You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1036 lines
27 KiB
1036 lines
27 KiB
###############################################
|
|
# CPU Searches
|
|
###############################################
|
|
|
|
|
|
### - multiple host commands ( mostly using macros )
|
|
[Percent CPU by Host (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `Percent_CPU_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
|
|
[Percent Load by Host (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `Percent_Load_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
|
|
[Top 5 CPU Processes by Host (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `Top_5_CPU_Processes_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Number of Threads by Host (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `Number_Threads_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Number of Processes by Host (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `Number_Processes_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
### - Single Host Commands ( mostly using macros )
|
|
[CPU Usage by Command (UNIX - CPU)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -60m@m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
request.ui_dispatch_view = charting
|
|
search = `CPU_Usage_by_Command_for_Host(*)`
|
|
|
|
[CPU Usage by User (UNIX - CPU)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -60m@m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
request.ui_dispatch_view = charting
|
|
search = `CPU_Usage_by_User_for_Host(*)`
|
|
|
|
[Usage by State (UNIX - CPU)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
search = `CPU_Usage_by_State_for_Host(*)`
|
|
vsid = *:fvkaa7ab
|
|
|
|
[Top CPU Processes for Host (UNIX - CPU)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
search = `Top_CPU_Processes_for_Host(*)`
|
|
vsid = *:fvkaa7ab
|
|
|
|
|
|
#--- Old Searches
|
|
[Consumption by User Last Hour (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `os_index` source=ps | multikv | timechart avg(pctCPU) by USER useother=F limit=10
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Top Users by Consumption Last Hour (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `os_index` source=ps | multikv | timechart sum(CPUTIME) by USER where sum > 0
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[10 Most Popular Executables Last Hour (UNIX - CPU)]
|
|
disabled = 1
|
|
search = `os_index` source=lsof | multikv | search FD=txt TYPE=REG AND NOT (COMMAND=lsof OR COMMAND=lsof.sh OR COMMAND=iostat OR COMMAND=iostat.sh OR COMMAND=sar OR COMMAND=awk OR COMMAND=tee) | timechart count by COMMAND useother=F limit=10
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
|
|
##########################################################
|
|
## Memory Searches
|
|
##########################################################
|
|
[Mem Usage for Host (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `Mem_Usage_for_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
|
|
[Mem Usage by Command for Host (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `Mem_Usage_by_Command_for_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
|
|
[Top Mem Usage Commands for Host (UNIX - MEM)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
search = `Top_Mem_Command_for_Host(*)`
|
|
|
|
[Top 10 Users by Resident Memory Last Hour (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `Top_Users_of_VM_for_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Mem Usage by host]
|
|
disabled = 1
|
|
search = `Percent_MEM_by_Host(1)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Top Commands by Memory and Host (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `Top_Mem_Processes_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Physical Memory by Host (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `Memory_Hardware_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
|
|
[Top_Memory_Users_by_Command_by_Host]
|
|
disabled = 1
|
|
search = `Top_Memory_Users_by_Command_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
#############################
|
|
## Disk Saved Searches
|
|
#############################
|
|
[Percent Disk Used by Volume and Host (UNIX - Disk)]
|
|
disabled = 1
|
|
search = `Disk_Used_Pct_by_Host(*)`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Files Opened by Command (UNIX - Disk)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -15m@m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
request.ui_dispatch_view = charting
|
|
search = `Open_Files_by_Command_and_Host(*)`
|
|
|
|
[Files Opened by Type (UNIX - Disk)]
|
|
action.email.sendresults = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = -15m@m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
request.ui_dispatch_view = charting
|
|
search = `Open_Files_by_Type_and_Host(*)`
|
|
|
|
#############################
|
|
## Sources
|
|
############################
|
|
|
|
[vmstat]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[ps]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[top]
|
|
disabled = 1
|
|
search = `os_index` `top_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[hardware]
