admingit
/
Splunk_Deploiement
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '51dc098a0a'
${ noResults }
Splunk_Deploiement/apps/trackme/local/savedsearches.conf

146 lines
8.3 KiB
Raw Blame History

[trackme_dsm_data_sampling_tracker_tenant_1]
cron_schedule = 3-59/20 22-23,0-6 * * *
description = TrackMe DSM Data Sampling tracker
dispatch.earliest_time = -24h
dispatch.latest_time = -4h
enableSched = True
schedule_window = 5
search = | trackmesamplingexecutor tenant_id="1"
[trackme_dsm_outliers_mltrain_tracker_tenant_1]
cron_schedule = 4 22-23,0-6 * * *
description = This scheduled report generate and trains Machine Learning models for the tenant
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
schedule_window = 5
search = | trackmesplkoutlierstrainhelper tenant_id="1" component="dsm"
[trackme_dsm_outliers_mlmonitor_tracker_tenant_1]
cron_schedule = 3-59/20 * * * *
description = This scheduled report monitors Machine Learning models for the tenant
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
schedule_window = 5
search = | trackmesplkoutlierstrackerhelper tenant_id="1" component="dsm" allow_auto_train="True"
[trackme_dsm_adaptive_delay_tracker_tenant_1]
cron_schedule = 1-59/20 * * * *
description = This scheduled report manages adaptive delay tresholds for TrackMe
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
schedule_window = 5
search = | trackmesplkadaptivedelay tenant_id="1" component="dsm" min_delay_sec=3600 min_historical_metrics_days=7 earliest_time_mstats="-30d" max_runtime=900 max_auto_delay_sec=604800 max_changes_past_7days=10 review_period_no_days=30 max_sla_percentage=90
[trackme_dsm_delayed_entities_inspector_tracker_tenant_1]
cron_schedule = 13-59/20 * * * *
description = This scheduled report manages delayed entities in the dsm component
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
schedule_window = 5
search = | trackmesplkfeedsdelayedinspector tenant_id="1" component="dsm" max_runtime=900
[trackme_health_tracker_tenant_1]
cron_schedule = 2-57/5 * * * *
description = This scheduled report tracks health status for the tenant
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
schedule_window = 5
search = | trackmetrackerhealth tenant_id="1"
[trackme_ack_expiration_tracker]
disabled = 0
[trackme_maintenance_mode_tracker]
disabled = 0
[trackme_backup_scheduler]
disabled = 0
[trackme_general_health_manager]
disabled = 0
[trackme_dsm_priority_tracker_tenant_1]
cron_schedule = 10-59/15 * * * *
description = This scheduled report applies and maintains priority policies for the splk-dsm component
dispatch.earliest_time = -5m
dispatch.latest_time = now
schedule_window = 5
search = | trackmesplkpriority tenant_id="1" component=dsm
[trackme_dsm_tags_tracker_tenant_1]
cron_schedule = 10-59/15 * * * *
description = This scheduled report applies and maintains tags policies for the splk-dsm component
dispatch.earliest_time = -5m
dispatch.latest_time = now
schedule_window = 5
search = | trackmesplktags tenant_id="1" component="dsm"
[trackme_dsm_sla_tracker_tenant_1]
cron_schedule = 10-59/15 * * * *
description = This scheduled report applies and maintains sla policies for the splk-dsm component
dispatch.earliest_time = -5m
dispatch.latest_time = now
schedule_window = 5
search = | trackmesplkslaclass tenant_id="1" component=dsm
[trackme_dsm_shared_elastic_tracker_tenant_1]
cron_schedule = */5 * * * *
description = TrackMe DSM shared elastic tracker
dispatch.earliest_time = -4h
dispatch.latest_time = +4h
schedule_window = 5
search = | trackmeelasticexecutor tenant_id="1" component="splk-dsm"
[trackme_dsm_hybrid_abstract_tracker-lj1rhqp_tenant_1]
description = TrackMe abstract hybrid root tracker
dispatch.earliest_time = -4h
dispatch.latest_time = +4h
enableSched = False
search = | tstats max(_indextime) as data_last_ingest, min(_time) as data_first_time_seen, max(_time) as data_last_time_seen, count as data_eventcount, dc(host) as host where `trackme_dsm_hybrid_root_constraint_tracker-lj1rhqp_tenant_1` _index_earliest="-4h" _index_latest="+4h" by _time,index,sourcetype span=30s\
| eval data_last_ingestion_lag_seen=data_last_ingest-data_last_time_seen\
``` intermediate calculation ```\
| bucket _time span=1m\
