") AS %_User_Time WHERE `itsi-cp-windows-metrics-indexes` sourcetype="Perfmon:CPU" by host span=30s] \
[search (`itsi-cp-windows-indexes`)(sourcetype="Perfmon:CPU" ) | eval %_Idle_Time = case( match (counter, "% Idle Time"), Value) , Interrupts/sec = case(match (counter, "Interrupts/sec"), Value) , %_User_Time = case(match (counter, "% User Time"), Value)]
iseval = 0

# Metrics-index source with "Processor."-prefixed metric names (PerfmonMetrics:CPU).
# The definition starts at `mstats` with no leading pipe.
[monitoring_windows_cpu_recommended]
definition = mstats latest("Processor.%_Idle_Time") AS %_Idle_Time, latest("Processor.Interrupts/sec") AS Interrupts/sec, latest("Processor.%_User_Time") AS %_User_Time WHERE `itsi-cp-windows-metrics-indexes` sourcetype="PerfmonMetrics:CPU" by host span=30s
iseval = 0

# Event-index source: each output field is set from Value only on events whose
# `counter` matches that counter name, and is left null on all other events.
[monitoring_windows_cpu_events]
definition = search (`itsi-cp-windows-indexes`)(sourcetype="Perfmon:CPU" ) | eval %_Idle_Time = case( match (counter, "% Idle Time"), Value) , Interrupts/sec = case(match (counter, "Interrupts/sec"), Value) , %_User_Time = case(match (counter, "% User Time"), Value)
iseval = 0

# Metrics-index source using the space-separated metric names under sourcetype
# Perfmon:CPU.
[monitoring_windows_cpu_deprecated]
definition = mstats latest("% Idle Time") AS %_Idle_Time, latest("Interrupts/sec") AS Interrupts/sec, latest("% User Time") AS %_User_Time WHERE `itsi-cp-windows-metrics-indexes` sourcetype="Perfmon:CPU" by host span=30s
iseval = 0

# Indirection that currently expands to the *_recommended variant.
# NOTE(review): presumably the one macro callers reference, so the data source can
# be switched here - confirm against the searches that use it.
[monitoring_windows_cpu_wrapper]
definition = `monitoring_windows_cpu_recommended`
iseval = 0
############################### Logical Disk ###############################
# All logical-disk variants drop instances _Total and Harddisk*.
# Fields produced by the mstats variants (per host and instance, 30s spans):
#   FreePct-{instance} / FreeMB-{instance}  latest free space, field name built
#                                           from the instance value
#   FreePct-Other / FreeMB-Other            minimum free space, null when the
#                                           instance matches "C:" or "D:"
#   latency                                 max Avg. Disk sec/Transfer multiplied
#                                           by 1000
#
# Mixed mode: union of the PerfmonMetrics mstats, the Perfmon mstats and the event
# search.
# NOTE(review): the stanza name itself warns of truncated results; presumably the
# bracketed union branches are subject to subsearch result limits - confirm before
# relying on this macro for KPIs or alerting.
# NOTE(review): the event branch reads `storage_free_percent`, which is not created
# in this definition, and it produces no latency field - confirm the field is
# extracted elsewhere, otherwise FreePct-Other stays null for event data.
[monitoring_windows_logicaldisk_mixed_mode_TRUNCATED_RESULTS]
definition = union \
[| mstats latest(LogicalDisk.Free_Megabytes) AS L_Free_Megabytes, latest(LogicalDisk.%_Free_Space) As l_storage_free_percent, min(LogicalDisk.Free_Megabytes) AS M_Free_Megabytes, min(LogicalDisk.%_Free_Space) As m_storage_free_percent, max(LogicalDisk.Avg._Disk_sec/Transfer) AS latency WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:LogicalDisk instance!=_Total instance!=Harddisk* by host,instance span=30s | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),m_storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),M_Free_Megabytes), FreePct-{instance}=l_storage_free_percent,FreeMB-{instance}=L_Free_Megabytes, latency = latency * 1000] \
[|mstats latest("Free Megabytes") AS L_Free_Megabytes, latest("% Free Space") As l_storage_free_percent, min("Free Megabytes") AS M_Free_Megabytes, min("% Free Space") As m_storage_free_percent, max("Avg. Disk sec/Transfer") AS latency WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:LogicalDisk instance!=_Total instance!=Harddisk* by host,instance span=30s | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),m_storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),M_Free_Megabytes), FreePct-{instance}=l_storage_free_percent,FreeMB-{instance}=L_Free_Megabytes, latency = latency * 1000] \
[search `itsi-cp-windows-indexes` sourcetype=Perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), match (counter, "Free Megabytes"), Value), FreePct-{instance}=case( match (counter, "% Free Space"), Value),FreeMB-{instance}=case( match (counter, "Free Megabytes"), Value)]
iseval = 0