|
|
disabled = 1
|
|
search = `os_index` `hardware_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[iostat]
|
|
disabled = 1
|
|
search = `os_index` `iostat_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[netstat]
|
|
disabled = 1
|
|
search = `os_index` `netstat_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[protocol]
|
|
disabled = 1
|
|
search = `os_index` `protocol_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[openPorts]
|
|
disabled = 1
|
|
search = `os_index` `open_ports_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[time]
|
|
disabled = 1
|
|
search = `os_index` `time_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[lsof]
|
|
disabled = 1
|
|
search = `os_index` `lsof_sourcetype`
|
|
dispatch.earliest_time = -30m@m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[df]
|
|
disabled = 1
|
|
search = `os_index` `df_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[who]
|
|
disabled = 1
|
|
search = `os_index` `who_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[usersWithLoginPrivs]
|
|
disabled = 1
|
|
search = `os_index` `users_with_login_privs_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[lastlog]
|
|
disabled = 1
|
|
search = `os_index` `lastlog_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[interfaces]
|
|
disabled = 1
|
|
search = `os_index` `interfaces_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[cpu]
|
|
disabled = 1
|
|
search = `os_index` `cpu_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[rlog]
|
|
disabled = 1
|
|
search = `os_index` `rlog_sourcetype`
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
[package]
|
|
disabled = 1
|
|
search = `os_index` `package_sourcetype`
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
|
|
#############################################
|
|
## User Searches
|
|
#############################################
|
|
[User Sessions]
|
|
disabled = 1
|
|
search = `User_Sessions_by_Host(*)`
|
|
dispatch.earliest_time = -7d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Failed Logins]
|
|
disabled = 1
|
|
search = `Failed_Logins_by_Host(*)`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[User Add]
|
|
disabled = 1
|
|
search = `os_index` `user_add`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[User Delete]
|
|
disabled = 1
|
|
search = `os_index` `user_del`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Group Add]
|
|
disabled = 1
|
|
search = `os_index` `group_add`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Group Delete]
|
|
disabled = 1
|
|
search = `os_index` `group_del`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Password Change]
|
|
disabled = 1
|
|
search = `os_index` `password_change`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Password Change Failed]
|
|
disabled = 1
|
|
search = `os_index` `password_change_failed`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Failed Attempts at SU]
|
|
disabled = 1
|
|
search = `os_index` `su_failed`
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
#############################################
|
|
## Network Searches
|
|
#############################################
|
|
|
|
[Thruput by Interface and Host (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Thruput_by_Interface_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Frequently Opened Ports (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Frequently_Open_Ports_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Top Inet Addresses by Host (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Top_Inet_Addresses_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Open Ports (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Open_Ports_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Addresses Connected To (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Addresses_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Sockets by State (UNIX - NET)]
|
|
disabled = 1
|
|
search = `Sockets_by_State_by_Host(*)`
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
#------ old searches
|
|
[Top 10 Users by Virtual Memory Last Hour (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | timechart avg(VSZ_KB) by USER useother=F limit=10
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Virtual Memory Subsystem Stats (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype` | fields + total_memory,used_memory,active_memory,inactive_memory,free_memory,buffer_memory,swap_cache,total_swap,used_swap,free_swap,pages_paged_in,pages_paged_out,pages_swapped_in,pages_swapped_out
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
|
|
[Memory Usage over Last 3 Hours (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype` | timechart avg(memUsedPct) avg(memFreePct) | rename avg(memUsedPct) as "Used Mem", avg(memFreePct) as Free_Mem
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -3h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Avg Resident Memory by Process Last 3 Hours (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | stats sum(RSZ_KB) as total_mem by COMMAND, _time | timechart avg(total_mem) by COMMAND