| stats avg(data_last_ingestion_lag_seen) as data_last_ingestion_lag_seen, max(data_last_ingest) as data_last_ingest, min(data_first_time_seen) as data_first_time_seen, max(data_last_time_seen) as data_last_time_seen, sum(data_eventcount) as data_eventcount, max(host) as dcount_host by _time,index,sourcetype\
| eval spantime=data_last_ingest | eventstats max(data_last_time_seen) as data_last_time_seen, max(dcount_host) as global_dcount_host by index,sourcetype | eval spantime=if(spantime>=(now()-300), spantime, null())\
| eventstats sum(data_eventcount) as eventcount_5m, avg(data_last_ingestion_lag_seen) as latency_5m, avg(dcount_host) as dcount_host_5m by spantime,index,sourcetype\
| stats sum(eventcount_5m) as latest_eventcount_5m, avg(eventcount_5m) as avg_eventcount_5m, stdev(eventcount_5m) as stdev_eventcount_5m, perc95(eventcount_5m) as perc95_eventcount_5m, latest(latency_5m) as latest_latency_5m, avg(latency_5m) as avg_latency_5m, stdev(latency_5m) as stdev_latency_5m, perc95(latency_5m) as perc95_latency_5m, latest(dcount_host_5m) as latest_dcount_host_5m, avg(dcount_host_5m) as avg_dcount_host_5m, stdev(dcount_host_5m) as stdev_dcount_host_5m, perc95(dcount_host_5m) as perc95_dcount_host_5m, max(data_last_ingest) as data_last_ingest, min(data_first_time_seen) as data_first_time_seen, max(data_last_time_seen) as data_last_time_seen, avg(data_last_ingestion_lag_seen) as data_last_ingestion_lag_seen, sum(data_eventcount) as data_eventcount, first(global_dcount_host) as global_dcount_host by index,sourcetype | eval dcount_host=round(global_dcount_host, 0)\
| eval data_last_ingestion_lag_seen=round(data_last_ingestion_lag_seen, 0) | rename index as data_index, sourcetype as data_sourcetype | eval object=data_index . ":" . data_sourcetype\
``` tenant_id ```\
| eval tenant_id="1"\
``` call the abstract macro ```\
`trackme_dsm_tracker_abstract(1, tstats)`
[trackme_dsm_hybrid_tracker-lj1rhqp_wrapper_tenant_1]
description = TrackMe hybrid wrapper
dispatch.earliest_time = -4h
dispatch.latest_time = +4h
enableSched = False
search = | savedsearch "trackme_dsm_hybrid_abstract_tracker-lj1rhqp_tenant_1"\
\
``` collects latest collection state into the summary index ```\
| `trackme_collect_state("current_state_tracking:splk-dsm:1", "object", "1")`\
\
``` output flipping change status if changes ```\
| trackmesplkgetflipping tenant_id="1" object_category="splk-dsm"\
```Generate splk outliers rules```\
| `set_splk_outliers_rules(1, dsm)`\
| `trackme_outputlookup(trackme_dsm_tenant_1, key)`\
| where splk_dsm_is_online="true"\
| `trackme_mcollect(object, splk-dsm, "metric_name:trackme.splk.feeds.avg_eventcount_5m=avg_eventcount_5m, metric_name:trackme.splk.feeds.latest_eventcount_5m=latest_eventcount_5m, metric_name:trackme.splk.feeds.perc95_eventcount_5m=perc95_eventcount_5m, metric_name:trackme.splk.feeds.stdev_eventcount_5m=stdev_eventcount_5m, metric_name:trackme.splk.feeds.avg_latency_5m=avg_latency_5m, metric_name:trackme.splk.feeds.latest_latency_5m=latest_latency_5m, metric_name:trackme.splk.feeds.perc95_latency_5m=perc95_latency_5m, metric_name:trackme.splk.feeds.avg_dcount_host_5m=avg_dcount_host_5m, metric_name:trackme.splk.feeds.latest_dcount_host_5m=latest_dcount_host_5m, metric_name:trackme.splk.feeds.perc95_dcount_host_5m=perc95_dcount_host_5m, metric_name:trackme.splk.feeds.stdev_dcount_host_5m=stdev_dcount_host_5m, metric_name:trackme.splk.feeds.global_dcount_host=global_dcount_host, metric_name:trackme.splk.feeds.stdev_latency_5m=stdev_latency_5m, metric_name:trackme.splk.feeds.eventcount_4h=data_eventcount, metric_name:trackme.splk.feeds.hostcount_4h=dcount_host, metric_name:trackme.splk.feeds.lag_event_sec=data_last_lag_seen, metric_name:trackme.splk.feeds.lag_ingestion_sec=data_last_ingestion_lag_seen", "tenant_id, object_category, object", "1")`\
| stats count as report_entities_count, values(object) as report_objects_list by tenant_id\
| `register_tenant_component_summary(1, dsm)`
[trackme_dsm_hybrid_tracker-lj1rhqp_tracker_tenant_1]
cron_schedule = 1-56/5 * * * *
description = TrackMe hybrid tracker
dispatch.earliest_time = -4h
dispatch.latest_time = +4h
enableSched = True
schedule_window = 5
search = | trackmetrackerexecutor tenant_id="1" component="splk-dsm" report="trackme_dsm_hybrid_tracker-lj1rhqp_wrapper_tenant_1" alert_no_results=True
Reference in new issue View Git Blame Copy Permalink