admingit
/
Splunk_Deploiement
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '835d839383'
${ noResults }
Splunk_Deploiement/apps/trackme/lib/flx_library/splk_hosts_tracking.json

12 lines
3.3 KiB
Raw Blame History

{
"uc_ref": "splk_hosts_tracking",
"uc_vendor": "Splunk",
"uc_description": "Simple hosts monitoring for Splunk, this use case provides a basic tracking of hosts forwarding to Splunk and triggers when a given host has not sent data effectively during a certain period of time",
"uc_category": "splunk_data_collection",
"uc_earliest": "-2h",
"uc_latest": "+4h",
"uc_cron": "*/5 * * * *",
"uc_replacements": "tenant_id:mytenant,group:mygroup",
"uc_metrics": "delay_event_sec,delta_ingest_time",
"uc_search": "| tstats count, max(_time) as last_event_time, max(_indextime) as last_ingest_time where index=* host=* host!=\"\" _index_earliest=\"-30m\" _index_latest=\"now\" by index, sourcetype, host\n| stats values(index) as index, values(sourcetype) as sourcetype, first(last_event_time) as last_event_time, first(last_ingest_time) as last_ingest_time, first(count) as count by host\n\n| eval object_description = \"{\\\"indexes\\\": \\\"\" . mvjoin(index, \",\") . \"\\\", \\\"sourcetypes\\\": \\\"\" . mvjoin(sourcetype, \",\") . \"\\\", \\\"last_event_time\\\": \" . last_ingest_time . \", \\\"last_ingest_time\\\": \" . last_ingest_time . \"}\"\n\n| rename host as object | eval alias=object\n\n| eval group = \"mygroup\"\n| eval object = group . \":\" . object\n| eval keyid = sha256(object)\n\n| fields keyid, group, object, object_description, alias\n\n| inputlookup append=t trackme_flx_tenant_mytenant where group=\"mygroup\"\n| eval keyid=coalesce(keyid, _key)\n| spath input=object_description\n| eval indexes=split(indexes, \",\"), sourcetypes=split(sourcetypes, \",\")\n\n| stats values(indexes) as indexes, values(sourcetypes) as sourcetypes, first(last_event_time) as last_event_time, first(last_ingest_time) as last_ingest_time, first(alias) as alias by group, keyid, object\n\n| eval delta_event_time=now()-last_event_time, delta_ingest_time=now()-last_ingest_time\n| eval status=case(\ndelta_event_time<-600, 3,\n1=1, 1\n)\n\n| eval default_threshold = \"{'metric_name': 'splunk_host.delay_event_sec', 'operator': '<', 'value': 86400, 'condition_true': 1}\"\n\n| eval object_description = \"{\\\"indexes\\\": \\\"\" . mvjoin(mvsort(indexes), \",\") . \"\\\", \\\"sourcetypes\\\": \\\"\" . mvjoin(mvsort(sourcetypes), \",\") . \"\\\", \\\"last_event_time\\\": \" . last_ingest_time . \", \\\"last_ingest_time\\\": \" . last_ingest_time . \"}\"\n\n| eval status_description = case(\nstatus=1, \"{\\\"status\\\": \\\"online\\\", \\\"last_event\\\": \\\"\" . strftime(last_event_time, \"%c\") . \"\\\", \\\"last_indexed\\\": \\\"\" . strftime(last_ingest_time, \"%c\") . \"\\\"}\",\nstatus=3, \"{\\\"status\\\": \\\"future\\\", \\\"last_event\\\": \\\"\" . strftime(last_event_time, \"%c\") . \"\\\", \\\"last_indexed\\\": \\\"\" . strftime(last_ingest_time, \"%c\") . \"\\\"}\",\nstatus=2, \"{\\\"status\\\": \\\"offline\\\", \\\"last_event\\\": \\\"\" . strftime(last_event_time, \"%c\") . \"\\\", \\\"last_indexed\\\": \\\"\" . strftime(last_ingest_time, \"%c\") . \"\\\"}\"\n)\n\n| eval metrics = \"{\\\"splunk_host.delay_event_sec\\\": \" . delta_event_time . \", \\\"splunk_host.delta_ingest_time\\\": \" . delta_ingest_time . \"}\"\n\n| eval disruption_min_time_sec = 3600\n\n``` set default metric ```\n| eval default_metric=\"splunk_host.delay_event_sec\"\n\n| eval max_sec_inactive=604800"
}
Reference in new issue View Git Blame Copy Permalink