[Alerte - CPU utilisée par Search Head]
# Hourly check of search-head CPU use (host=*LOGPUB*) from the last hour of
# _introspection "Hostwide" samples; e-mails every row whose CPU use exceeds
# the per-host threshold read from the lookup.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): the only recipient of a production alert is one personal
# mailbox (an external contractor's, judging by the "-externe" suffix). Route
# it to a functional mailbox / distribution list so coverage does not end with
# that person's account and no personal address sits in the repo.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# The lookup action is disabled (action.lookup = 0); the filename below is an
# inactive leftover.
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
# Disables the webhook URL allowlist for this search. No webhook action is
# configured here, so it is inert today, but a webhook added later could post
# results to any URL; leaving the allowlist enabled costs nothing.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# Throttling without alert.suppress.fields (and digest mode left at its
# default) mutes the WHOLE alert for 2h after one trigger: a second host that
# crosses its threshold inside that window is not reported. Per-host
# throttling needs alert.digest_mode = 0 + alert.suppress.fields = host, at
# the cost of one e-mail per host.
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
# Fires as soon as one row survives the `where` below.
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
# NOTE(review): the threshold file is seuil_ram_sh.csv, the RAM lookup, while
# the indexer/forwarder CPU alerts read seuil_cpu_*.csv; confirm which file
# was intended before the thresholds are tuned.
# Unlike the indexer alert there is no `dedup host`, so every over-threshold
# sample of the hour becomes its own row in the e-mail.
# A host absent from the lookup gets a null seuil; `cpu > seuil` is then false
# and that host is silently never alerted on. A fillnull/coalesce default for
# seuil would turn such hosts into visible alerts instead of blind spots.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGPUB* component="Hostwide"\
| fields host, "data.cpu_idle_pct"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_ram_sh.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - CPU utilisée par indexeur]
# Hourly check of indexer CPU use (host=*LOGIDX*): one sample per host from
# the last hour of _introspection "Hostwide" data, compared with the per-host
# threshold in seuil_cpu_idx.csv.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as the only
# recipient of a production alert; prefer a functional mailbox so the alert
# survives staff changes.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Lookup action disabled; the filename is an inactive leftover.
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
# Webhook URL allowlist disabled for this search. No webhook action is set, so
# inert today, but needless: keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# No alert.suppress.fields: one trigger mutes the whole alert for 2h, hiding
# any other indexer that crosses its threshold meanwhile (per-host throttling
# needs alert.digest_mode = 0 + alert.suppress.fields = host).
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
# `dedup host` keeps the first event per host; with the default newest-first
# ordering that is the most recent sample (presumably the intent — only the
# latest reading is compared with the threshold).
# A host missing from seuil_cpu_idx.csv gets a null seuil and is silently
# never alerted on; consider a default via fillnull/coalesce.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGIDX* component="Hostwide"\
| dedup host\
| fields host, "data.cpu_idle_pct"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_cpu_idx.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - CPU utilisée par Forwarder]
# Hourly check of forwarder CPU use (host=*LOGSUPP*) over the last hour of
# _introspection "Hostwide" samples, against the per-host threshold in
# seuil_cpu_fwd.csv. Severity 5 (critical) here, 4 for the other CPU alerts.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): one personal mailbox (external contractor) is the only
# recipient of a critical production alert; use a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled for this search; no webhook action is
# configured, so inert, but keep the allowlist on rather than opt out.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 5
# Whole-alert throttle (no alert.suppress.fields): after one forwarder fires,
# every other forwarder is muted for 2h.
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# No dedup: every over-threshold sample of the hour becomes a row.
# A host missing from the lookup gets a null seuil and never alerts
# (comparison with null is false); consider a fillnull/coalesce default.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGSUPP* component="Hostwide"\
| eval cpu = 100 - 'data.cpu_idle_pct'\
| table host, cpu\
| lookup seuil_cpu_fwd.csv host OUTPUT seuil \
| where cpu > seuil\
| rename cpu as "Utilisation CPU", seuil as "Seuil d'alerte"\
| fields host, "Utilisation CPU", "Seuil d'alerte"

[Alerte - Espace disque du file systeme par Forwarder]
# Hourly live check (via | rest, so the dispatch window is irrelevant) of
# partition 0 on each forwarder (splunk_server=*LOGSUPP*), against the
# per-host percentage threshold in seuil_fsh_fwd.csv.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# 7-day whole-alert throttle (no alert.suppress.fields): once any forwarder
# fires, a different forwarder filling up during the following week is not
# reported. Per-host throttling needs alert.digest_mode = 0 +
# alert.suppress.fields = host.
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# `| rest` runs with the saved search owner's permissions; the owner needs the
# capability for /services/server/status on the remote peers, otherwise the
# host silently drops out of the results.
# `available` is preferred over `free` when the endpoint reports it. The
# /1024 presumably converts MB to GB ("FS utilisé en GO") — confirm units.
# A host missing from the lookup gets a null seuil and never alerts.
search = | rest splunk_server=*LOGSUPP* /services/server/status/partitions-space/0\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_fwd.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

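[Alerte - Espace disque du file systeme par Search Head]
# Hourly live check (via | rest) of the hypervision file system on each
# search head (splunk_server=*LOGPUB*), against the per-host percentage
# threshold in seuil_fsh_sh.csv.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# 7-day whole-alert throttle (no alert.suppress.fields): after one search
# head fires, the others are muted for a week. Per-host throttling needs
# alert.digest_mode = 0 + alert.suppress.fields = host.
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = Monitoring_des_instances
request.ui_dispatch_view = search
# Fix: the endpoint previously had no partition index, so every partition of
# every search head came back as a separate, unlabelled row all reported as
# the "FS hypervision". Partition 0 is what the forwarder and indexer
# hypervision-FS alerts query; confirm it is the hypervision FS on the search
# heads as well.
# `| rest` runs with the saved search owner's permissions. The /1024
# presumably converts MB to GB ("FS utilisé en GO") — confirm units.
# A host missing from the lookup gets a null seuil and never alerts.
search = | rest splunk_server=*LOGPUB* /services/server/status/partitions-space/0\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_sh.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"
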
[Alerte - Espace disque du file systeme par indexeur]
# Hourly live check (via | rest) of partition 0 (hypervision FS) on each
# indexer (splunk_server=*LOGIDX*), against the per-host percentage threshold
# in seuil_fsh_idx.csv. The data partition (/1) has its own stanza.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# 7-day whole-alert throttle (no alert.suppress.fields): after one indexer
# fires, the others are muted for a week. Per-host throttling needs
# alert.digest_mode = 0 + alert.suppress.fields = host.
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# `| rest` runs with the saved search owner's permissions. The /1024
# presumably converts MB to GB ("FS utilisé en GO") — confirm units.
# A host missing from the lookup gets a null seuil and never alerts.
search = | rest splunk_server=*LOGIDX* /services/server/status/partitions-space/0\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsh_idx.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - Espace disque file data par indexeur]
# Hourly live check (via | rest) of partition 1 (index data) on each indexer
# (splunk_server=*LOGIDX*), against the per-host percentage threshold in
# seuil_fsd_idx.csv.
action.email = 1
# Only this stanza includes the trigger time in the e-mail.
action.email.include.trigger_time = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
alert.severity = 4
# 7-day whole-alert throttle (no alert.suppress.fields): after one indexer
# fires, a second indexer's data partition filling up the same week is not
# reported — a serious gap for index storage. Per-host throttling needs
# alert.digest_mode = 0 + alert.suppress.fields = host.
alert.suppress = 1
alert.suppress.period = 7d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# NOTE(review): the output label still says "FS hypervision" although this
# stanza queries the data partition (/1); relabel to avoid misleading the
# on-call reader.
# `| rest` runs with the saved search owner's permissions. The /1024
# presumably converts MB to GB — confirm units.
# A host missing from the lookup gets a null seuil and never alerts.
search = | rest splunk_server=*LOGIDX* /services/server/status/partitions-space/1\
| eval free = if(isnotnull(available), available, free)\
| eval usage = round((capacity - free) / 1024, 2)\
| eval capacity = round(capacity / 1024, 2)\
| eval pct_usage = round(usage / capacity * 100, 2)\
| fields splunk_server, pct_usage, usage\
| rename splunk_server as host\
| lookup seuil_fsd_idx.csv host OUTPUT seuil\
| where pct_usage >=seuil\
| rename pct_usage AS "Pourcentage d'usage du FS hypervision", usage AS "FS utilisé en GO", seuil as "Seuil définie"

[Alerte - RAM utilisée par Forwarder]
# Hourly check of forwarder memory use (host=*LOGSUPP*): mem_used/mem in %
# from the last hour of _introspection "Hostwide" samples, against the
# per-host threshold in seuil_ram_fwd.csv. Severity 5 (critical).
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a critical production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 48h
alert.severity = 5
# 2-day whole-alert throttle (no alert.suppress.fields): after one forwarder
# fires, the others are muted for two days.
alert.suppress = 1
alert.suppress.period = 2d
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# `dedup host` comes AFTER the threshold filter, so a host alerts if ANY
# sample of the hour exceeded its threshold (the indexer CPU alert dedups
# first and only looks at the latest sample) — confirm which is intended.
# A host missing from the lookup gets a null seuil and never alerts.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGSUPP* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_fwd.csv host OUTPUT seuil \
| where use_mem > seuil\
| dedup host\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"

[Alerte - RAM utilisée par Search Head]
# Hourly check of search-head memory use (host=*LOGPUB*): mem_used/mem in %
# from the last hour of _introspection "Hostwide" samples, against the
# per-host threshold in seuil_ram_sh.csv.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Lookup action disabled; Alert_cpu.csv is an inactive leftover (and a CPU
# file name on a RAM alert).
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
# Per-result mode with throttling OFF: every hour, one e-mail per row (no
# dedup, so potentially one per over-threshold sample) for as long as a host
# stays above its threshold. The other RAM alerts throttle for 2h/2d.
alert.digest_mode = 0
alert.expires = 48h
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
# A host missing from the lookup gets a null seuil and never alerts.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGPUB* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_sh.csv host OUTPUT seuil \
| where use_mem > seuil\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"

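[Alerte - RAM utilisée par indexeur]
# Hourly check of indexer memory use (host=*LOGIDX*): mem_used/mem in % from
# the last hour of _introspection "Hostwide" samples, against the per-host
# threshold in seuil_ram_idx.csv.
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
# Subject aligned with every other stanza ([PRODUCTION][HYPERVISION] first,
# space before "Splunk") so mail filters keyed on the prefix catch this one.
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Lookup action disabled; Alert_cpu.csv is an inactive leftover.
action.lookup = 0
action.lookup.append = 1
action.lookup.filename = Alert_cpu.csv
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
# NOTE(review): 128h is unique in this file (the others use 168h/48h) —
# confirm it is not a typo.
alert.expires = 128h
alert.severity = 4
# Whole-alert throttle (no alert.suppress.fields): after one indexer fires,
# the others are muted for 2h.
alert.suppress = 1
alert.suppress.period = 2h
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.type = table
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = gestion_des_alertes
request.ui_dispatch_view = search
# No dedup: every over-threshold sample of the hour becomes a row.
# A host missing from the lookup gets a null seuil and never alerts.
search = index="_introspection" sourcetype=splunk_resource_usage host=*LOGIDX* component="Hostwide"\
| eval use_mem= round(100 *'data.mem_used' / 'data.mem', 2)\
| table host, use_mem\
| lookup seuil_ram_idx.csv host OUTPUT seuil \
| where use_mem > seuil\
| rename use_mem as "Utilisation de la RAM", seuil as "Seuil d'alerte"\
| fields host, "Utilisation de la RAM", "Seuil d'alerte"
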
[Alerte - Indexes internes Hypervision non alimentés]
# Weekday 06:00-20:00 hourly check that the Hypervision "bloques"/"statuts"
# indexes keep receiving data: 48h without an event for most of them, 72h for
# the dgfip+synthese ones. "internes" means application-internal; the REST
# filter isInternal=0 excludes Splunk's own _* indexes.
action.email = 1
action.email.inline = 1
action.email.message.alert = Alerte :\
Un des indexes internes Hypervision n'a pas été alimenté pour la période définie pour cet index.
action.email.sendresults = 1
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.severity = 4
# 48h whole-alert throttle (no alert.suppress.fields): after one stalled
# index fires, a second index stalling within 48h is not reported. Per-index
# throttling needs alert.digest_mode = 0 + alert.suppress.fields = index.
alert.suppress = 1
alert.suppress.period = 48h
alert.track = 1
counttype = number of events
# Weekdays 06-20 only: a feed that stops Friday evening is first seen Monday
# 06:00 at the earliest.
cron_schedule = 0 6-20 * * 1-5
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# Branch 1: titles containing "bloques" or "statuts", minus *_rec_crm_ar*,
# dgfip* and bloc3_bloque*; alert after 172800s (48h).
# Branch 2: titles containing "bloques"/"statuts" AND "dgfip" AND "synthese"
# (two regex filters = AND); alert after 259200s (72h).
# NOTE(review): dgfip indexes whose name does not contain "synthese" are
# excluded by branch 1 and not matched by branch 2, so they are never checked
# — confirm this is intended.
# NOTE(review): maxTime from the REST endpoint is parsed without %z; if the
# value carries a UTC offset the delta is off by that offset — confirm.
# `| REST` runs with the saved search owner's permissions; indexes the owner
# cannot list are silently not monitored.
search = | union [\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title=".*_?(bloques|statuts)_?.*"\
| regex title!=".*_rec_crm_ar_?.*"\
| regex title!="dgfip_?.*"\
| regex title!="bloc3_bloques*"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 172800\
]\
[\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title=".*_?(bloques|statuts)_?.*"\
| regex title!=".*_rec_crm_ar_?.*"\
| regex title="dgfip_?.*"\
| regex title="synthese"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 259200\
]\
| eval delta = tostring(floor(delta/86400))+"j "+tostring(floor((delta%86400)/3600))+"h "+tostring(floor((delta%86400)%3600/60))+"m "+tostring(floor((delta%86400)%3600%60))+"s", _time = strftime(_time, "%Y-%m-%d %T")\
| rename delta as "pas de données depuis", title as index, _time as "date du dernier évènement"\
| fields - maxTime

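[Alerte - Indexes non alimentés par les partenaires]
# Weekday 06:00-20:00 hourly check that partner indexes keep receiving data:
# 2h without an event for the general partner indexes, 24h for the idx_ti*
# family.
action.email.inline = 1
action.email.sendresults = 1
action.email = 1
action.email.message.alert = Alerte :\
Un des indexes des partenaires Hypervision n'a pas été alimenté pour la période définie pour cet index.
action.email.subject = [PRODUCTION][HYPERVISION] Splunk Alert: $name$
# NOTE(review): single personal mailbox (external contractor) as sole
# recipient of a production alert; prefer a functional mailbox.
action.email.to = jocelyn-j-externe.pamphile@edf.fr
# Webhook URL allowlist disabled; no webhook action configured, so inert, but
# keep the allowlist on.
action.webhook.enable_allowlist = 0
alert.expires = 168h
# No alert.severity here (the other stanzas set 4 or 5); the default applies.
# 4h whole-alert throttle (no alert.suppress.fields): after one stalled index
# fires, another partner feed stalling within 4h is not reported. Per-index
# throttling needs alert.digest_mode = 0 + alert.suppress.fields = index.
alert.suppress = 1
alert.suppress.period = 4h
alert.track = 1
counttype = number of events
# Weekdays 06-20 only: a feed that stops Friday evening is first seen Monday
# 06:00 at the earliest.
cron_schedule = 0 6-20 * * 1-5
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# Fix: the idx_ti* selection used `where title IN ("idx_tic*", ...)`. The
# where/eval IN does exact string matching (wildcards are only expanded by
# the search command's IN), so the literal "idx_tic*" never matched and the
# second branch returned nothing — the idx_ti* feeds were never monitored.
# Both branches now use the equivalent anchored regex.
# Branch 1: `_{0}` matches the empty string, so the regex is effectively
# ^[^_]*$ — only titles WITHOUT an underscore, which already excludes idx_ti*
# (the exclusion is kept to document intent). NOTE(review): confirm that
# partner indexes with underscores in their names are meant to be skipped.
# NOTE(review): maxTime is parsed without %z; if the value carries a UTC
# offset the delta is off by that offset — confirm.
# `| REST` runs with the saved search owner's permissions; indexes the owner
# cannot list are silently not monitored.
search = | union [\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title="^[^_]*_{0}$"\
| regex title!="^idx_ti[cnhta]"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 7200\
],\
[\
| REST /services/data/indexes search="isInternal=0 AND isReady=1"\
| regex title="^idx_ti[cnhta]"\
| stats max(maxTime) as maxTime by title\
| eval _time=strptime(maxTime,"%Y-%m-%dT%H:%M:%S") , delta = now()-_time\
| where delta > 86400\
]\
| eval delta = tostring(floor(delta/86400))+"j "+tostring(floor((delta%86400)/3600))+"h "+tostring(floor((delta%86400)%3600/60))+"m "+tostring(floor((delta%86400)%3600%60))+"s", _time = strftime(_time, "%Y-%m-%d %T")\
| rename delta as "pas de données depuis", title as index, _time as "date du dernier évènement"\
| fields - maxTime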