#Splunk environment saved searches
[IT Service Intelligence - Get splunk indexer entities]
# Entity-discovery search for ITSI. It is a generating search (leading "|"):
# it reads /services/server/info over REST rather than indexed events, then
# derives a multivalue "role" field from the server_roles.* flags and keeps only
# servers whose role includes "indexer". Output columns: serverName, role.
# fillnull (default fill value 0) runs first so the =="0" comparisons also hold
# for servers that do not report a given server_roles.* flag at all.
# Note on the eval chain: a non-"0" search_head flag *replaces* an earlier
# "search_peer" value instead of appending to it; only "indexer" is appended
# (";"-joined, then split by makemv). The search head and search peer stanzas
# below use the identical chain; only the final "search role=..." filter differs.
description = Get a list of splunk indexers, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=indexer
# 0 = enabled. No cron_schedule/enableSched is set in this stanza, so it is
# only run on demand.
disabled = 0
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
[IT Service Intelligence - Get splunk search head entities]
# Entity-discovery search for ITSI: same REST-based role derivation as the
# indexer stanza (generating search over /services/server/info, role built from
# the server_roles.* flags), filtered to servers whose role includes
# "search_head". Output columns: serverName, role.
# Because the search_head eval overwrites rather than appends, a server that is
# both search peer and search head is reported here as "search_head" only.
description = Get a list of splunk search heads, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=search_head
# 0 = enabled; not scheduled by this stanza (no cron_schedule/enableSched).
disabled = 0
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
[IT Service Intelligence - Get splunk search peer entities]
# Entity-discovery search for ITSI: same REST-based role derivation as the
# indexer stanza, filtered to servers whose role includes "search_peer".
# Output columns: serverName, role.
# NOTE(review): because a non-"0" search_head flag replaces the "search_peer"
# value in the eval chain, a host that is both search peer and search head will
# NOT appear in this list — confirm that is the intended behaviour.
description = Get a list of splunk search peers, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=search_peer
# 0 = enabled; not scheduled by this stanza (no cron_schedule/enableSched).
disabled = 0
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
[IT Service Intelligence - Get splunk forwarder entities]
# Derives forwarder entities from splunkd's own metrics: tcpin_connections
# records in metrics.log (index=_internal) name the hosts that opened a TCP
# input connection to this instance. The search owner therefore needs read
# access to the _internal index for this stanza to return anything.
# "sourcehost" is computed by the stats but dropped by the following table;
# the output is a deduplicated single column, hostname.
description = Get a list of splunk forwarders, which can later be used to populate the IT Service Intelligence splunk service
search = index=_internal source=*metrics.log* group=tcpin_connections | stats values(hostname) as hostname, values(sourceHost) as sourcehost by host | mvexpand hostname | table hostname | dedup hostname
# 0 = enabled; not scheduled by this stanza (no cron_schedule/enableSched).
disabled = 0
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
#Netapp app saved searches
[IT Service Intelligence - Get Netapp controllers]
# Lists NetApp controller hosts from the NetApp app's SystemPerfHandler events.
# No index or sourcetype is constrained here, so the search runs over the
# owner's default search indexes. The output column is renamed to "dest" so
# it can be mapped directly as the ITSI entity alias.
description = Retrieves a list of Netapp controllers, for use importing into IT Service Intelligence as entities
search = source=SystemPerfHandler | table host | dedup host | rename host AS dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
[IT Service Intelligence - Get Netapp Vservers]
# Lists NetApp Vservers: ontap:system events flagged is-clustered=true, one row
# per host, output as a single "dest" column (the ITSI entity alias field).
description = Retrieves a list of Netapp Vservers from the Netapp App, for use for importing into IT Service Intelligence as entities
search = sourcetype=ontap:system is-clustered=true | dedup host | table host |rename host AS dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
[IT Service Intelligence - Get Netapp volumes]
# Lists NetApp volumes from ontap:volume events. The entity alias "dest" is
# "<host>:<volume name>", so the same volume name on two controllers yields two
# distinct entities. Same pattern as the aggregates and disks stanzas below.
description = Retrieves a list of volumes from the Netapp App, for use importing into IT Service Intelligence as entities
search = sourcetype=ontap:volume | eval dest = host + ":" + name | dedup dest | table dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
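[IT Service Intelligence - Get Netapp aggregates]
# Lists NetApp aggregates from ontap:aggr events. The entity alias "dest" is
# "<host>:<aggregate name>", matching the volumes and disks stanzas.
# (Description wording fixed: "for use into importing into" -> "for use in importing into".)
description = Retrieves a list of aggregates from the Netapp App, for use in importing into IT Service Intelligence as entities.
search = sourcetype=ontap:aggr | eval dest = host + ":" + name | dedup dest | table dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi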
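[IT Service Intelligence - Get Netapp disks]
# Lists NetApp disks from ontap:disk events. The entity alias "dest" is
# "<host>:<disk name>", matching the volumes and aggregates stanzas.
# (Description wording fixed: "for use into importing into" -> "for use in importing into".)
description = Retrieves a list of disks from the Netapp App, for use in importing into IT Service Intelligence as entities.
search = sourcetype=ontap:disk | eval dest = host + ":" + name | dedup dest | table dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi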
#*NIX searches
[IT Service Intelligence - Linux, Unix, Solaris, and OSX hosts]
# Discovers *nix hosts through the CIM Performance data model (CPU dataset)
# rather than raw sourcetypes: any host tagged "unix" in All_Performance is
# emitted once as "dest". Requires the Performance data model to be present
# (CIM add-on) and populated by TA-nix.
# NOTE(review): the three sourcetype-based TA-nix stanzas further down
# ("Linux and Unix hosts", "Solaris hosts", "OS X hosts") cover the same
# population a different way — confirm both sets are meant to coexist.
description = Collect the *nix hosts provided through the TA-nix app for entry into IT Service Intelligence
search = | datamodel Performance CPU search | search All_Performance.tag=unix | dedup All_Performance.dest | table All_Performance.dest | rename All_Performance.dest AS dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
#VMware saved searches
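[IT Service Intelligence - Get VMware Datacenters]
# Inventory-hierarchy events from the VMware add-on, pre-filtered to
# type=ClusterComputeResource. The spath/search/eval pipeline after that first
# filter is byte-identical in all three VMware stanzas (Datacenters,
# HostSystems, Virtual Machines); only the initial type= differs. The derived
# parent/parentType fields are not included in the final table.
# NOTE(review): the stanza name and description say "Datacenters", but the
# filter selects ClusterComputeResource objects — confirm the intended type.
# (Description typo fixed: "VMWware" -> "VMware".)
description = Get the VMware Datacenters and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=ClusterComputeResource | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi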
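[IT Service Intelligence - Get VMware HostSystems]
# ESX/ESXi hosts: inventory-hierarchy events pre-filtered to type=HostSystem.
# The remainder of the pipeline (spath extraction, parent/parentType
# resolution, stats by host+moid) is shared verbatim with the other two VMware
# stanzas; the final table emits host, moid, name, type, rootFolderMoid.
# (Description typo fixed: "VMWware" -> "VMware".)
description = Get the VMware ESX\ESXi host systems and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=HostSystem | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi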
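[IT Service Intelligence - Get VMware Virtual Machines]
# Virtual machines: inventory-hierarchy events pre-filtered to
# type=VirtualMachine. This is the only one of the three VMware stanzas where
# the "if(type="VirtualMachine", vmhost, parent)" branch actually fires, making
# the owning host system the VM's parent; parent/parentType are then dropped by
# the final table anyway. Pipeline otherwise shared with the other VMware stanzas.
# (Description typo fixed: "VMWware" -> "VMware".)
description = Get the VMware Virtual Machines and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=VirtualMachine | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi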
#Windows app saved searches
[IT Service Intelligence - Get Windows hosts]
# Discovers Windows hosts through the CIM Compute_Inventory data model (OS
# dataset): every host tagged "windows" in All_Inventory is emitted once as
# "dest". Requires the Compute_Inventory data model (CIM add-on) to be present.
description = Retrieves a list of hosts generating Windows host data
search = | datamodel Compute_Inventory OS search | search All_Inventory.tag=windows | dedup All_Inventory.dest | rename All_Inventory.dest AS dest | table dest
# App context Splunk Web uses when dispatching this search.
request.ui_dispatch_app = itsi
#CIM network discovery saved searches
[IT Service Intelligence - Get IP addresses]
# Builds one deduplicated column (all_ips) of every IP seen as a source or
# destination in the Network_Traffic data model, unioned (append) with the
# Network.ip values from the Compute_Inventory data model. Source and
# destination are joined with ";" and split back with makemv/mvexpand so both
# land in the same column. tstats is used, so this relies on the CIM data
# models being available; results cover whatever time range the caller
# dispatches with (no dispatch.* times are set in this stanza).
# Unlike the stanzas above, no request.ui_dispatch_app or disabled key is set.
description = Get a list of all known IP addresses from the CIM Inventory and Network Traffic data models
search = | tstats count FROM datamodel=Network_Traffic by All_Traffic.src_ip, All_Traffic.dest_ip | rename All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip | dedup src_ip dest_ip | eval all_ips = src_ip + ";" + dest_ip | makemv delim=";" all_ips | mvexpand all_ips | table all_ips | append [|tstats count FROM datamodel=Compute_Inventory by Network.ip | rename Network.ip AS all_ips | dedup all_ips | table all_ips] | dedup all_ips
[IT Service Intelligence - Get IP addresses by MAC address]
# Produces one row per MAC address with all IPs observed for it. Three
# tstats sources are unioned via append — Network_Traffic src_ip/src_mac,
# Network_Traffic dest_ip/dest_mac, and Compute_Inventory Network.ip/Network.mac
# — normalised to (ip, mac), then mvcombine folds the IPs of each mac into a
# multivalue "ip" field and dedup mac keeps one row per MAC.
# No request.ui_dispatch_app or disabled key is set in this stanza.
description = Get a list of all known MAC addresses and their associated IP addresses in a multivalue field
search = | tstats count FROM datamodel=Network_Traffic by All_Traffic.src_ip, All_Traffic.src_mac |rename All_Traffic.src_ip AS ip | rename All_Traffic.src_mac AS mac | table ip, mac | append [| tstats count FROM datamodel=Network_Traffic by All_Traffic.dest_ip, All_Traffic.dest_mac |rename All_Traffic.dest_ip AS ip, All_Traffic.dest_mac AS mac | table ip, mac ] | append [| tstats count FROM datamodel=Compute_Inventory by Network.ip, Network.mac | rename Network.ip AS ip, Network.mac AS mac | table ip, mac ] | mvcombine delim=";" ip | dedup mac
#TA-nix
[IT Service Intelligence - Linux and Unix hosts]
# Sourcetype-based discovery of TA-nix hosts (Linux:* and Unix:* sourcetypes),
# one row per host. Unlike the data-model-based "*nix" stanza above, the column
# is left as "host" (not renamed to dest) and no request.ui_dispatch_app is set.
description = Collect the unix and linux hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=Linux:* OR sourcetype=Unix:* | dedup host | table host
[IT Service Intelligence - Solaris hosts]
# Sourcetype-based discovery of TA-nix Solaris hosts (Solaris:* sourcetypes),
# one row per host, output column "host".
description = Collect the solaris hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=Solaris:* | dedup host | table host
[IT Service Intelligence - OS X hosts]
# Sourcetype-based discovery of TA-nix OS X hosts (OSX:* sourcetypes),
# one row per host, output column "host".
description = Collect the OS X hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=OSX:* | dedup host | table host
###### Lookup Generating Searches ######
[IT Service Intelligence - User Realnames - Lookup Gen]
# Scheduled lookup generator: every 10 minutes it pulls the user list of the
# local instance from /services/authentication/users (count=0 = no result
# limit) and writes username -> realname into itsi_user_realnames_lookup,
# keyed by username (_key=user). Empty realnames are normalised to null.
# The trailing "| stats count" means the search itself only returns a row
# count; the lookup is the real output.
# NOTE(review): the generated lookup is effectively a directory of every
# account on this search head. Check the lookup's sharing/permissions so it is
# not readable more broadly than the ITSI features that need it, and remember
# that splunk_server=local restricts this to the local instance's users only.
cron_schedule = */10 * * * *
# NOTE(review): Splunk accepts True/False here, but every other stanza in this
# file uses 0/1 — consider "disabled = 0" for consistency.
disabled = False
# Time range is required for a scheduled search; "| rest" itself does not
# filter on it.
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
# Hidden from the saved-search listing in Splunk Web.
is_visible = false
# Also run once when splunkd starts, so the lookup exists before the first
# cron tick.
run_on_startup = true
search = | rest splunk_server=local count=0 /services/authentication/users | rename title as user | eval _key=user | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key user realname | outputlookup itsi_user_realnames_lookup | stats count
### Search to group events ###
[itsi_event_grouping]
# Real-time event grouping search. The cron entry (every minute) plus
# enableSched=1 make it a scheduled search, but disabled=1 means it is OFF as
# shipped; presumably ITSI enables it at runtime — confirm against the app
# code that manages event management.
cron_schedule = * * * * *
disabled = 1
# earliest=latest=rt: an all-time real-time window, in indexed real-time mode
# (events are read as they are indexed rather than as they arrive).
dispatch.earliest_time = rt
dispatch.indexedRealtime = 1
dispatch.latest_time = rt
enableSched = 1
# Events from the `itsi_event_management_index_with_close_events` macro are
# trimmed to five fields and handed to the itsirulesengine custom command.
# "| where 1=2" discards every result row afterwards, so this search produces
# no output of its own; the useful work is whatever itsirulesengine does as a
# side effect (defined outside this file).
search = `itsi_event_management_index_with_close_events` | fields _time, _raw, source, sourcetype, host | itsirulesengine | where 1=2
### Search to find duplicated alias in entity ###
[itsi_find_dup_alias]
# Daily (00:00) integrity check: finds entity alias values that are claimed by
# more than one entity in the itsi_entities lookup and passes them to the
# itsicheckfordupalias custom command (defined outside this file).
cron_schedule = 0 0 * * *
# 0 = enabled.
disabled = 0
# Time range is required for a scheduled search; inputlookup ignores it.
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
# Hidden from the saved-search listing in Splunk Web.
is_visible = false
# _itsi_identifier_lookups (one value per alias) is copied to a field without
# the leading underscore so mvexpand can expand it; then stats groups by alias
# and keeps only aliases with count > 1, carrying the titles, service keys and
# entity keys involved so the custom command can report them.
search = |inputlookup itsi_entities | eval itsi_identifier_lookups = _itsi_identifier_lookups | mvexpand "itsi_identifier_lookups" | eval key=_key | stats count values(itsi_identifier_lookups) values(title) values(services._key) values(key) by itsi_identifier_lookups | where count > 1| itsicheckfordupalias
[itsi_check_kvstore_size]
# Daily (00:00) KV store health check for the itsi_services collection.
# Gathers the collection's size via the local introspection endpoint, reads the
# two limits.conf kvstore result-size limits that apply to SA-ITOA, and hands
# both to the itsicheckforkvstoresize custom command (defined outside this
# file) for evaluation.
cron_schedule = 0 0 * * *
# 0 = enabled.
disabled = 0
# Time range is required for a scheduled search; "| rest" ignores it.
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
# Hidden from the saved-search listing in Splunk Web.
is_visible = false
# The value is continued across lines with a trailing backslash (Splunk .conf
# continuation); do not insert comment lines inside it.
# Pipeline: collectionstats -> one row per collection (mvexpand/spath) ->
# "ns" split on its LAST dot into App / Collection (the first capture group is
# greedy) -> sizes converted from bytes to MB -> keep Collection =
# "itsi_services" -> appendcols the two limits.conf values
# (max_size_per_result_mb, max_size_per_batch_result_mb) read from SA-ITOA's
# properties endpoint -> "KVStore Limit Max Size (MB)" = the smaller of the two.
search = | rest splunk_server=local /services/server/introspection/kvstore/collectionstats \
| mvexpand data \
| spath input=data \
| rex field=ns "(?<App>.*)\.(?<Collection>.*)" \
| eval dbsize=size/1024/1024 \
| eval indexsize=totalIndexSize/1024/1024 \
| stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS \
"Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App,Collection \
| search Collection = "itsi_services" \
| appendcols [ \
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/properties/limits/kvstore/max_size_per_result_mb \
| rename value as max_size_per_result_mb] \
| appendcols [ \
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/properties/limits/kvstore/max_size_per_batch_result_mb \
| rename value as max_size_per_batch_result_mb] \
| eval "KVStore Limit Max Size (MB)"=min(max_size_per_result_mb, max_size_per_batch_result_mb) \
| itsicheckforkvstoresize
[itsi_tracked_alerts_fields]
# Daily at 02:00: runs the `itsi_event_management_index_fields` macro over the
# last 24 hours. The macro body is defined outside this file (macros.conf).
cron_schedule = 0 2 * * *
# 0 = enabled.
disabled = 0
# "1p": keep the search artifacts for one scheduling period (i.e. until the
# next daily run), after which they are eligible for reaping.
dispatch.ttl = 1p
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
# Hidden from the saved-search listing in Splunk Web.
is_visible = false
search = `itsi_event_management_index_fields`
[service_level_telemetry]
# Per-service telemetry summary. Not scheduled (enableSched = 0) and hidden,
# so it runs only when something dispatches it by name — presumably the
# telemetry collector; confirm against the caller.
# 0 = enabled (can be dispatched).
disabled = 0
is_visible = false
enableSched = 0
# Reads service_telemetry_lookup; zips each service's kpis.title with its
# kpis.search_type (delimiter "==@@==") so the two multivalue fields stay
# aligned through mvexpand, then counts KPIs per search_type (adhoc,
# shared_base, datamodel, metric), excluding the synthetic ServiceHealthScore
# KPI from the totals, plus template id, dependency count and security group.
# The final "rex mode=sed" replaces the ENTIRE title with "xxxxxx"
# ([\s\S]* matches everything), i.e. service names are masked before the data
# leaves the instance. NOTE(review): sec_grp and base_template_id are emitted
# unmasked — confirm those identifiers are acceptable in telemetry.
search = | inputlookup service_telemetry_lookup | eval zipped = mvzip('kpis.title', 'kpis.search_type' , "==@@==") | fields - kpis._key, kpis.base_search, kpis.title, kpis.search_type | mvexpand zipped | eval x = split(zipped, "==@@==") | eval kpi_title = mvindex(x, 0) | eval search_type = mvindex(x, 1) | fields - x, zipped | stats count(eval(kpi_title!="ServiceHealthScore")) as total_kpis count(eval(kpi_title!="ServiceHealthScore" and search_type=="adhoc")) as adhoc_count count(eval(search_type=="shared_base")) as sbs_count count(eval(search_type=="datamodel")) as dm_count count(eval(search_type=="metric")) as metric_count values(base_service_template_id) as base_template_id dc(services_depends_on.serviceid) as depend_service values(sec_grp) as sec_grp by title | rex field=title mode=sed "s/([\s\S]*)/xxxxxx/g"
[itsi_content_packs_status_update]
# Hourly (at :30) housekeeping: the whole search is the itsicontentpackstatus
# custom command (defined outside this file), which per the description
# refreshes the installed-state of ITSI content packs. No time range is set,
# so the scheduler uses the defaults; the command does not read events.
cron_schedule = 30 * * * *
description = Checks and updates which ITSI content packs are installed
# 0 = enabled.
disabled = 0
enableSched = 1
# Hidden from the saved-search listing in Splunk Web.
is_visible = false
search = | itsicontentpackstatus
[custom_threshold_windows_telemetry]
# Telemetry summary of custom threshold windows. Like service_level_telemetry
# it is not scheduled (enableSched = 0) and hidden, so it runs only when
# dispatched by name — presumably the telemetry collector; confirm.
# 0 = enabled (can be dispatched).
disabled = 0
is_visible = false
enableSched = 0
# The value is continued across lines with a trailing backslash (Splunk .conf
# continuation); do not insert comment lines inside it.
# Pipeline: read custom_threshold_window_telemetry_lookup -> treat a missing or
# empty cron_schedule as 0 -> count linked KPIs -> fillnull so the four
# multivalue fields line up -> mvzip cron_schedule, duration, recurrence and
# linked_kpis_count with "==@@==" -> mvexpand and split back into scalar fields
# -> finally relabel cron_schedule "0" as "non-recur". Only those four
# per-window fields survive ("fields zipped" drops everything else).
search = | inputlookup custom_threshold_window_telemetry_lookup\
| rename linked_services.linked_kpi_ids as linked_kpis\
| eval cron_schedule = if(isnull(cron_schedule) OR cron_schedule="", 0, cron_schedule)\
| eval linked_kpis_count = mvcount(linked_kpis)\
| fillnull\
| eval zipped = mvzip(mvzip(mvzip('cron_schedule', 'duration', "==@@=="), 'recurrence', "==@@=="), 'linked_kpis_count', "==@@==")\
| fields zipped\
| mvexpand zipped\
| eval x = split(zipped, "==@@==")\
| eval cron_schedule = mvindex(x, 0)\
| eval duration = mvindex(x, 1)\
| eval recurrence = mvindex(x, 2)\
| eval linked_kpis_count = mvindex(x, 3)\
| fields - x, zipped\
| eval cron_schedule = if(cron_schedule == "0", "non-recur", cron_schedule)