# Metrics-index source with "LogicalDisk."-prefixed metric names.
# The definition starts at `mstats` with no leading pipe.
[monitoring_windows_logicaldisk_recommended]
definition = mstats latest(LogicalDisk.Free_Megabytes) AS L_Free_Megabytes, latest(LogicalDisk.%_Free_Space) As l_storage_free_percent, min(LogicalDisk.Free_Megabytes) AS M_Free_Megabytes, min(LogicalDisk.%_Free_Space) As m_storage_free_percent, max(LogicalDisk.Avg._Disk_sec/Transfer) AS latency WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:LogicalDisk instance!=_Total instance!=Harddisk* by host,instance span=30s | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),m_storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),M_Free_Megabytes), FreePct-{instance}=l_storage_free_percent,FreeMB-{instance}=L_Free_Megabytes, latency = latency * 1000
iseval = 0

# Event-index source. Free-space fields are taken from Value when `counter`
# matches; no latency field is produced.
# NOTE(review): FreePct-Other falls through to `storage_free_percent`, a field not
# created in this definition - confirm it is extracted elsewhere.
[monitoring_windows_logicaldisk_events]
definition = search `itsi-cp-windows-indexes` sourcetype=Perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), match (counter, "Free Megabytes"), Value), FreePct-{instance}=case( match (counter, "% Free Space"), Value),FreeMB-{instance}=case( match (counter, "Free Megabytes"), Value)
iseval = 0

# Metrics-index source using the space-separated metric names under sourcetype
# Perfmon:LogicalDisk.
[monitoring_windows_logicaldisk_deprecated]
definition = mstats latest("Free Megabytes") AS L_Free_Megabytes, latest("% Free Space") As l_storage_free_percent, min("Free Megabytes") AS M_Free_Megabytes, min("% Free Space") As m_storage_free_percent, max("Avg. Disk sec/Transfer") AS latency WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:LogicalDisk instance!=_Total instance!=Harddisk* by host,instance span=30s | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),m_storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),M_Free_Megabytes), FreePct-{instance}=l_storage_free_percent,FreeMB-{instance}=L_Free_Megabytes, latency = latency * 1000
iseval = 0

# Indirection that currently expands to the *_recommended variant.
[monitoring_windows_logicaldisk_wrapper]
definition = `monitoring_windows_logicaldisk_recommended`
iseval = 0

############################### Memory ###############################
# The mstats variants emit Available_MBytes, Cache_Bytes and Page_Reads/sec by host
# in 30s spans. The event-based searches additionally emit Page_Writes/sec.
#
# Mixed mode: union of the PerfmonMetrics mstats, the Perfmon mstats and the event
# search.
# NOTE(review): the stanza name itself warns of truncated results; presumably the
# bracketed union branches are subject to subsearch result limits - confirm before
# relying on this macro for KPIs or alerting.
# NOTE(review): only the event branch yields Page_Writes/sec, so that field is
# absent for hosts reporting through the metrics index - confirm this is intended.
[monitoring_windows_memory_mixed_mode_TRUNCATED_RESULTS]
definition = union \
[| mstats latest("Memory.Available_MBytes") AS Available_MBytes, latest("Memory.Cache_Bytes") AS Cache_Bytes, latest("Memory.Page_Reads/sec") AS Page_Reads/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:Memory by host span=30s] \
[| mstats latest("Available MBytes") AS Available_MBytes, latest("Cache Bytes") AS Cache_Bytes, latest("Page Reads/sec") AS Page_Reads/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:Memory by host span=30s] \
[search `itsi-cp-windows-indexes` sourcetype=Perfmon:Memory | eval Available_MBytes = case( match (counter, "Available MBytes"), Value),Cache_Bytes = case( match (counter, "Cache Bytes"), Value), Page_Reads/sec = case( match (counter, "Page Reads/sec"), Value), Page_Writes/sec = case( match (counter, "Page Writes/sec"), Value)]
iseval = 0

