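# savedsearches.conf - Hypervision (Splunk) production monitoring alerts.
#
# Every stanza is a scheduled alert (enableSched = 1, counttype/quantity/relation
# = trigger when the search returns more than 0 rows). Hourly resource checks
# (CPU, RAM, disk) target search heads (host/splunk_server *LOGPUB*), indexers
# (*LOGIDX*) and forwarders (*LOGSUPP*); two weekday/business-hours alerts check
# index freshness through the /services/data/indexes maxTime value.
#
# Thresholds are per-host values read from CSV lookups (seuil_*.csv). A host
# that is absent from its lookup gets a null "seuil"; `where x > seuil` is then
# false, so such a host silently never alerts. Consider a fillnull/default or a
# separate "host missing from lookup" check so the blind spot is visible.
#
# Review change vs. the original file:
#   - action.webhook.enable_allowlist is set to 1 on every alert. No stanza
#     enables a webhook action, so this is a no-op today; with the previous value
#     of 0, any webhook action added later to one of these alerts would not be
#     restricted to the server-side URL allowlist.
#
# Review notes left for the owner (not changed here):
#   - Every alert mails one named external-contractor mailbox, with the result
#     table inline (action.email.inline/sendresults = 1). A team distribution
#     list avoids a single point of failure when that account is removed.
#   - Several stanzas carry a disabled, copy-pasted lookup action
#     (action.lookup = 0 / Alert_cpu.csv) that does nothing and can be dropped.
#   - Scheduled searches, including the `| rest` / `| REST` ones, run under the
#     stanza owner's permissions; keep that owner a least-privilege monitoring
#     account rather than an admin (to confirm against the owning user).

[Alerte - CPU utilisée par Search Head]
# NOTE(review): the threshold is read from seuil_ram_sh.csv, the RAM threshold
# file also used by "RAM utilisée par Search Head", while the indexer and
# forwarder CPU alerts use seuil_cpu_*.csv. This looks like a copy-paste error;
# confirm which lookup holds the search-head CPU thresholds before changing it.
# NOTE(review): unlike the indexer variant there is no `dedup host`, so every
# introspection sample above threshold in the last hour becomes a result row
# (potentially hundreds of rows per host in one hourly mail).
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGPUB* component="Hostwide"\
| fields host, "data.cpu_idle_pct"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_ram_sh.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - CPU utilisée par indexeur]
# NOTE(review): `dedup host` runs before the threshold test, so only one sample
# per host (the first returned) is evaluated - a point-in-time check - whereas
# the search-head and forwarder CPU alerts evaluate every sample of the hour.
# Decide which semantics is wanted and align the three stanzas.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGIDX* component="Hostwide"\
| dedup host\
| fields host, "data.cpu_idle_pct"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_cpu_idx.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - CPU utilisée par Forwarder]
# Severity 5 here versus 4 for the search-head/indexer CPU alerts - presumably
# deliberate (forwarder saturation means data loss at the source); confirm.
# No `dedup host`: every sample above threshold in the hour is a result row.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 5
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGSUPP* component="Hostwide"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_cpu_fwd.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - Espace disque du file systeme par Forwarder]
# Disk usage of partition entry 0 of each *LOGSUPP* search peer, as a percentage
# of capacity, against the per-host threshold in seuil_fsh_fwd.csv.
# NOTE(review): the search-head variant queries partitions-space/ (all entries)
# while the forwarder and indexer variants hard-code entry 0; this assumes entry
# 0 is the hypervision filesystem on every host - confirm, the REST ordering is
# not guaranteed by anything in this file.
# The -1h dispatch window has no effect on a `| rest` search (kept for the UI).
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | rest splunk_server=*LOGSUPP* /services/server/status/partitions-space/0\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_fwd.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - Espace disque du file systeme par Search Head]
# Same computation as the forwarder disk alert, but over every partition entry
# returned for *LOGPUB* hosts (no index on partitions-space/), so one host can
# produce several rows; the lookup key is the host only, so all of its
# partitions share the same threshold.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = Monitoring_des_instances
request.ui_dispatch_view = search
search = | rest splunk_server=*LOGPUB* /services/server/status/partitions-space/\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_sh.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - Espace disque du file systeme par indexeur]
# Partition entry 0 of each *LOGIDX* peer (the "hypervision" FS); entry 1 is
# covered by the "file data" alert below. See the entry-ordering note on the
# forwarder disk alert.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | rest splunk_server=*LOGIDX* /services/server/status/partitions-space/0\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_idx.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - Espace disque file data par indexeur]
# Partition entry 1 of each *LOGIDX* peer (the index data FS), threshold from
# seuil_fsd_idx.csv. The rename still labels the column "FS hypervision",
# which is misleading for this partition - consider relabelling.
action.email = 1
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | rest splunk_server=*LOGIDX* /services/server/status/partitions-space/1\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsd_idx.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - RAM utilisée par Forwarder]
# RAM used as a percentage of total (data.mem_used / data.mem). `dedup host`
# runs after the threshold test, so each host above threshold at any point in
# the hour yields exactly one row. alert.expires (48h) and the 2d suppression
# differ from the other resource alerts - confirm this is intended.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 48h
alert.severity = 5
alert.suppress = 1
alert.suppress.period = 2d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGSUPP* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_fwd.csv host OUTPUT seuil \
| where use_mem > seuil\
| dedup host\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"

[Alerte - RAM utilisée par Search Head]
# NOTE(review): this is the only resource alert with alert.suppress = 0 and
# alert.digest_mode = 0 (per-result triggering). Combined with no `dedup host`,
# every introspection sample above threshold in the hour fires its own e-mail,
# every hour, with no throttling. Unless intended, align with the 2h
# suppression and digest behaviour of the sibling alerts.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
action.webhook.enable_allowlist = 1
alert.digest_mode = 0
alert.expires = 48h
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGPUB* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_sh.csv host OUTPUT seuil \
| where use_mem > seuil\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"

[Alerte - RAM utilisée par indexeur]
# NOTE(review): the subject uses "[HYPERVISION][PRODUCTION]Splunk Alert" while
# every other stanza uses "[PRODUCTION][HYPERVISION] Splunk Alert"; any mail
# routing rule keyed on the common prefix will miss this alert. alert.expires
# = 128h also differs from the 168h used elsewhere - both look like typos.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [HYPERVISION][PRODUCTION]Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
action.webhook.enable_allowlist = 1
alert.expires = 128h
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGIDX* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_idx.csv host OUTPUT seuil \
| where use_mem > seuil\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"

[Alerte - Indexes internes Hypervision non alimentés]
# Freshness check on internal "bloques"/"statuts" indexes, weekdays 06:00-20:00.
# Branch 1: every matching index except *_rec_crm_ar*, dgfip* and bloc3_bloques*,
# stale after 48h (172800 s). Branch 2: dgfip* indexes whose name also contains
# "synthese", stale after 72h (259200 s).
# NOTE(review): dgfip* indexes without "synthese" in their name, and
# *_rec_crm_ar* / bloc3_bloques* indexes, are excluded from both branches and
# therefore never checked - confirm that is intended.
# NOTE(review): maxTime is parsed without a timezone designator (%z); any offset
# suffix in the REST value is ignored and the timestamp is read in the search
# head's local time - verify the resulting delta against a known-stale index.
action.email = 1
action.email.inline = 1
action.email.message.alert = Alerte :\
Un des indexes internes Hypervision n'a pas été alimenté pour la période définie pour cet index.
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 7d
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 48h
alert.track = 1
counttype = number of events
cron_schedule = 0 6-20 * * 1-5
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | union [\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title=".*_?(bloques|statuts)_?.*"\
| regex title!=".*_rec_crm_ar_?.*"\
| regex title!="dgfip_?.*"\
| regex title!="bloc3_bloques*"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 172800\
]\
[\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title=".*_?(bloques|statuts)_?.*"\
| regex title!=".*_rec_crm_ar_?.*"\
| regex title="dgfip_?.*"\
| regex title="synthese"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 259200\
]\
| eval delta = tostring(floor(delta/86400))+"j "+tostring(floor((delta%86400)/3600))+"h "+tostring(floor((delta%86400)%3600/60))+"m "+tostring(floor((delta%86400)%3600%60))+"s", _time = strftime(_time, "%Y-%m-%d %T")\
| rename delta as "pas de données depuis", title as index, _time as "date du lernier évènement"\
| fields - maxTime

[Alerte - Indexes non alimentés par les partenaires]
# Freshness check on partner indexes, weekdays 06:00-20:00. Branch 1: stale
# after 2h (7200 s); branch 2 (idx_ti* families): stale after 24h (86400 s).
# NOTE(review): in branch 1, `_{0}` matches zero underscores, so the regex is
# effectively "^[^_]*$" - only index names with NO underscore are considered.
# The following `NOT title IN ("idx_ti...*")` is then redundant (those names all
# contain underscores), and every other underscore-containing partner index is
# never checked by this branch. Confirm this restriction is intended.
# NOTE(review): branch 2 relies on wildcard patterns inside `where ... IN (...)`;
# verify on this Splunk version that wildcards are honoured there (they are in
# the search command). If they are not, the branch matches nothing and the
# idx_ti* indexes are never checked at all.
# NOTE(review): no alert.severity is set here; the platform default applies,
# unlike every other stanza in this file.
action.email.inline = 1
action.email.sendresults = 1
action.email = 1
action.email.message.alert = Alerte :\
Un des indexes des partenaires Hypervision n'a pas été alimenté pour la période définie pour cet index.
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
action.email.to = jocelyn-j-externe.pamphile@edf.fr
action.webhook.enable_allowlist = 1
alert.expires = 168h
alert.suppress = 1
alert.suppress.period = 4h
alert.track = 1
counttype = number of events
cron_schedule = 0 6-20 * * 1-5
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | union [\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title="^[^_]*_{0}$"\
| where NOT title IN ("idx_tic*", "idx_tin*", "idx_tih*", "idx_tit*", "idx_tia*")\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 7200\
],\
[\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| where title IN ("idx_tic*", "idx_tin*", "idx_tih*", "idx_tit*", "idx_tia*")\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 86400\
]\
| eval delta = tostring(floor(delta/86400))+"j "+tostring(floor((delta%86400)/3600))+"h "+tostring(floor((delta%86400)%3600/60))+"m "+tostring(floor((delta%86400)%3600%60))+"s", _time = strftime(_time, "%Y-%m-%d %T")\
| rename delta as "pas de données depuis", title as index, _time as "date du dernier évènement"\
| fields - maxTime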