admingit
/
Splunk_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bf0075621d'
${ noResults }
Splunk_deploy/deployment-apps/UFMA/default/macros.conf

57 lines
4.4 KiB
Raw Blame History

[deployment_server_detail(2)]
args = deployment_server, hostname
definition = rest /services/deployment/server/clients splunk_server=$deployment_server$ | rename splunk_server as deployment_server | eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost ) | eval sourceHost = upper(sourceHost) | rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)" | eval os = case( os = "linux", "Linux", os = "windows", "Windows" ) | fields - utsname hostname | rename sourceHost as hostname | search hostname=$hostname$
iseval = 0
[forwarder_assets]
definition = index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* `exclude_hosts`\
| eval dest_uri = host.":".destPort | stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, dc(dest_uri) as dest_count, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as new_avg_tcp_kbps_sparkline, avg(tcp_KBps) as new_avg_tcp_kbps, avg(tcp_eps) as new_avg_tcp_eps by guid, hostname\
| append\
[search index=_internal sourcetype=stream:stats host=* senders{}.streamForwarderGroups{}=* \
| rename senders{}.streamForwarderId as streamfwdId \
| rename senders{}.id as guid \
| eventstats sum(senders{}.streams{}.delta_events) as events by streamfwdId \
| eventstats range(_time) as timeRange \
| eval arch = systemType \
| eval os = osName \
| eval phoneHome=time()-_time \
| eval eventsPerSecond=round(events/(timeRange),2) \
| rename sniffer.captures{}.bitsPerSecond as bps \
| eventstats sum(bps) as bitsPerSecond by _time \
| eventstats sum(bps) as sumBitsPerSecond by streamfwdId \
| eventstats count as numStreamStats by streamfwdId \
| eval avgKBsPerSecond=round(sumBitsPerSecond/numStreamStats/8000,2) \
| eval sum_kb=round(sumBitsPerSecond/8000,2) \
| rename senders{}.lastErrorCode as senderErrorCode sniffer.lastErrorCode as snifferErrorCode senders{}.running as sendersRunning sniffer.running as snifferRunning netflow.running as netflowRunning \
| eval latestTime=if(isnum(rt),rt,now()) \
| eval errorStatus=if((senderErrorCode==0) AND (snifferErrorCode==0),0,1) \
| eval warningStatus=if((sendersRunning=="true") AND (snifferRunning=="true"),0,1) \
| eval inactiveStatus=if(_time > relative_time(latestTime,"-10M"),0,1) \
| eval idleStatus=if(_time > relative_time(latestTime,"-2M"),0,1) \
| eval forwarder_type="stream" \
| eval phoneHome=time()-phoneHome \
| eval status=case(inactiveStatus==1, "inactive", errorStatus==1, "error", warningStatus==1, "warning", idleStatus==1, "idle", errorStatus==0 AND warningStatus==0, "active") \
| chart latest(host) as "hostname" latest(guid) as "guid" latest(forwarder_type) as "forwarder_type" latest(versionNumber) as "version" latest(arch) as "arch" latest(os) as "os" latest(phoneHome) as "last_connected" dc(splunk_server) as dest_count latest(status) as "status" latest(sum_kb) as "new_sum_kb" sparkline(avg(bitsPerSecond/8000),1m) as “new_avg_tcp_kbps_sparkline” latest(avgKBsPerSecond) as "new_avg_tcp_kbps" latest(eventsPerSecond) as "new_avg_tcp_eps" by host \
| fields - host]\
| eval hostname = upper(hostname)
iseval = 0
[deployment_server_assets(1)]
args = deployment_server
definition = | rest /services/deployment/server/clients splunk_server=$deployment_server$ | rename splunk_server as deployment_server | fields averagePhoneHomeInterval build clientName hostname lastPhoneHomeTime updated utsname deployment_server | eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost ) | eval sourceHost = upper(sourceHost) | rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)" | eval os = case( os = "linux", "Linux", os = "windows", "Windows" ) | fields - utsname hostname | rename sourceHost as hostname | table hostname os arch version build clientName averagePhoneHomeInterval lastPhoneHomeTime deployment_server
iseval = 0
[deployment_server_applications(1)]
args = deployment_server
definition = rest /services/deployment/server/applications splunk_server=$deployment_server$
iseval = 0
[deployment_server_serverclasses(1)]
args = deployment_server
definition = rest /services/deployment/server/serverclasses splunk_server=$deployment_server$
iseval = 0
[exclude_hosts]
definition = (hostname!="example-host1" hostname!="example-host2")
iseval = 0
Reference in new issue View Git Blame Copy Permalink