# Metrics-index source with "Memory."-prefixed metric names.
# The definition starts at `mstats` with no leading pipe.
[monitoring_windows_memory_recommended]
definition = mstats latest("Memory.Available_MBytes") AS Available_MBytes, latest("Memory.Cache_Bytes") AS Cache_Bytes, latest("Memory.Page_Reads/sec") AS Page_Reads/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:Memory by host span=30s
iseval = 0

# Event-index source: each field is set from Value only on events whose `counter`
# matches that counter name. Also emits Page_Writes/sec.
[monitoring_windows_memory_events]
definition = search `itsi-cp-windows-indexes` sourcetype=Perfmon:Memory | eval Available_MBytes = case( match (counter, "Available MBytes"), Value),Cache_Bytes = case( match (counter, "Cache Bytes"), Value), Page_Reads/sec = case( match (counter, "Page Reads/sec"), Value), Page_Writes/sec = case( match (counter, "Page Writes/sec"), Value)
iseval = 0

# Metrics-index source using the space-separated metric names under sourcetype
# Perfmon:Memory.
[monitoring_windows_memory_deprecated]
definition = mstats latest("Available MBytes") AS Available_MBytes, latest("Cache Bytes") AS Cache_Bytes, latest("Page Reads/sec") AS Page_Reads/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:Memory by host span=30s
iseval = 0

# Indirection that currently expands to the *_recommended variant.
[monitoring_windows_memory_wrapper]
definition = `monitoring_windows_memory_recommended`
iseval = 0

############################### Network ###############################
# All network variants drop instances matching isatap* and build
# HostNIC = host ":" instance. Derived fields:
#   KBpsRCV / KBpsXMT        bytes per second divided by 1024
#   PctUtilRCV / PctUtilXMT  bytes per second divided by Current_Bandwidth
# NOTE(review): PctUtil* is a plain ratio with no x100 and no byte-to-bit
# conversion. If Current Bandwidth is reported in bits per second, the value
# understates utilisation - confirm that thresholds built on it account for this.
#
# Mixed mode: union of the PerfmonMetrics mstats, the Perfmon mstats and the event
# search.
# NOTE(review): the stanza name itself warns of truncated results; presumably the
# bracketed union branches are subject to subsearch result limits - confirm before
# relying on this macro for KPIs or alerting.
# NOTE(review): the event branch takes max(Current_Bandwidth) by host only, while
# the mstats branches group by host and instance - on a host with several NICs
# every interface is divided by the largest bandwidth seen on that host.
[monitoring_windows_network_mixed_mode_TRUNCATED_RESULTS]
definition = union \
[| mstats latest("Network_Interface.Bytes_Received/sec") AS Bytes_Received/sec, latest("Network_Interface.Current_Bandwidth") As Current_Bandwidth, latest("Network_Interface.Bytes_Sent/sec") AS Bytes_Sent/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:Network instance!=isatap* by host, instance span=30s | eval HostNIC=host.":".instance | eval PctUtilRCV = 'Bytes_Received/sec'/Current_Bandwidth, PctUtilXMT = 'Bytes_Sent/sec'/Current_Bandwidth, KBpsRCV = 'Bytes_Received/sec'/1024, KBpsXMT = 'Bytes_Sent/sec'/1024] \
[| mstats latest("Bytes Received/sec") AS Bytes_Received/sec, latest("Current Bandwidth") As Current_Bandwidth, latest("Bytes Sent/sec") AS Bytes_Sent/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:Network instance!=isatap* by host, instance span=30s | eval HostNIC=host.":".instance | eval PctUtilRCV = 'Bytes_Received/sec'/Current_Bandwidth, PctUtilXMT = 'Bytes_Sent/sec'/Current_Bandwidth, KBpsRCV = 'Bytes_Received/sec'/1024, KBpsXMT = 'Bytes_Sent/sec'/1024] \
[search `itsi-cp-windows-indexes` sourcetype=Perfmon:Network instance!=isatap* | eval HostNIC=host.":".instance | eval Current_Bandwidth = case( match (counter, "Current Bandwidth"), Value) | eventstats max(Current_Bandwidth) AS Current_Bandwidth by host | eval KBpsRCV = case( match (counter, "Bytes Received/sec"), Value)/1024, PctUtilRCV = case( match(counter, "Bytes Received/sec"), Value)/Current_Bandwidth | eval KBpsXMT = case( match (counter, "Bytes Sent/sec"), Value)/1024, PctUtilXMT = case( match(counter, "Bytes Sent/sec"), Value)/Current_Bandwidth]
iseval = 0