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -3h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
[Avg Virtual Memory by Process Last 3 Hours (UNIX - MEM)]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | stats sum(VSZ_KB) as total_mem by COMMAND, _time | timechart avg(total_mem) by COMMAND
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -3h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
displayview = charting
|
|
relation = None
|
|
|
|
########################################################
|
|
## Package Saved Searches
|
|
#######################################################
|
|
[Latest Packages by Host]
|
|
disabled = 1
|
|
search = `os_index` `package_sourcetype` | dedup host
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Hardware Configurations by Host]
|
|
disabled = 1
|
|
search = `os_index` `hardware_sourcetype` | dedup host
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
#########################################################
|
|
## Utility Saved Searches
|
|
#########################################################
|
|
[UNIX - All Logs]
|
|
disabled = 1
|
|
search = | metadata type=sources `metadata_index` | typer | search eventtype=nix-all-logs
|
|
dispatch.earliest_time = -15m
|
|
|
|
[UNIX - All Configs]
|
|
disabled = 1
|
|
search = | metadata type=sources `metadata_index` | typer | search eventtype=nix_configs
|
|
|
|
[UNIX - Timechart Errors Or Critical]
|
|
disabled = 1
|
|
search = `os_index` `unix_errors` | strcat source "@" host changelist | timechart count by changelist
|
|
|
|
[UNIX - Timechart Config Changes]
|
|
disabled = 1
|
|
search = `os_index` eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist
|
|
|
|
##########################################################
|
|
## Alerts
|
|
##########################################################
|
|
|
|
[Alert - syslog errors last hour]
|
|
disabled = 1
|
|
action_rss = 0
|
|
counttype = number of events
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
role = Admin
|
|
schedule = 0 * * * *
|
|
search = `syslog_sourcetype` `syslog_errors` | fields +_raw
|
|
sendresults = 1
|
|
userid = 1
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = +0s
|
|
|
|
##########################################################
|
|
# Home Screen (and Home Fullscreen)
|
|
##########################################################
|
|
|
|
[Dropdown Lookup - Dimension]
|
|
disabled = 1
|
|
search = |inputlookup dropdowns.csv | stats count by unix_category
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -15m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
[Dropdown Lookup - Group]
|
|
disabled = 1
|
|
search = |inputlookup dropdowns.csv | search $unix_category$ | stats count by unix_group
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -15m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
##########################################################
|
|
## Metrics
|
|
##########################################################
|
|
|
|
[Metrics Selectable Lookup]
|
|
disabled = 1
|
|
search = | inputlookup dropdowns.csv | stats values(host) as host by unix_category unix_group
|
|
action.email.sendresults = 0
|
|
dispatch.earliest_time = -15m
|
|
dispatch.latest_time = +0s
|
|
dispatch.ttl = 3600
|
|
|
|
##########################################################
|
|
## Old Searches
|
|
##########################################################
|
|
|
|
[UNIX - Perf - ps mem by cmd]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | timechart avg(RSZ_KB) by COMMAND
|
|
dispatch.earliest_time = -3h
|
|
|
|
[UNIX - Perf - cpu by cmd]
|
|
disabled = 1
|
|
search = `os_index` `top_sourcetype` | timechart avg(pctCPU) by COMMAND
|
|
dispatch.earliest_time = -15m
|
|
|
|
[UNIX - Perf - iostat blk rw sec]
|
|
disabled = 1
|
|
search = `os_index` `iostat_sourcetype` | timechart avg(rReq_PS) avg(wReq_PS)
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - Perf - iostat blk wr sec by host]
|
|
disabled = 1
|
|
search = `os_index` `iostat_sourcetype` | timechart avg(wReq_PS) by host
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - System - lsof open files by user]
|
|
disabled = 1
|
|
search = `os_index` `lsof_sourcetype` | timechart count(USER) by USER
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - System - netstat count by proto]
|
|
disabled = 1
|
|
search = `os_index` `netstat_sourcetype` | multikv | timechart count(Proto) by Proto
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - System - netstat count by type]
|
|
disabled = 1
|
|
search = `os_index` `netstat_sourcetype` | multikv | timechart count(Type) by Type
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - Perf - ps cpu by command]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | timechart avg(pctCPU) by COMMAND
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - Perf - ps rss mem by user]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | chart avg(RSZ_KB) by USER
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - Perf - ps rss mem by command]
|
|
disabled = 1
|
|
search = `os_index` `ps_sourcetype` | timechart avg(RSZ_KB) by COMMAND
|
|
dispatch.earliest_time = -60m
|
|
