Splunk_Deploiement/apps/metricator-for-nmon/default/savedsearches.conf


############################################################
# Simple search used in Home page to show
# numbers of hosts indexed within last 7 days
############################################################
# Since version 1.9.7, and for run time optimization purposes, we link this search with a KVstore-based lookup table
# The lookup is used to store the state day after day, such that we can provide the same features as a full 7 days
# time range while having a search running on the current day only
# At large scale, the original tstats search could run up to 30 seconds which is too much for a good user experience
# As such, the number of hosts reported is the global number of hosts and is no longer linked to the user context.
# Home-page single value: distinct hosts per day across the last 7 days.
# The mstats part only scans the dispatch window (-1d@d to now); earlier days are read from
# the nmon_hosts_last_7days lookup appended below, and rows older than -7d@d are filtered out.
# NOTE(review): the appended lookup rows are shared data rather than the output of the viewing
# user's own search, so the count presumably ignores per-user index restrictions - confirm this is intended.
[Hosts with data within last 7 days]
dispatch.earliest_time = -1d@d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.colorBy = trend
display.visualizations.singlevalue.rangeColors = ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]
display.visualizations.singlevalue.rangeValues = [0,30,70,100]
display.visualizations.singlevalue.trendInterval = auto
display.visualizations.singlevalue.underLabel = Hosts with recent activity
display.visualizations.singlevalue.useColors = 1
display.visualizations.singlevalueHeight = 173
display.visualizations.type = singlevalue
search = | mstats count(_value) as count where `nmon_metrics_index` metric_name="os.unix.nmon.cpu.cpu_all.*" by host span=1d | stats dc(host) as dcount by _time\
| append\
[ | inputlookup nmon_hosts_last_7days ]\
| eval time_limit=relative_time(now(), "-7d@d")\
| where _time>time_limit\
| stats max(dcount) as dcount by _time\
| sort 0 _time
# This scheduled report will fill the KVstore based lookup table for previous days
# Scheduled at minute 1 of every hour (15-minute schedule window) over the last 7 days.
# Computes one row per day (dcount = distinct hosts) and writes the rows to the
# nmon_hosts_last_7days lookup; the trailing "stats count" only returns the number of rows written.
# The display.* keys mirror the home-page panel and do not affect the scheduled run.
[Hosts with data within last 7 days (fill the nmon_hosts_last_7days lookup)]
cron_schedule = 1 * * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.colorBy = trend
display.visualizations.singlevalue.rangeColors = ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]
display.visualizations.singlevalue.rangeValues = [0,30,70,100]
display.visualizations.singlevalue.trendInterval = auto
display.visualizations.singlevalue.underLabel = Hosts with recent activity
display.visualizations.singlevalue.useColors = 1
display.visualizations.singlevalueHeight = 173
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 15
search = | mstats count(_value) as count where `nmon_metrics_index` metric_name="os.unix.nmon.cpu.cpu_all.*" by host span=1d | stats dc(host) as dcount by _time\
| outputlookup nmon_hosts_last_7days | stats count
#############################################################
# Total Cost of Ownership
#############################################################
# Licence usage volume for the indexes selected by the nmon_idx macro, last 7 days.
# Sums field b per 2-minute bucket, divides by 1024 twice (presumably bytes to MB - confirm)
# and keeps buckets with a volume above 0.
# auto_summarize = 1 turns on report acceleration with a -7d@d summary range.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[Volume of data indexed within last 7 days]
alert.digest_mode = 1
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d@d
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx`\
| bucket _time span=2m\
| stats sum(b) as volume by _time\
| eval volume=round((volume/1024/1024), 2)\
| where volume>0
# Daily indexed volume in GB over the last 30 days, charted from licence usage events.
# The search sums b per minute and index, re-aggregates per day and converts to GB (b/1024^3).
# NOTE(review): user_is_admin is assigned and then dropped by the final "fields" - its purpose is not visible here.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[TCO - Volume indexing over time]
action.email.useNSSubject = 1
alert.track = 0
description = Volume of data (GB) indexed per day
dispatch.earliest_time = -30d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.chartHeight = 565
display.visualizations.charting.legend.placement = top
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | bucket _time span=1m | stats sum(b) AS b by _time,idx | timechart span=1d sum(b) AS b | eval volume_per_day_GB=round((b/1024/1024/1024),2) | eval user_is_admin=True | fields _time,volume_per_day_GB
# Average licence volume per host: hourly volume in MB divided by the hourly distinct host count
# (hosts reporting the logical_cpus metric), averaged over the last 7 days; the per-day figure is the hourly one x 24.
# NOTE(review): appendcols pairs rows by position, not by _time - if the mstats side lacks an hour that the
# timechart side has, later rows would be misaligned; confirm both sides always cover the same hours.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[TCO - Total Cost of Ownership per server]
action.email.useNSSubject = 1
alert.track = 0
description = Total Cost of Ownership, per hour/server and estimated per day/server licencing cost
dispatch.earliest_time = -7d@d
dispatch.latest_time = @h
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | timechart span=1h sum(b) AS b | eval volume_MB = round(b/1024/1024,2) | fillnull value=0\
| appendcols [ | mstats max(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.cpu_all.logical_cpus by host span=1h\
| stats dc(host) as dcount by _time ]\
| eval cost_per_server_MB=(volume_MB/dcount) | stats avg(cost_per_server_MB) AS cost_per_server_MB | eval cost_per_server_MB=round(cost_per_server_MB, 2), estimated_cost_per_server_MB=round(cost_per_server_MB*24, 2)\
| rename cost_per_server_MB AS "per hour/server cost in MB", estimated_cost_per_server_MB AS "estimated per day/server cost in MB"
# Average indexed volume per day in GB over the last 7 full days (latest = @d, so today is excluded).
# Days without usage count as 0 (fillnull) before the average is taken.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[TCO - Total Cost of Ownership of global indexing]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Average volume of data (GB) indexed per day
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*license_usage.log* type=Usage `nmon_idx` | where b>0 | timechart span=1d sum(b) AS b | fillnull value=0 | stats avg(b) AS avg_volume_per_day | eval avg_volume_per_day_GB=round((avg_volume_per_day/1024/1024/1024),2) | fields avg_volume_per_day_GB
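# Per-report scheduler cost over the last 30 days, read from scheduler.log in index=_internal:
# average, maximum and latest run time plus the date of the last run, by app and saved search.
# Each "... run time (seconds / duration)" column pairs a run time in seconds with the
# tostring(..., "duration") rendering of that same value (avg, max and latest respectively).
# NOTE(review): the base search filters app="nmon" while this file dispatches in metricator-for-nmon -
# confirm the filter matches the app name the scheduler actually logs.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[TCO - Scheduling reporting]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Detailed reporting of scheduling searches cost
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal host="*" source=*scheduler.log status="*" NOT (status="continued" OR status=delegated*) savedsearch_name!="*_ACCELERATE_*" app="nmon"\
| stats avg(run_time) AS avg_run_time, max(run_time) AS max_run_time, latest(run_time) AS latest_run_time, max(_time) AS "last_run (dd/mm/YYYY H:M:S)" by app,savedsearch_name\
| eval "last_run (dd/mm/YYYY H:M:S)"=strftime('last_run (dd/mm/YYYY H:M:S)', "%d/%m/%Y %H:%M:%S") | foreach *_run_time [ eval <<FIELD>>=round('<<FIELD>>', 2) ]\
| sort savedsearch_name | rename savedsearch_name AS "report (savedsearch_name)"\
| eval duration_avg=tostring(avg_run_time, "duration"), duration_max=tostring(max_run_time, "duration"), duration_latest=tostring(latest_run_time, "duration")\
| eval "Avg run time (seconds / duration)" = avg_run_time + " sec / " + duration_avg + " (HH:MM:SSS)"\
| eval "Max run time (seconds / duration)" = max_run_time + " sec / " + duration_max + " (HH:MM:SSS)"\
| eval "Latest run time (seconds / duration)" = latest_run_time + " sec / " + duration_latest + " (HH:MM:SSS)"\
| fields app,report*,Avg*,Max*,Latest*,"last_run (dd/mm/YYYY H:M:S)"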
# First/last event dates per index and sourcetype, produced by the indexes_datestats macro (not visible here).
# dispatch.earliest_time = 0 with no latest time set, i.e. the search is not bounded to a recent window.
# NOTE(review): show_eventcount is assigned and then not kept by the final "fields" - purpose not visible here.
[TCO - Eventcount / Metadata Statistics: Indexes first and last event dates]
action.email.useNSSubject = 1
alert.track = 0
description = Date of first and last event per sourcetype
dispatch.earliest_time = 0
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `indexes_datestats` | eval show_eventcount=true | fields index,sourcetype,*Event
# Storage summary from dbinspect for the indexes selected by the nmon_index macro:
# total raw size and size on disk (MB and GB), bucket count, compression ratio shown as "<ratio> : 1",
# and average on-disk size per bucket in GB.
# dispatch.earliest_time = 0 with no latest time set, i.e. buckets are not limited to a recent window.
[TCO - Index storage and buckets details]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
description = Nmon index detailed statistics
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | dbinspect `nmon_index` | eval rawSize_MB=(rawSize/1024/1024) | stats sum(rawSize_MB) AS rawSize_MB, sum(sizeOnDiskMB) AS sizeOnDiskMB, dc(bucketId) AS dcount_bucket | eval compress_ratio = round(rawSize_MB / sizeOnDiskMB, 2)." : 1" | eval rawSize_GB=round(rawSize_MB/1024, 2), sizeOnDiskGB=round(sizeOnDiskMB/1024, 2) | eval avg_size_perbucket_GB=round(((sizeOnDiskMB/dcount_bucket)/1024), 2)
#############################################################
# NMON Inventory
#############################################################
# This report will generate the inventory lookup table used in many interfaces of the App.
# We arbitrarily keep only one result per day and per host of the nmon_config sourcetype, then we keep the last value by field in case multiple values are found, typically after a hardware configuration
# change
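# Scheduled at minute 0 of every hour (15-minute schedule window) over the last 48 hours.
# Merges the output of the nmon_inventory_update macro with the current nmon_inventory lookup,
# keeps rows whose OStype is not "NA" and whose reporting_date is within the last 30 days,
# takes the latest value of every field per hostname and writes the result back to nmon_inventory.
# NOTE(review): the lookup is rebuilt from indexed data on each run, so its content is presumably
# only as trustworthy as what the reporting hosts send - confirm who may write to the source index.
[Generate NMON Inventory Lookup Table]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 0
auto_summarize.dispatch.earliest_time =
cron_schedule = 0 * * * *
description = Generation of NMON Inventory Lookup Table
dispatch.earliest_time = -48h
dispatch.latest_time = now
# Keep this job artifact for 1 hour (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 3600
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 15
search = | `nmon_inventory_update`\
| append\
[ | inputlookup nmon_inventory ]\
| where OStype!="NA"\
| eval _time=strptime(reporting_date, "%m/%d/%Y %H:%M"), limit=relative_time(now(), "-30d@d")\
| where _time>=limit\
| stats latest(*) as "*" by hostname\
| fields - _time,limit\
| outputlookup nmon_inventory | stats count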
#############################################################
# NMON frameID mapping
#############################################################
# Update the frameID mapping KVstore collection
# This report runs every hour by default, in addition it will also run on Splunk startup to ensure
# we populate the collection if required to prevent the frameID field from being null if not complete (this affects only SPL searches, not searches against data models)
# Scheduled at minute 0 of every hour (5-minute schedule window) and also on Splunk startup (run_on_startup).
# For each host seen in the last 7 days the search takes its serialnum values, reuses the frameID already
# stored for that host or falls back to serialnum, fills missing values with "none", drops hosts that are
# already present in nmon_frameID_mapping and appends the remaining rows to that collection (append=t).
# NOTE(review): host and serialnum come from indexed metric dimensions, so new mapping rows are presumably
# only as trustworthy as the data the reporting hosts send - confirm who may write to the metrics index.
[Generate NMON frameID mapping lookup table]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = This scheduled report will update the frameID mapping KVstore collection
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.statistics.drilldown = none
display.visualizations.chartHeight = 524
display.visualizations.charting.chart = line
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
run_on_startup = true
search = | mcatalog values(serialnum) as serials where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.cpu_all.logical_cpus by host\
| rename serials as serialnum\
| lookup nmon_frameID_mapping host as host OUTPUT frameID\
| eval frameID=if(isnull(frameID), serialnum, frameID)\
| fields frameID, serialnum, host\
| lookup nmon_frameID_mapping serialnum AS serialnum, host as host OUTPUT host_description as host_description\
| fillnull value="none"\
| fields frameID,serialnum,host,host_description\
| search NOT [ | inputlookup nmon_frameID_mapping | fields host ]\
| outputlookup nmon_frameID_mapping append=t key_field=_key\
| stats count
#############################################################
# NMON Baseline
#############################################################
# These reports will generate the Nmon baseline and store results in nmon_baseline KV Store collections
# By default, the schedules run every Sunday starting at midnight
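# Weekly CPU baseline: runs Sundays at 00:00 (60-minute schedule window) over the last 3 months up to @d.
# 5-minute averages of Sys/User/Wait PCT go through the def_cpu_load_percent and mapping_frameID macros
# (not visible here), then the 5th percentile, average and 95th percentile of cpu_load_percent are computed
# per weekday, HHMM slot, frameID and hostname and rounded to 2 decimals.
# _key is set to frameID_hostname_weekday_HHMM before the rows are written to nmon_baseline_CPU_ALL.
[Generate NMON Baseline KV Collection for CPU_ALL]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 0 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
search = | mstats avg(_value) as value where `nmon_metrics_index` (metric_name=os.unix.nmon.cpu.cpu_all.Sys_PCT OR metric_name=os.unix.nmon.cpu.cpu_all.User_PCT OR metric_name=os.unix.nmon.cpu.cpu_all.Wait_PCT) by metric_name, host span=5m\
| `def_cpu_load_percent`\
| `mapping_frameID`\
| rename host as hostname\
| fields _time, frameID, hostname, cpu_load_percent\
| where isnotnull(cpu_load_percent)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats perc05(cpu_load_percent) AS lower_baseline_avg_cpu, avg(cpu_load_percent) AS baseline_avg_cpu, perc95(cpu_load_percent) AS upper_baseline_avg_cpu by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | table ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_CPU_ALL | stats count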
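# Weekly LPAR baseline: runs Sundays at 01:00 (60-minute schedule window) over the last 3 months up to @d.
# 5-minute averages of the os.unix.nmon.cpu.lpar.* metrics go through the
# def_all_os_lpar_load_and_pool_load_cores and mapping_frameID macros (not visible here), then the
# 5th percentile, average and 95th percentile of lpar_load_cores and lpar_pool_vp_usage are computed
# per weekday, HHMM slot, frameID and hostname and rounded to 2 decimals.
# _key is set to frameID_hostname_weekday_HHMM before the rows are written to nmon_baseline_LPAR.
# NOTE(review): the last stats aggregation ends with a comma right before "by" - confirm SPL accepts it.
[Generate NMON Baseline KV Collection for LPAR]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 1 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
search = | mstats avg(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.cpu.lpar.* by OStype, metric_name, host span=5m\
| `def_all_os_lpar_load_and_pool_load_cores`\
| `mapping_frameID`\
| rename host AS hostname\
| fields _time, frameID, hostname, lpar_load_cores, lpar_pool_vp_usage\
| where isnotnull(lpar_load_cores)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats\
perc05(lpar_load_cores) AS lower_baseline_avg_vp_usage, avg(lpar_load_cores) AS baseline_avg_vp_usage, perc95(lpar_load_cores) AS upper_baseline_avg_vp_usage,\
perc05(lpar_pool_vp_usage) AS lower_baseline_avg_pool_usage, avg(lpar_pool_vp_usage) AS baseline_avg_pool_usage, perc95(lpar_pool_vp_usage) AS upper_baseline_avg_pool_usage,\
by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ] \
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | fields ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_LPAR | stats count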
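# Weekly memory baseline: runs Sundays at 02:00 (60-minute schedule window) over the last 3 months up to @d.
# 5-minute averages of the metrics selected by def_memory_all_os_metric_filters go through the
# def_memory_load_percent and mapping_frameID macros (not visible here), then the 5th percentile, average
# and 95th percentile of mem_used_effective_PCT and swap_used_effective_PCT are computed per weekday,
# HHMM slot, frameID and hostname, rounded to 2 decimals and written to nmon_baseline_MEM.
# NOTE(review): unlike the CPU_ALL, LPAR and DISKXFER baselines, no ID/_key is built before outputlookup -
# confirm whether the nmon_baseline_MEM collection is expected to carry the same key.
# NOTE(review): the last stats aggregation ends with a comma right before "by" - confirm SPL accepts it.
[Generate NMON Baseline KV Collection for MEM]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 2 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
search = | mstats avg(_value) as value where `nmon_metrics_index` `def_memory_all_os_metric_filters` by OStype, metric_name, host span=5m\
| `def_memory_load_percent`\
| `mapping_frameID`\
| rename host AS hostname\
| fields _time, frameID, hostname, mem_used_effective_PCT, swap_used_effective_PCT\
| where isnotnull(mem_used_effective_PCT)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats\
perc05(mem_used_effective_PCT) AS lower_baseline_avg_real_mem, avg(mem_used_effective_PCT) AS baseline_avg_real_mem, perc95(mem_used_effective_PCT) AS upper_baseline_avg_real_mem,\
perc05(swap_used_effective_PCT) AS lower_baseline_avg_virtual_mem, avg(swap_used_effective_PCT) AS baseline_avg_virtual_mem, perc95(swap_used_effective_PCT) AS upper_baseline_avg_virtual_mem,\
by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| outputlookup nmon_baseline_MEM | stats count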
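# Weekly disk IOPS baseline: runs Sundays at 03:00 (60-minute schedule window) over the last 3 months up to @d.
# Per minute and host the search takes the dgxfer value when it is numeric and the diskxfer value otherwise,
# averages it per 5-minute bucket, maps the frameID, then computes the 5th percentile, average and
# 95th percentile of iops per weekday, HHMM slot, frameID and hostname, rounded to 2 decimals.
# _key is set to frameID_hostname_weekday_HHMM before the rows are written to nmon_baseline_DISKXFER.
[Generate NMON Baseline KV Collection for DISKXFER]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 3 * * 0
dispatch.earliest_time = -3mon@d
dispatch.latest_time = @d
# Keep this job artifact for 1 hour (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 3600
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.enablePreview = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 563
display.visualizations.charting.chart = line
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 60
search = | mstats avg(_value) as value where `nmon_metrics_index` metric_name=os.unix.nmon.storage.diskxfer OR metric_name=os.unix.nmon.storage.dgxfer by metric_name, host span=1m\
| `extract_metrics`\
| eval diskxfer_iops=case(metric_name=="os.unix.nmon.storage.diskxfer", value), dgxfer_iops=case(metric_name=="os.unix.nmon.storage.dgxfer", value)\
| stats max(diskxfer_iops) as diskxfer_iops, max(dgxfer_iops) as dgxfer_iops by _time, host\
| eval iops=if(isnum(dgxfer_iops), dgxfer_iops, diskxfer_iops)\
| bucket _time span=5m\
| stats avg(iops) as iops by _time, host\
| `mapping_frameID`\
| rename host AS hostname\
| where isnotnull(iops)\
| eval date_wday=lower(strftime('_time', "%A")), local_time=strftime('_time', "%H%M")\
| stats perc05(iops) AS lower_baseline_avg_disk_iops, avg(iops) AS baseline_avg_disk_iops, perc95(iops) AS upper_baseline_avg_disk_iops by date_wday,local_time,frameID,hostname\
| foreach *baseline* [ eval <<FIELD>> = round(<<FIELD>>, 2) ]\
| eval ID=frameID + "_" + hostname + "_" + date_wday + "_" + local_time | fields ID, date_wday, local_time, frameID, hostname, *\
| eval _key=ID\
| outputlookup nmon_baseline_DISKXFER | stats count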
####################################################################
# Number of notable events in data processing and collect
####################################################################
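# Single value: number of error events over the last 24 hours, counting nmon processing/collect
# eventtypes carrying the term "error" together with splunkd ERROR ExecProcessor events that mention nmon,
# and excluding the two "python not found" messages listed in the search.
# auto_summarize = 1 turns on report acceleration with a -1d@h summary range.
# NOTE(review): the splunkd part reads index=_internal, so the count depends on the user's access to that index.
[Number of notable events in Data Processing or Data Collect since last 24 Hours]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1d@h
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Keep this job artifact for 10 minutes (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 600
display.general.type = statistics
display.page.search.mode = fast
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.singlevalue.rangeColors = ["0x555","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.unit = notable events reported
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = (eventtype=nmon:processing OR eventtype=nmon:collect error) OR (index=_internal sourcetype=splunkd ERROR ExecProcessor nmon) NOT ("There is no python in" OR "python: not found") | stats count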
#############################################################
# NMON Processing Errors
#############################################################
# Raw events of eventtype nmon:processing containing the term "error", last 24 hours.
# Not scheduled: the stanza sets no enableSched or cron_schedule.
[Errors in NMON Data Processing]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:processing error
#############################################################
# NMON Collect Errors
#############################################################
# Raw events of eventtype nmon:collect containing the term "error", last 24 hours.
# Not scheduled: the stanza sets no enableSched or cron_schedule.
[Errors in NMON Data Collect]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:collect error
#############################################################
# NMON Collect Activity
#############################################################
# Table of all nmon:collect events over the last 24 hours: time, host and the raw event text
# (the _raw field is renamed to "event").
[Activity of NMON Data Collect]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:collect | table _time,host,_raw | rename _raw as event
#############################################################
# NMON Processing Activity
#############################################################
# nmon:processing events over the last 24 hours, grouped by time and host: the hostname values and
# raw events seen for each group, newest first. "host" is shown as "host (collecter)" and
# "hostname" as "hostname (Nmon host)".
[Activity of NMON Data Processing]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = eventtype=nmon:processing | stats values(hostname) As "hostname (Nmon host)", values(_raw) As event by _time,host | rename host As "host (collecter)" | sort - _time
#############################################################
# NMON Activity - Splunkd events
#############################################################
# splunkd events from index=_internal over the last 24 hours that contain "nmon" and a term ending in "Processor".
# NOTE(review): *Processor starts with a wildcard, which is typically expensive to search - confirm it is
# needed rather than a fixed component name.
# NOTE(review): reads index=_internal, so results depend on the user's access to that index.
[Activity of NMON - Splunkd events]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd nmon *Processor
#############################################################
# NMON Report Inventory
#############################################################
# Solaris rows of the nmon_inventory lookup with the columns listed in "fields".
# No dispatch time range is set; the data comes from the lookup only.
# The output lists OS versions and hardware details per host, so read access to this report and to the
# lookup is best limited to roles that need asset data.
[NMON Inventory Solaris]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=Solaris\
| fields hostname,OStype,Solaris_sunOS_version,Solaris_version,cpu_cores,Processor,Solaris_processor_clockspeed,Physical_mem_MB,Virtual_mem_MB,nmon_version,uptime_duration,system_startup_date,reporting_date
# Linux rows of the nmon_inventory lookup with the columns listed in "fields".
# No dispatch time range is set; the data comes from the lookup only.
# The output lists distribution and kernel versions per host, so read access to this report and to the
# lookup is best limited to roles that need asset data.
[NMON Inventory Linux]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=Linux\
| fields hostname,OStype,cpu_cores,Processor,Physical_mem_MB,Virtual_mem_MB,Linux_distribution,Linux_kernelversion,nmon_version,uptime_duration,system_startup_date,reporting_date
# AIX rows of the nmon_inventory lookup with the columns listed in "fields".
# No dispatch time range is set; the data comes from the lookup only.
# The output lists machine serial numbers, OS level and firmware level per host, so read access to this
# report and to the lookup is best limited to roles that need asset data.
[NMON Inventory AIX]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","hostname"]
display.events.type = raw
display.general.type = statistics
display.statistics.drilldown = none
display.statistics.rowNumbers = 1
display.visualizations.chartHeight = 420
display.visualizations.charting.chart = line
display.visualizations.charting.chart.style = minimal
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | inputlookup nmon_inventory | search OStype=AIX\
| fields hostname,OStype,AIX_Machine_SerialNumber,AIX_LEVEL,AIX_virtualcpus,AIX_logicalcores,AIX_entitled,Processor,Physical_mem_MB,Virtual_mem_MB,AIX_processor_mode,AIX_processor_clockspeed,AIX_cpu_type,AIX_kernel_type,AIX_plateform_firmware_level,nmon_version,AIX_PoolID,AIX_system_installed_CPUs,AIX_system_active_CPUs,AIX_PoolCPUs,uptime_duration,system_startup_date,reporting_date
#############################################################
# NMON Alerting
#############################################################
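# Alert on file-system saturation; the detection logic lives in the alerting_filesystem_usage macro (not visible here).
# Runs every 5 minutes (5-minute schedule window) over the last 60 minutes and triggers per result
# (alert.digest_mode = 0) when the number of results is greater than 0.
# Triggered alerts are tracked (alert.track = 1) and throttled for 60m per fs_uuid.
# The email action is off (action.email = 0), so a triggered alert sends no email unless that is overridden.
[NMON - file-systems under saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = fs_uuid
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
description = This alert will trigger hosts having a file-system under a superior saturation to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_filesystem_usage`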
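# Alert on physical memory saturation; the detection logic lives in the alerting_realmemory_usage macro (not visible here).
# Runs every 5 minutes (5-minute schedule window) over the last 60 minutes and triggers per result
# (alert.digest_mode = 0) when the number of results is greater than 0.
# Triggered alerts are tracked (alert.track = 1) and throttled for 60m per frameID,host.
# The email action is off (action.email = 0), so a triggered alert sends no email unless that is overridden.
[NMON - physical memory usage saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
description = This alert will trigger hosts having a physical memory usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_realmemory_usage`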
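# Alert on virtual memory saturation; the detection logic lives in the alerting_virtualmemory_usage macro (not visible here).
# Runs every 5 minutes starting at minute 1 (cron 1-59/5, 5-minute schedule window) over the last 60 minutes
# and triggers per result (alert.digest_mode = 0) when the number of results is greater than 0.
# Triggered alerts are tracked (alert.track = 1) and throttled for 60m per frameID,host.
# The email action is off (action.email = 0), so a triggered alert sends no email unless that is overridden.
[NMON - virtual usage saturation]
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = 1-59/5 * * * *
description = This alert will trigger hosts having a virtual memory usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes (value in seconds). The note is on its own line because
# Splunk .conf files have no inline comments: trailing text would be read as part of the value.
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_virtualmemory_usage`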
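# Scheduled alert: hosts whose CPU usage exceeds the configured level.
# The threshold and duration logic is in the `alerting_cpu_usage` macro, which
# is defined outside this stanza.
# The stanza name is matched literally by ss_name in
# "ALERT CENTER - Number of active CPU alerts"; rename both together.
[NMON - cpu usage saturation]
# The email action is disabled here, so a triggered alert is only recorded
# (alert.track = 1) and never pushed to a recipient unless an action is enabled.
action.email = 0
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.priority = 2
action.email.reportServerEnabled = 0
action.email.sendresults = 0
action.email.useNSSubject = 1
# 0 = evaluate each result on its own rather than the result set as a whole.
alert.digest_mode = 0
alert.severity = 4
# Throttling: after firing, the same frameID,host pair is suppressed for 60m.
alert.suppress = 1
alert.suppress.fields = frameID,host
alert.suppress.period = 60m
alert.track = 1
# Trigger condition: number of events greater than 0 (see relation, quantity).
counttype = number of events
# Every 5 minutes starting at minute 2 (2,7,12,...).
cron_schedule = 2-59/5 * * * *
description = This alert will trigger hosts having a cpu usage superior to the alert level configured for a duration higher or equal to the minimum configured consecutive time in seconds. (applicable for all OS)
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Keep this job artifact for 10 minutes (600 seconds).
# The comment is on its own line because Splunk .conf files have no inline
# comments: text after a value is read as part of the value.
dispatch.ttl = 600
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 571
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
schedule_window = 5
search = | `alerting_cpu_usage`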
#############################################################
# Indexes stats
#############################################################
# Report: one "summary" field built by joining the 'First Event' and
# 'Last Event' fields with " - ". Those fields are presumably produced by the
# `indexes_datestats` macro, which is defined outside this stanza.
# dispatch.earliest_time = 0 makes this an all-time search, so its cost grows
# with the amount of retained data. No schedule is set in this stanza.
[Dates of first and last event within indexes]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = pivot
search = | `indexes_datestats` | eval summary='First Event' . " - " . 'Last Event' | fields summary
#############################################################
# TA-NMON Agent Reporting
#############################################################
# Report: latest addon_type, addon_version and event time per host, taken from
# the NMON_Processing object of the metricator-nmon-processing data model over
# the last 30 days.
# Hosts that report no addon_version are labelled "previous_to_1.2.45" and
# hosts with no addon_type are labelled "Undefined", so those rows mark agents
# whose version cannot be confirmed from the data.
[Add-on version per host]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 565
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = pivot
search = | pivot metricator-nmon-processing NMON_Processing latest(addon_type) AS "addon_type" latest(addon_version) AS "addon_version" latest(_time) AS "latest_time" SPLITROW host AS host SORT 0 host ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1\
| eval addon_version = if(isnotnull(addon_version), addon_version, "previous_to_1.2.45"), addon_type = if(isnotnull(addon_type), addon_type, "Undefined")
# Report: raw splunkd.log events from the last 30 days that contain
# "DeployedApplication - Installing app=*nmon*".
# The search reads index="_internal", so it returns nothing for a role that is
# not allowed to search that index; an empty result is then not proof that no
# deployment happened.
[TA-metricator package deployment reporting (requires _internal access)]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.visualizations.chartHeight = 577
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index="_internal" sourcetype="splunkd" source="*/splunkd.log" "DeployedApplication - Installing app=*nmon*"
# Report: per hostname, the last known converter_inuse and interpreter_version
# values from the NMON_Processing object of the metricator-nmon-processing
# data model, split by minute over the last 30 days and then de-duplicated so
# that each distinct hostname / converter / interpreter version combination
# appears once.
# NOTE(review): the column label spells "coverter"; the same spelling is used
# in the dedup clause, so both occurrences must change together if it is fixed.
[List of interpreter and interpreter versions per host]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 577
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | pivot metricator-nmon-processing NMON_Processing last(converter_inuse) AS "Type of coverter in use (last known value)" last(interpreter_version) AS "Version of Interpreter (last known value)" SPLITROW _time AS _time\
PERIOD minute SPLITROW hostname AS hostname SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | dedup hostname "Type of coverter in use (last known value)" "Version of Interpreter (last known value)" | fields - _time
# Report: daily timechart over the last 30 days of the distinct hosts
# (Number_hosts_deployed) and the event count (Nbr_of_deployment_actions) for
# splunkd events containing "DeployedApplication - Installing app=*nmon*".
# Reads index=_internal; a role without access to that index gets an empty
# chart. Unlike the non-timechart deployment report, this search has no
# source= filter.
[TA-metricator package deployment reporting over time (requires _internal access)]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 577
display.visualizations.charting.chart.overlayFields = Nbr_of_deployment_actions
display.visualizations.charting.legend.placement = top
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd "DeployedApplication - Installing app=*nmon*" | timechart span=1d dc(host) AS Number_hosts_deployed count AS Nbr_of_deployment_actions
# Report: latest sourceIp, os, version, fwdType and arch per hostname, read
# from tcpin_connections events in metrics.log over the last 30 days.
# hostname falls back to sourceHost when it is null.
# The search reads index=_internal although the stanza name does not say so;
# a role without access to that index gets an empty table.
# The output is an inventory of forwarder addresses, operating systems and
# versions, so share the report only with roles that should see that data.
[Universal Forwarders Configuration Report]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_internal source=*metrics.log group=tcpin_connections version=* | eval hostname=if(isnull(hostname), sourceHost,hostname)\
| stats latest(sourceIp) AS sourceIp, latest(os) AS os, latest(version) AS version, latest(fwdType) AS fwdType, latest(arch) AS arch by hostname
################
# ALERT CENTER #
################
#### CPU ####
# Single value: number of alert_fired audit events in the last 60 minutes for
# the saved search "NMON - cpu usage saturation" of app metricator-for-nmon.
# ss_name must match that stanza name exactly.
# rangemap maps a count of 0 to "low" and any other count to "high".
# The search reads index=_audit: a role that cannot search that index gets no
# events, so count is 0 and the panel shows "low", the same output as when no
# alert fired. Verify that the roles using this view can read _audit.
# NOTE(review): action=alert_fired appears twice; the second term is redundant.
[ALERT CENTER - Number of active CPU alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.singlevalue.unit = cpu active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired action=alert_fired ss_name="NMON - cpu usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high
# Report: runs the `alerting_cpu_usage` macro (defined outside this stanza,
# also used by the scheduled alert "NMON - cpu usage saturation") over the last
# 24 hours and opens on the statistics tab.
# The singlevalue display keys are present but display.general.type selects
# statistics.
[ALERT CENTER - Search historical CPU alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.singlevalue.unit = cpu active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_cpu_usage`
# Single value panel: runs the `alerting_cpu_usage` macro (defined outside this
# stanza) over the last 24 hours and labels the result
# "Host(s) with Potential CPU issue".
# No rangeColors or rangeValues are set here, unlike the "Number of active CPU
# alerts" panel.
[ALERT CENTER - CPU issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential CPU issue
display.visualizations.singlevalue.underLabel = cpu saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_cpu_usage`
# Single value: number of alert_fired audit events in the last 60 minutes for
# the saved search "NMON - physical memory usage saturation" of app
# metricator-for-nmon. ss_name must match that stanza name exactly.
# rangemap maps a count of 0 to "low" and any other count to "high".
# The search reads index=_audit: a role that cannot search that index gets no
# events, so count is 0 and the panel shows "low", the same output as when no
# alert fired. Verify that the roles using this view can read _audit.
# NOTE(review): action=alert_fired appears twice; the second term is redundant.
[ALERT CENTER - Number of active Real Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.singlevalue.unit = physical memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired action=alert_fired ss_name="NMON - physical memory usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high
# Report: runs the `alerting_realmemory_usage` macro (defined outside this
# stanza, also used by the scheduled alert
# "NMON - physical memory usage saturation") over the last 24 hours and opens
# on the statistics tab.
# The singlevalue display keys are present but display.general.type selects
# statistics.
[ALERT CENTER - Search historical Real Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.singlevalue.unit = physical memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_realmemory_usage`
# Single value panel: runs the `alerting_realmemory_usage` macro (defined
# outside this stanza) over the last 24 hours and labels the result
# "Host(s) with Potential Memory issue".
# No rangeColors or rangeValues are set here, unlike the "Number of active Real
# Memory alerts" panel.
[ALERT CENTER - Real Memory issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential Memory issue
display.visualizations.singlevalue.underLabel = physical memory saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_realmemory_usage`
# Single value: number of alert_fired audit events for the saved search
# "NMON - virtual usage saturation" of app metricator-for-nmon. ss_name must
# match that stanza name exactly.
# NOTE(review): dispatch.earliest_time is -24h@h here while the CPU, Real
# Memory and FS counterparts use -60m. The search string itself sets
# earliest="-60m", which should take precedence over the dispatch range, so
# the counted window is presumably still 60 minutes; confirm and align.
# rangemap maps a count of 0 to "low" and any other count to "high".
# The search reads index=_audit: a role that cannot search that index gets no
# events, so count is 0 and the panel shows "low", the same output as when no
# alert fired. Verify that the roles using this view can read _audit.
# NOTE(review): action=alert_fired appears twice; the second term is redundant.
[ALERT CENTER - Number of active Virtual Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.singlevalue.unit = virtual memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired action=alert_fired ss_name="NMON - virtual usage saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high
# Report: runs the `alerting_virtualmemory_usage` macro (defined outside this
# stanza, also used by the scheduled alert "NMON - virtual usage saturation")
# over the last 24 hours and opens on the statistics tab.
# The singlevalue display keys are present but display.general.type selects
# statistics.
[ALERT CENTER - Search historical Virtual Memory alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.singlevalue.unit = virtual memory active alerts
display.visualizations.singlevalue.useColors = 1
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_virtualmemory_usage`
# Single value panel: runs the `alerting_virtualmemory_usage` macro (defined
# outside this stanza) over the last 24 hours and labels the result
# "Host(s) with Potential Virtual Memory issue".
# No rangeColors or rangeValues are set here, unlike the "Number of active
# Virtual Memory alerts" panel.
[ALERT CENTER - Virtual Memory issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with Potential Virtual Memory issue
display.visualizations.singlevalue.underLabel = virtual memory saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_virtualmemory_usage`
# Single value: number of alert_fired audit events in the last 60 minutes for
# the saved search named "NMON - file-systems under saturation" in app
# metricator-for-nmon. ss_name must match the alert's stanza name exactly.
# rangemap maps a count of 0 to "low" and any other count to "high".
# The search reads index=_audit: a role that cannot search that index gets no
# events, so count is 0 and the panel shows "low", the same output as when no
# alert fired. Verify that the roles using this view can read _audit.
# NOTE(review): action=alert_fired appears twice; the second term is redundant.
# NOTE(review): unlike the CPU and memory counterparts, this stanza sets no
# display.visualizations.type, chartHeight or charting.chart; confirm that is
# intended.
[ALERT CENTER - Number of active FS alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = file-systems saturation
display.visualizations.singlevalue.unit = file-systems active alerts
display.visualizations.singlevalue.useColors = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = index=_audit action=alert_fired action=alert_fired ss_name="NMON - file-systems under saturation" ss_app="metricator-for-nmon" earliest="-60m" latest="now" | stats count AS count | rangemap field=count low=0-0 default=high
# Report: runs the `alerting_filesystem_usage` macro (defined outside this
# stanza) over the last 24 hours and opens on the statistics tab.
# The singlevalue display keys are present but display.general.type selects
# statistics.
[ALERT CENTER - Search historical FS alerts]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.singlevalue.afterLabel =
display.visualizations.singlevalue.drilldown = all
display.visualizations.singlevalue.rangeColors = ["0x65a637","0xf58f39"]
display.visualizations.singlevalue.rangeValues = [0]
display.visualizations.singlevalue.underLabel = file-systems saturation
display.visualizations.singlevalue.unit = file-systems active alerts
display.visualizations.singlevalue.useColors = 1
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_filesystem_usage`
# Single value panel: runs the `alerting_filesystem_usage` macro (defined
# outside this stanza) over the last 24 hours and labels the result
# "Host(s) with file-system usage in excess".
# No rangeColors or rangeValues are set here, unlike the "Number of active FS
# alerts" panel.
[ALERT CENTER - FS issues]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","type","source","sourcetype"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.chartHeight = 534
display.visualizations.charting.chart = line
display.visualizations.singlevalue.afterLabel = Host(s) with file-system usage in excess
display.visualizations.singlevalue.underLabel = file-system saturation
display.visualizations.type = singlevalue
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | `alerting_filesystem_usage`
#######################
# Various Reports #
#######################
# Report: hosts whose estimated uptime is at most 3600 seconds.
# Two tstats passes over the metricator-nmon-config data model collect, per
# host, the latest uptime and event_epoch from the nmon_config events and from
# the Uptime child dataset; the Uptime values win when they are present.
# The estimate is the reported uptime plus the seconds elapsed since that
# report (now - epoch), so it presumes no reboot since the last report.
# A host that has not reported within the 60 minute dispatch window does not
# appear, so an empty table is not proof that no host rebooted.
# Dates are formatted month first (%m/%d/%Y %H:%M).
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[UPTIME - servers recent reboot (last 60 minutes)]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows servers having rebooted within last 60 minutes
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| where last_known_uptime<=3600\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date (mm/dd/Y HH:MM)"
# Report: estimated uptime per Linux host over the last 24 hours.
# Same pipeline as the recent-reboot report, with OStype = "Linux" filters on
# both tstats passes and without the uptime threshold.
# The Uptime dataset values win over the nmon_config values when present; the
# estimate adds the seconds elapsed since the last report (now - epoch), so it
# presumes no reboot since that report.
# Dates are formatted month first (%m/%d/%Y %H:%M).
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[Linux OS - Last known uptime by host]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows last known uptime for Linux hosts based on inventory data and nmon external
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) (metricator-nmon-config.OStype = "Linux") by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.OStype = "Linux") (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date (mm/dd/Y HH:MM)"
# Report: estimated uptime per AIX host over the last 24 hours.
# Same pipeline as the Linux uptime report with OStype = "AIX" filters.
# NOTE(review): the description mentions only "nmon external", but the first
# tstats pass also reads uptime from the nmon_config events; confirm which
# wording is intended.
# The Uptime dataset values win over the nmon_config values when present; the
# estimate adds the seconds elapsed since the last report (now - epoch), so it
# presumes no reboot since that report.
# Dates are formatted month first (%m/%d/%Y %H:%M).
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[AIX OS - Last known uptime by host]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows last known uptime for AIX hosts based on nmon external
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | tstats latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report from datamodel=metricator-nmon-config where (nodename = metricator-nmon-config) (sourcetype=nmon_config) (metricator-nmon-config.OStype = "AIX") by host prestats=true\
| tstats latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report from datamodel=metricator-nmon-config.Uptime where (nodename = Uptime) (Uptime.OStype = "AIX") (Uptime.uptime = "*") by host append=true prestats=true\
| stats dedup_splitvals=t\
latest("metricator-nmon-config.uptime") AS uptime_seconds, latest("metricator-nmon-config.event_epoch") AS last_report, latest("Uptime.uptime") AS external_uptime_seconds latest(Uptime.event_epoch) as external_last_report by host\
| eval last_known_uptime=if(isnotnull(external_uptime_seconds), external_uptime_seconds, uptime_seconds)\
| eval epoch=if(isnotnull(external_last_report), external_last_report, last_report)\
| eval reporting_date=strftime(epoch, "%m/%d/%Y %H:%M")\
| eval now=now()\
| eval last_known_uptime=(last_known_uptime+(now-epoch))\
| sort host\
| eval "Date of last system startup (mm/dd/Y HH:MM)"=strftime((now()-last_known_uptime), "%m/%d/%Y %H:%M")\
| eval "uptime (human duration)"=tostring(last_known_uptime, "duration")\
| fields host,last_known_uptime,"uptime (human duration)","Date of last system startup (mm/dd/Y HH:MM)",reporting_date | fields - _time\
| rename last_known_uptime AS "uptime (in seconds)", reporting_date AS "Last reporting date (mm/dd/Y HH:MM)"
# Report: latest df_storage metrics (Available, Use_pct, Used, blocks) per
# Linux host and mount over the last 24 hours, read with mstats from the
# indexes selected by the `nmon_metrics_index` macro (defined outside this
# stanza).
# Sizes are divided by 1024 twice and labelled GB, which presumes the metrics
# are reported in KB; confirm against the collector.
# appendpipe adds one total row: GB columns are summed, its percentages are
# recomputed from those sums, and its mount is set to
# "*** TOTAL GB / AVERAGE % ****".
# NOTE(review): storage_free is first computed as blocks-Used and then the
# rename of Available to storage_free targets the same field name; confirm
# which value is meant to be shown.
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[Linux OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for Linux hosts based on DF nmon external metrics
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=Linux host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]
# Report: latest df_storage metrics (Available, Use_pct, Used, blocks) per AIX
# host and mount over the last 24 hours, read with mstats from the indexes
# selected by the `nmon_metrics_index` macro (defined outside this stanza).
# NOTE(review): the description says "based on inventory data", but the search
# reads the same df_storage metrics as the Linux report; confirm the wording.
# Sizes are divided by 1024 twice and labelled GB, which presumes the metrics
# are reported in KB; confirm against the collector.
# appendpipe adds one total row: GB columns are summed, its percentages are
# recomputed from those sums, and its mount is set to
# "*** TOTAL GB / AVERAGE % ****".
# NOTE(review): storage_free is first computed as blocks-Used and then the
# rename of Available to storage_free targets the same field name; confirm
# which value is meant to be shown.
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[AIX OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for AIX hosts based on inventory data
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=AIX host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]
# Report: latest df_storage metrics (Available, Use_pct, Used, blocks) per
# Solaris host and mount over the last 24 hours, read with mstats from the
# indexes selected by the `nmon_metrics_index` macro (defined outside this
# stanza).
# NOTE(review): the description says "based on inventory data", but the search
# reads the same df_storage metrics as the Linux report; confirm the wording.
# Sizes are divided by 1024 twice and labelled GB, which presumes the metrics
# are reported in KB; confirm against the collector.
# appendpipe adds one total row: GB columns are summed, its percentages are
# recomputed from those sums, and its mount is set to
# "*** TOTAL GB / AVERAGE % ****".
# NOTE(review): storage_free is first computed as blocks-Used and then the
# rename of Available to storage_free targets the same field name; confirm
# which value is meant to be shown.
# Keep comments out of the multi-line search value below: a line placed after
# a trailing backslash is read as part of the value.
[Solaris OS - filesystems utilization reporting]
action.email.useNSSubject = 1
alert.track = 0
description = This report shows filesystems utilization statistics for Solaris hosts based on inventory data
dispatch.earliest_time = -24h
dispatch.latest_time = now
display.events.fields = ["host","hostname","type","source","sourcetype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.chartHeight = 606
display.visualizations.show = 0
request.ui_dispatch_app = metricator-for-nmon
request.ui_dispatch_view = search
search = | mstats latest(_value) as value where `nmon_metrics_index` metric_name="os.unix.nmon.storage.df_storage.*" OStype=Solaris host=* by host, metric_name, dimension_mount\
| eval Available=case(metric_name=="os.unix.nmon.storage.df_storage.Available", value), Use_pct=case(metric_name=="os.unix.nmon.storage.df_storage.Use_pct", value), Used=case(metric_name=="os.unix.nmon.storage.df_storage.Used", value), blocks=case(metric_name=="os.unix.nmon.storage.df_storage.blocks", value)\
| stats first(Available) as Available, first(Use_pct) as Use_pct, first(Used) as Used, first(blocks) as blocks by host, dimension_mount\
| rename dimension_mount as mount\
| eval storage_free=blocks-Used, storage_free_percent=(100-Use_pct)\
| rename Use_pct as storage_used_percent, blocks as storage, Used as storage_used, Available as storage_free\
| foreach storage, storage_free, storage_used [ eval <<FIELD>> = round('<<FIELD>>'/1024/1024, 2) ]\
| foreach storage*percent [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
| rename storage as "storage (GB)", storage_free as "storage free (GB)", storage_used as "storage used (GB)", storage_free_percent as "storage free (%)", storage_used_percent as "storage used (%)"\
| eval UsedPct=if(isnum('storage used (%)'), 'storage used (%)', 0 )\
| fields host, mount, "storage (GB)", "storage free (GB)", "storage used (GB)", "storage free (%)", "storage used (%)", UsedPct\
| appendpipe [ stats sum("storage (GB)") as "storage (GB)", sum("storage free (GB)") as "storage free (GB)", sum("storage used (GB)") as "storage used (GB)" ]\
| eval "storage free (%)" = if(isnull('storage free (%)'), (('storage free (GB)'/'storage (GB)')*100), 'storage free (%)'), "storage used (%)" = if(isnull('storage used (%)'), (('storage used (GB)'/'storage (GB)')*100), 'storage used (%)'), UsedPct = if(isnull(UsedPct), 'storage used (%)', UsedPct)\
| fillnull value="*** TOTAL GB / AVERAGE % ****" mount\
| foreach storage*%* UsedPct [ eval <<FIELD>> = round('<<FIELD>>', 2) ]