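############################################################
# Simple search used in Home page to show
# numbers of hosts indexed within last 7 days
############################################################

# Since version 1.9.7, for run-time optimization, this search is linked to a KVstore-based lookup table.
# The lookup stores the state day after day, so the panel provides the same result as a full 7-day
# time range while the search itself only covers the most recent data (dispatch.earliest_time = -1d@d).
# At large scale, the original tstats search could run up to 30 seconds, which is too long for a good user experience.
# As such, the number of hosts reported is the global number of hosts and is no longer linked to the user context.
# NOTE(review): the lookup is filled by the scheduled report below, so the count presumably reflects what that
# report's owner can search rather than the viewer's own index permissions. Confirm that showing a global host
# count to every app user is acceptable, or restrict read access on the nmon_hosts_last_7days lookup.

[Hosts with data within last 7 days]
dispatch.earliest_time = -1d@d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.colorBy = trend
display.visualizations.singlevalue.rangeColors = ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]
display.visualizations.singlevalue.rangeValues = [0,30,70,100]
display.visualizations.singlevalue.trendInterval = auto
display.visualizations.singlevalue.underLabel = Hosts with recent activity
display.visualizations.singlevalue.useColors = 1
display.visualizations.singlevalueHeight = 173
display.visualizations.type = singlevalue
# Recent per-day distinct host counts are appended to the stored lookup rows, rows older than 7 days are dropped,
# and the maximum count per day is kept.
search = | mstats count(_value) as count where `nmon_metrics_index` metric_name="os.unix.nmon.cpu.cpu_all.*" by host span=1d | stats dc(host) as dcount by _time\
| append\
[ | inputlookup nmon_hosts_last_7days ]\
| eval time_limit=relative_time(now(), "-7d@d")\
| where _time>time_limit\
| stats max(dcount) as dcount by _time\
| sort 0 _time

# This scheduled report fills the KVstore-based lookup table for the previous days.
# It runs at minute 1 of every hour over the last 7 days and rewrites nmon_hosts_last_7days with outputlookup.
# NOTE(review): keep write access on the lookup limited to the report owner/admin role, since every Home page
# view trusts its content.

[Hosts with data within last 7 days (fill the nmon_hosts_last_7days lookup)]
cron_schedule = 1 * * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.colorBy = trend
display.visualizations.singlevalue.rangeColors = ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]
display.visualizations.singlevalue.rangeValues = [0,30,70,100]
display.visualizations.singlevalue.trendInterval = auto
display.visualizations.singlevalue.underLabel = Hosts with recent activity
display.visualizations.singlevalue.useColors = 1
display.visualizations.singlevalueHeight = 173
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 15
search = | mstats count(_value) as count where `nmon_metrics_index` metric_name="os.unix.nmon.cpu.cpu_all.*" by host span=1d | stats dc(host) as dcount by _time\
| outputlookup nmon_hosts_last_7days | stats count

#############################################################
# Total Cost of Ownership
#############################################################

# The TCO reports below search index=_internal (license_usage.log, scheduler.log) or use dbinspect.
# NOTE(review): users whose roles cannot search _internal will presumably see empty panels; prefer a dedicated
# role for these reports over widening _internal access on default roles.

[Volume of data indexed within last 7 days]
alert.digest_mode = 1
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d@d
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
# Licence usage bytes (field b) summed per 2-minute bucket and converted to MB; empty buckets are dropped.
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx`\
| bucket _time span=2m\
| stats sum(b) as volume by _time\
| eval volume=round((volume/1024/1024), 2)\
| where volume>0

[TCO - Volume indexing over time]
action.email.useNSSubject = 1
alert.track = 0
description = Volume of data (GB) indexed per day
dispatch.earliest_time = -30d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.chartHeight = 565
display.visualizations.charting.legend.placement = top
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# NOTE(review): `user_is_admin` is assigned and then discarded by the final `fields`; it does not gate access
# to anything in this search. Confirm it is a leftover and can be removed.
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | bucket _time span=1m | stats sum(b) AS b by _time,idx | timechart span=1d sum(b) AS b | eval volume_per_day_GB=round((b/1024/1024/1024),2) | eval user_is_admin=True | fields _time,volume_per_day_GB

[TCO - Total Cost of Ownership per server]
action.email.useNSSubject = 1
alert.track = 0
description = Total Cost of Ownership, per hour/server and estimated per day/server licencing cost
dispatch.earliest_time = -7d@d
dispatch.latest_time = @h
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# Hourly licence volume (MB) divided by the hourly distinct host count from the metrics index, then averaged;
# the per-day figure is the hourly average multiplied by 24.
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | timechart span=1h sum(b) AS b | eval volume_MB = round(b/1024/1024,2) | fillnull value=0\
| appendcols [ | mstats max(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.cpu_all.logical_cpus by host span=1h\
| stats dc(host) as dcount by _time ]\
| eval cost_per_server_MB=(volume_MB/dcount) | stats avg(cost_per_server_MB) AS cost_per_server_MB | eval cost_per_server_MB=round(cost_per_server_MB, 2), estimated_cost_per_server_MB=round(cost_per_server_MB*24, 2)\
| rename cost_per_server_MB AS "per hour/server cost in MB", estimated_cost_per_server_MB AS "estimated per day/server cost in MB"

[TCO - Total Cost of Ownership of global indexing]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Average volume of data (GB) indexed per day
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | timechart span=1d sum(b) AS b | fillnull value=0 | stats avg(b) AS avg_volume_per_day | eval avg_volume_per_day_GB=round((avg_volume_per_day/1024/1024/1024),2) | fields avg_volume_per_day_GB

[TCO - Scheduling reporting]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Detailed reporting of scheduling searches cost
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# Run-time statistics per saved search, read from scheduler.log in index=_internal.
# Fix: the "Max" and "Latest" columns used to append duration_avg; they now append duration_max and
# duration_latest, which were computed but never used.
# The foreach template token is written as <<FIELD>> (the listing showed it as an empty `<>`).
# NOTE(review): the filter is app="nmon" while these stanzas dispatch in metricator-for-nmon; confirm the
# app name matches what scheduler.log records, otherwise the report silently returns nothing.
search = index=_internal host="*" source=*scheduler.log status="*" NOT (status="continued" OR status=delegated*) savedsearch_name!="*_ACCELERATE_*" app="nmon"\
| stats avg(run_time) AS avg_run_time, max(run_time) AS max_run_time, latest(run_time) AS latest_run_time, max(_time) AS "last_run (dd/mm/YYYY H:M:S)" by app,savedsearch_name\
| eval "last_run (dd/mm/YYYY H:M:S)"=strftime('last_run (dd/mm/YYYY H:M:S)', "%d/%m/%Y %H:%M:%S") | foreach *_run_time [ eval <<FIELD>>=round('<<FIELD>>', 2) ]\
| sort savedsearch_name | rename savedsearch_name AS "report (savedsearch_name)"\
| eval duration_avg=tostring(avg_run_time, "duration"), duration_max=tostring(max_run_time, "duration"), duration_latest=tostring(latest_run_time, "duration")\
| eval "Avg run time (seconds / duration)" = avg_run_time + " sec / " + duration_avg + " (HH:MM:SSS)"\
| eval "Max run time (seconds / duration)" = max_run_time + " sec / " + duration_max + " (HH:MM:SSS)"\
| eval "Latest run time (seconds / duration)" = latest_run_time + " sec / " + duration_latest + " (HH:MM:SSS)"\
| fields app,report*,Avg*,Max*,Latest*,"last_run (dd/mm/YYYY H:M:S)"

[TCO - Eventcount / Metadata Statistics: Indexes first and last event dates]
action.email.useNSSubject = 1
alert.track = 0
description = Date of first and last event per sourcetype
# All-time search (earliest = 0); no schedule is set in this stanza, so it only runs on demand.
dispatch.earliest_time = 0
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# NOTE(review): `show_eventcount` is set after the macro has run and is not kept by the final `fields`;
# it looks unused. Confirm before removing.
search = | `indexes_datestats` | eval show_eventcount=true | fields index,sourcetype,*Event

[TCO - Index storage and buckets details]
action.email.useNSSubject = 1
alert.track = 0
# All-time search (earliest = 0); no schedule is set in this stanza, so it only runs on demand.
dispatch.earliest_time = 0
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Nmon index detailed statistics
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# Bucket-level storage figures from dbinspect: raw size, size on disk, bucket count, compression ratio.
search = | dbinspect `nmon_index` | eval rawSize_MB=(rawSize/1024/1024) | stats sum(rawSize_MB) AS rawSize_MB, sum(sizeOnDiskMB) AS sizeOnDiskMB, dc(bucketId) AS dcount_bucket | eval compress_ratio = round(rawSize_MB / sizeOnDiskMB, 2)." : 1" | eval rawSize_GB=round(rawSize_MB/1024, 2), sizeOnDiskGB=round(sizeOnDiskMB/1024, 2) | eval avg_size_perbucket_GB=round(((sizeOnDiskMB/dcount_bucket)/1024), 2)

#############################################################
# NMON Inventory
#############################################################

# This report generates the inventory lookup table used in many interfaces of the App.
# We arbitrarily keep only one result per day and per host of the nmon_config sourcetype, then we keep the last
# value by field in case multiple values are found, typically after a hardware configuration change.
# The search merges new inventory rows with the existing lookup content, drops hosts whose reporting_date is
# older than 30 days, and rewrites nmon_inventory with outputlookup.
# NOTE(review): the inventory reports and dashboards read this lookup directly, so visibility of host details
# presumably follows the lookup's permissions rather than index permissions; confirm that is intended.

[Generate NMON Inventory Lookup Table]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 0
auto_summarize.dispatch.earliest_time =
cron_schedule = 0 * * * *
description = Generation of NMON Inventory Lookup Table
dispatch.earliest_time = -48h
dispatch.latest_time = now
# Keep this job artifact for 1 hour
# NOTE(review): comment kept on its own line; confirm the shipped file does not rely on an inline `#` after the value.
dispatch.ttl = 3600
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 15
search = | `nmon_inventory_update`\
| append\
[ | inputlookup nmon_inventory ]\
| where OStype!="NA"\
| eval _time=strptime(reporting_date, "%m/%d/%Y %H:%M"), limit=relative_time(now(), "-30d@d")\
| where _time>=limit\
| stats latest(*) as "*" by hostname\
| fields - _time,limit\
| outputlookup nmon_inventory | stats count

#############################################################
# NMON frameID mapping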
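#############################################################

# Update the frameID mapping KVstore collection
# This report runs every hour by default; in addition it also runs on Splunk startup to ensure
# we populate the collection if required, to prevent the frameID field from being null if not complete
# (this affects only SPL searches, not searches against data models).
# Only hosts that are not yet present in nmon_frameID_mapping are appended (search NOT [ inputlookup ... ],
# then outputlookup append=t), so existing rows are left untouched by this report.

[Generate NMON frameID mapping lookup table]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = This scheduled report will update the frameID mapping KVstore collection
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.statistics.drilldown = none
display.visualizations.chartHeight = 524
display.visualizations.charting.chart = line
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
run_on_startup = true
search = | mcatalog values(serialnum) as serials where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.cpu_all.logical_cpus by host\
| rename serials as serialnum\
| lookup nmon_frameID_mapping host as host OUTPUT frameID\
| eval frameID=if(isnull(frameID), serialnum, frameID)\
| fields frameID, serialnum, host\
| lookup nmon_frameID_mapping serialnum AS serialnum, host as host OUTPUT host_description as host_description\
| fillnull value="none"\
| fields frameID,serialnum,host,host_description\
| search NOT [ | inputlookup nmon_frameID_mapping | fields host ]\
| outputlookup nmon_frameID_mapping append=t key_field=_key\
| stats count

#############################################################
# NMON Baseline
#############################################################

# These reports generate the Nmon baseline and store the results in the nmon_baseline KV Store collections.
# By default the schedules run every Sunday starting at midnight, one report per hour
# (CPU_ALL 00:00, LPAR 01:00, MEM 02:00, DISKXFER 03:00), each over the last three months of metrics.
# In every search below the foreach template token is written as <<FIELD>> (the listing showed it as an empty `<>`).
# NOTE(review): the baselines feed comparisons elsewhere in the app; keep write access on the nmon_baseline_*
# collections limited to the owner of these reports.

[Generate NMON Baseline KV Collection for CPU_ALL]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 0 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour
# NOTE(review): comment kept on its own line; confirm the shipped file does not rely on an inline `#` after the value.
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
# 5th percentile, average and 95th percentile of cpu_load_percent per weekday, HHMM slot, frameID and hostname;
# the row key is built from those four values.
search = | mstats avg(_value) as value where `nmon_metrics_index` (metric_name=os.unix.nmon.cpu.cpu_all.Sys_PCT OR metric_name=os.unix.nmon.cpu.cpu_all.User_PCT OR metric_name=os.unix.nmon.cpu.cpu_all.Wait_PCT) by metric_name, host span=5m\
| `def_cpu_load_percent`\
| `mapping_frameID`\
| rename host as hostname\
| fields _time, frameID, hostname, cpu_load_percent\
| where isnotnull(cpu_load_percent)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats perc05(cpu_load_percent) AS lower_baseline_avg_cpu, avg(cpu_load_percent) AS baseline_avg_cpu, perc95(cpu_load_percent) AS upper_baseline_avg_cpu by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | table ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_CPU_ALL | stats count

[Generate NMON Baseline KV Collection for LPAR]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 1 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
search = | mstats avg(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.lpar.* by OStype, metric_name, host span=5m\
| `def_all_os_lpar_load_and_pool_load_cores`\
| `mapping_frameID`\
| rename host AS hostname\
| fields _time, frameID, hostname, lpar_load_cores, lpar_pool_vp_usage\
| where isnotnull(lpar_load_cores)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats\
perc05(lpar_load_cores) AS lower_baseline_avg_vp_usage, avg(lpar_load_cores) AS baseline_avg_vp_usage, perc95(lpar_load_cores) AS upper_baseline_avg_vp_usage,\
perc05(lpar_pool_vp_usage) AS lower_baseline_avg_pool_usage, avg(lpar_pool_vp_usage) AS baseline_avg_pool_usage, perc95(lpar_pool_vp_usage) AS upper_baseline_avg_pool_usage,\
by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ] \
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | fields ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_LPAR | stats count

[Generate NMON Baseline KV Collection for MEM]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 2 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
# NOTE(review): unlike the CPU_ALL, LPAR and DISKXFER reports, this search does not build ID/_key before
# outputlookup. Confirm this difference is intended.
search = | mstats avg(_value) as value where `nmon_metrics_index` `def_memory_all_os_metric_filters` by OStype, metric_name, host span=5m\
| `def_memory_load_percent`\
| `mapping_frameID`\
| rename host AS hostname\
| fields _time, frameID, hostname, mem_used_effective_PCT, swap_used_effective_PCT\
| where isnotnull(mem_used_effective_PCT)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats\
perc05(mem_used_effective_PCT) AS lower_baseline_avg_real_mem, avg(mem_used_effective_PCT) AS baseline_avg_real_mem, perc95(mem_used_effective_PCT) AS upper_baseline_avg_real_mem,\
perc05(swap_used_effective_PCT) AS lower_baseline_avg_virtual_mem, avg(swap_used_effective_PCT) AS baseline_avg_virtual_mem, perc95(swap_used_effective_PCT) AS upper_baseline_avg_virtual_mem,\
by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| outputlookup nmon_baseline_MEM | stats count

[Generate NMON Baseline KV Collection for DISKXFER]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 3 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
# dgxfer IOPS are preferred when numeric, otherwise diskxfer IOPS are used; values are averaged per 5 minutes.
search = | mstats avg(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.storage.diskxfer OR metric_name=os.unix.nmon.storage.dgxfer by metric_name, host span=1m\
| `extract_metrics`\
| eval diskxfer_iops=case(metric_name=="os.unix.nmon.storage.diskxfer", value), dgxfer_iops=case(metric_name=="os.unix.nmon.storage.dgxfer", value)\
| stats max(diskxfer_iops) as diskxfer_iops, max(dgxfer_iops) as dgxfer_iops by _time, host\
| eval iops=if(isnum(dgxfer_iops), dgxfer_iops, diskxfer_iops)\
| bucket _time span=5m\
| stats avg(iops) as iops by _time, host\
| `mapping_frameID`\
| rename host AS hostname\
| where isnotnull(iops)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats perc05(iops) AS lower_baseline_avg_disk_iops, avg(iops) AS baseline_avg_disk_iops, perc95(iops) AS upper_baseline_avg_disk_iops by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | fields ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_DISKXFER | stats count

####################################################################
# Number of notable events in data processing and collect
####################################################################

# Counts nmon processing/collect error events plus splunkd ExecProcessor ERROR lines mentioning nmon from
# index=_internal; the two "python missing" messages are excluded by the NOT clause.
# NOTE(review): the _internal part presumably returns nothing for roles that cannot search that index, so a
# zero on the panel is not proof that the collection is healthy for every viewer.

[Number of notable events in Data Processing or Data Collect since last 24 Hours]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1d@h
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Keep this job artifact for 10 minutes
dispatch.ttl = 600
display.general.type = statistics
display.page.search.mode = fast
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.singlevalue.rangeColors = ["0x555","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.unit = notable events reported
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = (eventtype=nmon:processing OR eventtype=nmon:collect error) OR (index=_internal sourcetype=splunkd ERROR ExecProcessor nmon) NOT ("There is no python in" OR "python: not found") | stats count

#############################################################
# NMON Processing Errors
#############################################################

[Errors in NMON Data Processing]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:processing error

#############################################################
# NMON Collect Errors
#############################################################

[Errors in NMON Data Collect]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:collect error

#############################################################
# NMON Collect Activity
#############################################################

[Activity of NMON Data Collect]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:collect | table _time,host,_raw | rename _raw as event

#############################################################
# NMON Processing Activity
#############################################################

[Activity of NMON Data Processing]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:processing | stats values(hostname) As "hostname (Nmon host)", values(_raw) As event by _time,host | rename host As "host (collecter)" | sort - _time

#############################################################
# NMON Activity - Splunkd events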
#############################################################

# Raw splunkd events mentioning nmon and a *Processor component, read from index=_internal over the last 24 hours.
# NOTE(review): presumably empty for roles that cannot search _internal; confirm which roles are expected to use it.

[Activity of NMON - Splunkd events]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd nmon *Processor

#############################################################
# NMON Report Inventory
#############################################################

# The three inventory reports only read the nmon_inventory lookup and filter it by OStype; no dispatch time
# range or schedule is set in these stanzas.
# NOTE(review): because the data comes from a lookup, what a user can see presumably follows the lookup's
# permissions rather than index permissions; confirm that host details may be shown to every app user.

[NMON Inventory Solaris]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=Solaris\
| fields hostname,OStype,Solaris_sunOS_version,Solaris_version,cpu_cores,Processor,Solaris_processor_clockspeed,Physical_mem_MB,Virtual_mem_MB,nmon_version,uptime_duration,system_startup_date,reporting_date

[NMON Inventory Linux]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=Linux\
| fields hostname,OStype,cpu_cores,Processor,Physical_mem_MB,Virtual_mem_MB,Linux_distribution,Linux_kernelversion,nmon_version,uptime_duration,system_startup_date,reporting_date

[NMON Inventory AIX]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=AIX\
| fields hostname,OStype,AIX_Machine_SerialNumber,AIX_LEVEL,AIX_virtualcpus,AIX_logicalcores,AIX_entitled,Processor,Physical_mem_MB,Virtual_mem_MB,AIX_processor_mode,AIX_processor_clockspeed,AIX_cpu_type,AIX_kernel_type,AIX_plateform_firmware_level,nmon_version,AIX_PoolID,AIX_system_installed_CPUs,AIX_system_active_CPUs,AIX_PoolCPUs,uptime_duration,system_startup_date,reporting_date

#############################################################
# NMON Alerting
#############################################################

# The four alerts below are scheduled every 5 minutes over the last 60 minutes, with start minutes staggered
# (*/5, */5, 1-59/5, 2-59/5). Each triggers when the search returns more than 0 events and then suppresses
# repeats for the same suppress-field values for 60 minutes.
# The email action is disabled (action.email = 0) and triggers are only tracked (alert.track = 1).
# NOTE(review): if these alerts are relied on for detection, make sure tracked alerts are reviewed or another
# alert action is configured. Thresholds live in the `alerting_*` macros, which are not visible in this file.

[NMON - file-systems under saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = fs_uuid
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
description = This alert will trigger hosts having a file-system under a superior saturation to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes
# NOTE(review): comment kept on its own line; confirm the shipped file does not rely on an inline `#` after the value.
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_filesystem_usage`

[NMON - physical memory usage saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
description = This alert will trigger hosts having a physical memory usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_realmemory_usage`

[NMON - virtual usage saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = 1-59/5 * * * *
description = This alert will trigger hosts having a virtual memory usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_virtualmemory_usage`

[NMON - cpu usage saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = 2-59/5 * * * *
# Keep this job artifact for 10 minutes
dispatch.ttl = 600
description = This alert will trigger hosts having a cpu usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_cpu_usage`

#############################################################
# Indexes stats
#############################################################

[Dates of first and last event within indexes]
action.email.useNSSubject = 1
alert.track = 0
# All-time search (earliest = 0); no schedule is set in the visible part of this stanza.
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = pivot
search = | `indexes_datestats` | eval summary='First Event' . " - " .
'Last Event' | fields summary

#############################################################
# TA-NMON Agent Reporting
#############################################################

# Latest add-on type and version reported by each host over the last 30 days,
# read from the metricator-nmon-processing data model. Hosts that report no
# addon_version are labelled "previous_to_1.2.45"; hosts with no addon_type
# are labelled "Undefined".
[Add-on version per host]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = pivot
search = | pivot metricator-nmon-processing NMON_Processing latest(addon_type) AS "addon_type" latest(addon_version) AS "addon_version" latest(_time) AS "latest_time" SPLITROW host AS host SORT 0 host ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1\
| eval addon_version = if(isnotnull(addon_version), addon_version, "previous_to_1.2.45"), addon_type = if(isnotnull(addon_type), addon_type, "Undefined")

# Raw splunkd.log events recording the installation of an app whose name
# contains "nmon". This reads index=_internal: a role without access to that
# index gets an empty result, which is not the same as "nothing was deployed".
[TA-metricator package deployment reporting (requires _internal access)]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.visualizations.chartHeight = 577
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index="_internal" sourcetype="splunkd" source="*/splunkd.log" "DeployedApplication - Installing app=*nmon*"

# One row per distinct (hostname, converter, interpreter version) combination
# seen over the last 30 days, from the metricator-nmon-processing data model.
# NOTE(review): the column label "Type of coverter in use (last known value)"
# is misspelled ("coverter"); it appears twice in the search and may be
# referenced by dashboards, so correct every occurrence together.
[List of interpreter and interpreter versions per host]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 577
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | pivot metricator-nmon-processing NMON_Processing last(converter_inuse) AS "Type of coverter in use (last known value)" last(interpreter_version) AS "Version of Interpreter (last known value)" SPLITROW _time AS _time\
PERIOD minute SPLITROW hostname AS hostname SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | dedup hostname "Type of coverter in use (last known value)" "Version of Interpreter (last known value)" | fields - _time

# Daily chart of the same deployment events: distinct hosts per day and number
# of installation events per day (the latter is drawn as the chart overlay).
# Reads index=_internal, with the same access caveat as the report above.
[TA-metricator package deployment reporting over time (requires _internal access)]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 577
display.visualizations.charting.chart.overlayFields = Nbr_of_deployment_actions
display.visualizations.charting.legend.placement = top
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd "DeployedApplication - Installing app=*nmon*" | timechart span=1d dc(host) AS Number_hosts_deployed count AS Nbr_of_deployment_actions

# Forwarder inventory built from tcpin_connections events in metrics.log:
# latest source IP, OS, version, forwarder type and architecture per hostname.
# Also reads index=_internal although the title does not say so. The result
# is an inventory of forwarder addresses and versions, so keep the report's
# sharing limited to roles that are meant to see it.
[Universal Forwarders Configuration Report]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*metrics.log group=tcpin_connections version=* | eval 
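hostname=if(isnull(hostname), sourceHost,hostname)\
| stats latest(sourceIp) AS sourceIp, latest(os) AS os, latest(version) AS version, latest(fwdType) AS fwdType, latest(arch) AS arch by hostname

################
# ALERT CENTER #
################

# Three searches per resource (cpu, real memory, virtual memory, file-systems):
#
#   "Number of active ... alerts"   counts alert_fired events in index=_audit
#                                   for one saved search over the last 60
#                                   minutes and maps the count with rangemap
#                                   (0 -> low, anything else -> high).
#   "Search historical ... alerts"  runs the alerting_* macro over the last 24h.
#   "... issues"                    runs the same macro as a single value.
#
# Caveats for the counters:
# - They read index=_audit. For a role that cannot search that index the
#   result is count=0, which is displayed exactly like "no alert fired"
#   (first entry of rangeColors). Check role access before trusting a 0.
# - ss_name must equal the title of the alert stanza character for character
#   and ss_app must equal the app name; a renamed alert or app makes the
#   counter read 0 without any error.
# - The time window is set inside the search (earliest="-60m" latest="now"),
#   which takes precedence over dispatch.earliest_time.
# - The alert stanzas visible in this file throttle per frameID,host for 60m,
#   so the count is the number of alert_fired events, not the number of
#   threshold breaches.

#### CPU ####

[ALERT CENTER - Number of active CPU alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.singlevalue.unit = cpu active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired ss_name="NMON - cpu usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high

[ALERT CENTER - Search historical CPU alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.singlevalue.unit = cpu active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_cpu_usage`

[ALERT CENTER - CPU issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential CPU issue
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_cpu_usage`

[ALERT CENTER - Number of active Real Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.singlevalue.unit = physical memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired ss_name="NMON - physical memory usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high

[ALERT CENTER - Search historical Real Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.singlevalue.unit = physical memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_realmemory_usage`

[ALERT CENTER - Real Memory issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential Memory issue
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_realmemory_usage`

[ALERT CENTER - Number of active Virtual Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
# Aligned with the other three counters (was -24h@h); the effective window is
# the 60 minutes set inside the search either way.
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.singlevalue.unit = virtual memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired ss_name="NMON - virtual usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high

[ALERT CENTER - Search historical Virtual Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.singlevalue.unit = virtual memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_virtualmemory_usage`

[ALERT CENTER - Virtual Memory issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential Virtual Memory issue
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_virtualmemory_usage`

[ALERT CENTER - Number of active FS alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = file-systems saturation
display.visualizations.singlevalue.unit = file-systems active alerts
display.visualizations.singlevalue.useColors = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired ss_name="NMON - file-systems under saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high

[ALERT CENTER - Search historical FS alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = file-systems saturation
display.visualizations.singlevalue.unit = file-systems active alerts
display.visualizations.singlevalue.useColors = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_filesystem_usage`

[ALERT CENTER - FS issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with file-system usage in excess
display.visualizations.singlevalue.underLabel = file-system saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_filesystem_usage`

#######################
# Various Reports #
#######################

[UPTIME - servers recent reboot (last 60 minutes)]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows servers having rebooted within last 60 minutes
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics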
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
# How the search below works:
# 1. Two tstats calls (prestats=true, the second with append=true) read the
#    latest uptime and report epoch per host from the metricator-nmon-config
#    data model: once from the nmon_config inventory, once from its Uptime
#    dataset. The following stats merges both into one row per host.
# 2. The Uptime ("external") value is preferred when it is not null, otherwise
#    the inventory value is used; the same rule selects the report epoch.
# 3. The uptime is extrapolated to now: last_known_uptime + (now - epoch).
# 4. Only hosts whose extrapolated uptime is <= 3600 seconds are kept, i.e.
#    hosts that appear to have started within the last hour.
# Hosts that reported nothing in the 60-minute search window cannot appear.
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| where last_known_uptime<=3600\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date (mm/dd/Y HH:MM)"

# Same computation as the recent-reboot report above, restricted to
# OStype = "Linux" in both tstats calls, over the last 24 hours and without
# the <= 3600 seconds filter: every Linux host that reported is listed with
# its extrapolated uptime and derived start date.
[Linux OS - Last known uptime by host]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows last known uptime for Linux hosts based on inventory data and nmon external
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) (metricator-nmon-config.OStype = "Linux") by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.OStype = "Linux") (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date (mm/dd/Y HH:MM)"

# AIX variant of the report above: identical search with OStype = "AIX".
# NOTE(review): the description mentions only "nmon external", but the search
# also reads the nmon_config inventory, exactly like the Linux report.
[AIX OS - Last known uptime by host]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows last known uptime for AIX hosts based on nmon external
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) (metricator-nmon-config.OStype = "AIX") by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.OStype = "AIX") (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date 
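(mm/dd/Y HH:MM)"

# ---------------------------------------------------------------------------
# Filesystem utilization reports (Linux, AIX, Solaris)
#
# The three searches are identical except for the OStype filter:
# 1. mstats reads the latest value of every os.unix.nmon.storage.df_storage.*
#    metric per host and mount (dimension_mount) over the last 24 hours.
# 2. eval/stats pivot the four metrics (Available, Use_pct, Used, blocks) into
#    one row per host and mount.
# 3. Sizes are divided by 1024 twice and labelled GB, which presumes the
#    source values are in KB (TODO confirm against the collector).
# 4. appendpipe adds one extra row with the sums over all rows; its mount is
#    filled with "*** TOTAL GB / AVERAGE % ****" and its percentages are
#    recomputed from the summed sizes.
#
# The foreach templates use the <<FIELD>> token. This page showed them as a
# bare "<>", which is not valid SPL; the token is restored here.
# ---------------------------------------------------------------------------

[Linux OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for Linux hosts based on DF nmon external metrics
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=Linux host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]

# NOTE(review): the description says "based on inventory data", but the search
# reads the same df_storage metrics as the Linux report.
[AIX OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for AIX hosts based on inventory data
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=AIX host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]

# NOTE(review): the description says "based on inventory data", but the search
# reads the same df_storage metrics as the Linux report.
[Solaris OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for Solaris hosts based on inventory data
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=Solaris host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]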