# Metrics-index source with "Network_Interface."-prefixed metric names.
# The definition starts at `mstats` with no leading pipe.
[monitoring_windows_network_recommended]
definition = mstats latest("Network_Interface.Bytes_Received/sec") AS Bytes_Received/sec, latest("Network_Interface.Current_Bandwidth") As Current_Bandwidth, latest("Network_Interface.Bytes_Sent/sec") AS Bytes_Sent/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:Network instance!=isatap* by host, instance span=30s | eval HostNIC=host.":".instance | eval PctUtilRCV = 'Bytes_Received/sec'/Current_Bandwidth, PctUtilXMT = 'Bytes_Sent/sec'/Current_Bandwidth, KBpsRCV = 'Bytes_Received/sec'/1024, KBpsXMT = 'Bytes_Sent/sec'/1024
iseval = 0

# Event-index source. Current_Bandwidth is spread across a host's events with
# eventstats before the per-event rate fields are computed.
# NOTE(review): eventstats groups by host only, not by instance - on a host with
# several NICs every interface is divided by the largest bandwidth on that host.
[monitoring_windows_network_events]
definition = search `itsi-cp-windows-indexes` sourcetype=Perfmon:Network instance!=isatap* | eval HostNIC=host.":".instance | eval Current_Bandwidth = case( match (counter, "Current Bandwidth"), Value) | eventstats max(Current_Bandwidth) AS Current_Bandwidth by host | eval KBpsRCV = case( match (counter, "Bytes Received/sec"), Value)/1024, PctUtilRCV = case( match(counter, "Bytes Received/sec"), Value)/Current_Bandwidth | eval KBpsXMT = case( match (counter, "Bytes Sent/sec"), Value)/1024, PctUtilXMT = case( match(counter, "Bytes Sent/sec"), Value)/Current_Bandwidth
iseval = 0

# Metrics-index source using the space-separated metric names under sourcetype
# Perfmon:Network.
[monitoring_windows_network_deprecated]
definition = mstats latest("Bytes Received/sec") AS Bytes_Received/sec, latest("Current Bandwidth") As Current_Bandwidth, latest("Bytes Sent/sec") AS Bytes_Sent/sec WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:Network instance!=isatap* by host, instance span=30s | eval HostNIC=host.":".instance | eval PctUtilRCV = 'Bytes_Received/sec'/Current_Bandwidth, PctUtilXMT = 'Bytes_Sent/sec'/Current_Bandwidth, KBpsRCV = 'Bytes_Received/sec'/1024, KBpsXMT = 'Bytes_Sent/sec'/1024
iseval = 0

# Indirection that currently expands to the *_recommended variant.
[monitoring_windows_network_wrapper]
definition = `monitoring_windows_network_recommended`
iseval = 0