|
|
[UNIX - Perf - top cpu by host]
|
|
disabled = 1
|
|
search = `os_index` `top_sourcetype` | timechart avg(pctCPU) by host
|
|
dispatch.earliest_time = -15m
|
|
|
|
[UNIX - Perf - top rss mem vs command]
|
|
disabled = 1
|
|
search = `os_index` `top_sourcetype` | timechart avg(RSZ_KB) by COMMAND
|
|
dispatch.earliest_time = -15m
|
|
|
|
[UNIX - System - vmstat free mem by host]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype` | timechart avg(memFreeMB) by host
|
|
dispatch.earliest_time = -15m
|
|
|
|
[UNIX - System - vmstat total mem by host]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype` | timechart avg(memTotalMB) by host
|
|
dispatch.earliest_time = -3h
|
|
|
|
[UNIX - Home - memory used by host realtime]
|
|
disabled = 1
|
|
search = `os_index` `memory_sourcetype` | stats latest(memUsedPct) as avg_memUsedPct by host
|
|
|
|
[UNIX - Home - cpu used by host realtime]
|
|
disabled = 1
|
|
search = `os_index` `cpu_sourcetype` | eval pctUsed = 100-pctIdle | stats median(pctUsed) by host
|
|
|
|
[alerts_fired]
|
|
action.email.reportServerEnabled = 0
|
|
alert.track = 0
|
|
disabled = 1
|
|
#dispatch.earliest_time = -24h@h
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
request.ui_dispatch_view = flashtimeline
|
|
search = `cp-unix-dashboards-audit-index` action=alert_fired | table _time ss_name host alert_actions severity triggered_alerts triggered_time sid
|
|
|
|
[fired_alerts]
|
|
action.email.inline = 1
|
|
action.email.reportServerEnabled = 0
|
|
alert.digest_mode = False
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
auto_summarize.dispatch.earliest_time = -1d@h
|
|
cron_schedule = */5 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
search = | rest /services/search/jobs | search [search `cp-unix-dashboards-audit-index` action=alert_fired | fields sid] | collect `cp-unix-dashboards-firedalerts-index`
|
|
|
|
[Memory_Exceeds_MB_by_Process]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Memory_Exceeds_MB_by_Process("`_unix_alert_threshold_Memory_Exceeds_MB_by_Process`")`
|
|
|
|
[Memory_Exceeds_Percent_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Memory_Exceeds_Percent_by_Host("`_unix_alert_threshold_Memory_Exceeds_Percent_by_Host`")`
|
|
|
|
[Memory_Exceeds_MB_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Memory_Exceeds_MB_by_Host("`_unix_alert_threshold_Memory_Exceeds_MB_by_Host`")`
|
|
|
|
[CPU_Exceeds_Percent_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `CPU_Exceeds_Percent_by_Host("`_unix_alert_threshold_CPU_Exceeds_Percent_by_Host`")`
|
|
|
|
[CPU_Under_Percent_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `CPU_Under_Percent_by_Host("`_unix_alert_threshold_CPU_Under_Percent_by_Host`")`
|
|
|
|
[Load_Exceeds_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Load_Exceeds_by_Host("`_unix_alert_threshold_Load_Exceeds_by_Host`")`
|
|
|
|
[Threads_Exceeds_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Threads_Exceeds_by_Host("`_unix_alert_threshold_Threads_Exceeds_by_Host`")`
|
|
|
|
[Processes_Exceeds_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Processes_Exceeds_by_Host("`_unix_alert_threshold_Processes_Exceeds_by_Host`")`
|
|
|
|
[Disk_Used_Exceeds_Percent_by_Host]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Disk_Used_Exceeds_Percent_by_Host("`_unix_alert_threshold_Disk_Used_Exceeds_Percent_by_Host`")`
|
|
|
|
[Open_Files_Exceeds_by_Process]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `Open_Files_Exceeds_by_Process("`_unix_alert_threshold_Open_Files_Exceeds_by_Process`")`
|
|
|
|
[IO_Wait_Exceeds_Threshold]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `IO_Wait_Exceeds_Threshold("`_unix_alert_threshold_IO_Wait_Exceeds_Threshold`")`
|
|
|
|
[IO_Utilization_Exceeds_Threshold]
|
|
action.summary_index = 1
|
|
action.summary_index.marker = unix_aggregated_alerts
|
|
action.summary_index._name = unix_summary
|
|
alert.digest_mode = True
|
|
alert.expires = 1d
|
|
alert.suppress = 1
|
|
alert.suppress.period = 1m
|
|
alert.track = 1
|
|
auto_summarize.dispatch.earliest_time = -5m@m
|
|
cron_schedule = */5 * * * *
|
|
counttype = number of events
|
|
disabled = 1
|
|
dispatch.earliest_time = -5m@m
|
|
dispatch.latest_time = now
|
|
displayview = flashtimeline
|
|
enableSched = 1
|
|
quantity = 1
|
|
relation = greater than
|
|
search = `IO_Utilization_Exceeds_Threshold("`_unix_alert_threshold_IO_Utilization_Exceeds_Threshold`")`
|
|
|
|
|
|
##########################################################
|
|
## Dropdown Lookup Migrator
|
|
##########################################################
|
|
[dropdowns_lookup_migrate]
|
|
disabled = 1
|
|
enableSched = 1
|
|
cron_schedule = */2 * * * *
|
|
description = This savedsearch is used to populate default data in dropdown lookup if the lookup is empty
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
run_on_startup = 1
|
|
run_n_times = 1
|
|
search = | inputlookup dropdowns.csv \
|
|
| stats count \
|
|
| where count=0 \
|
|
| eval host="*" \
|
|
| eval unix_category="all_hosts" \
|
|
| eval unix_group="default" \
|
|
| table host unix_category unix_group\
|
|
| outputlookup dropdowns.csv append=t |