############################### Physical Disk ###############################
# All physical-disk variants drop instance _Total, build
# HostDisk = host "-" instance, and emit %_Idle_Time, Avg._Disk_Bytes/Read,
# Avg._Disk_Bytes/Write and Avg._Disk_Queue_Length.
#
# Mixed mode: union of the PerfmonMetrics mstats, the Perfmon mstats and the event
# search.
# NOTE(review): the stanza name itself warns of truncated results; presumably the
# bracketed union branches are subject to subsearch result limits - confirm before
# relying on this macro for KPIs or alerting.
[monitoring_windows_physicaldisk_mixed_mode_TRUNCATED_RESULTS]
definition = union \
[|mstats latest("PhysicalDisk.%_Idle_Time") AS %_Idle_Time, latest("PhysicalDisk.Avg._Disk_Bytes/Read") AS Avg._Disk_Bytes/Read, latest("PhysicalDisk.Avg._Disk_Bytes/Write") AS Avg._Disk_Bytes/Write, latest("PhysicalDisk.Avg._Disk_Queue_Length") AS Avg._Disk_Queue_Length WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:PhysicalDisk instance!=_Total by host, instance span=30s| eval HostDisk=host . "-" . instance] \
[|mstats latest("% Idle Time") AS %_Idle_Time, latest("Avg. Disk Bytes/Read") AS Avg._Disk_Bytes/Read, latest("Avg. Disk Bytes/Write") AS Avg._Disk_Bytes/Write, latest("Avg. Disk Queue Length") AS Avg._Disk_Queue_Length WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:PhysicalDisk instance!=_Total by host, instance span=30s| eval HostDisk=host . "-" . instance] \
[search `itsi-cp-windows-indexes` sourcetype=Perfmon:PhysicalDisk instance!=_Total| eval HostDisk=host . "-" . instance , %_Idle_Time = case( match (counter, "% Idle Time"), Value), Avg._Disk_Bytes/Read = case( match (counter, "Avg. Disk Bytes/Read"), Value) , Avg._Disk_Bytes/Write = case( match (counter, "Avg. Disk Bytes/Write"), Value) , Avg._Disk_Queue_Length = case( match (counter, "Avg. Disk Queue Length"), Value)]
iseval = 0

# Metrics-index source with "PhysicalDisk."-prefixed metric names.
# The definition starts at `mstats` with no leading pipe.
[monitoring_windows_physicaldisk_recommended]
definition = mstats latest("PhysicalDisk.%_Idle_Time") AS %_Idle_Time, latest("PhysicalDisk.Avg._Disk_Bytes/Read") AS Avg._Disk_Bytes/Read, latest("PhysicalDisk.Avg._Disk_Bytes/Write") AS Avg._Disk_Bytes/Write, latest("PhysicalDisk.Avg._Disk_Queue_Length") AS Avg._Disk_Queue_Length WHERE `itsi-cp-windows-metrics-indexes` sourcetype=PerfmonMetrics:PhysicalDisk instance!=_Total by host, instance span=30s| eval HostDisk=host . "-" . instance
iseval = 0

# Event-index source: each field is set from Value only on events whose `counter`
# matches that counter name.
[monitoring_windows_physicaldisk_events]
definition = search `itsi-cp-windows-indexes` sourcetype=Perfmon:PhysicalDisk instance!=_Total| eval HostDisk=host . "-" . instance , %_Idle_Time = case( match (counter, "% Idle Time"), Value), Avg._Disk_Bytes/Read = case( match (counter, "Avg. Disk Bytes/Read"), Value) , Avg._Disk_Bytes/Write = case( match (counter, "Avg. Disk Bytes/Write"), Value) , Avg._Disk_Queue_Length = case( match (counter, "Avg. Disk Queue Length"), Value)
iseval = 0

# Metrics-index source using the space-separated metric names under sourcetype
# Perfmon:PhysicalDisk.
[monitoring_windows_physicaldisk_deprecated]
definition = mstats latest("% Idle Time") AS %_Idle_Time, latest("Avg. Disk Bytes/Read") AS Avg._Disk_Bytes/Read, latest("Avg. Disk Bytes/Write") AS Avg._Disk_Bytes/Write, latest("Avg. Disk Queue Length") AS Avg._Disk_Queue_Length WHERE `itsi-cp-windows-metrics-indexes` sourcetype=Perfmon:PhysicalDisk instance!=_Total by host, instance span=30s| eval HostDisk=host . "-" . instance
iseval = 0

# Indirection that currently expands to the *_recommended variant.
[monitoring_windows_physicaldisk_wrapper]
definition = `monitoring_windows_physicaldisk_recommended`
iseval = 0