We have just started using the IT Essentials App. We are generating alarms based on thresholds being breached, but the thresholds only seem to be available when, for example, a CPU peaks at 90%. What I am looking for is generating an alarm for when CPU peaks at 100% for a period of 10 mins.
Below is my SPL; would using time_window = 15m suffice?
| mstats max(ps_metric.pctCPU) as val WHERE index = em_metrics OR index = itsi_im_metrics by host span=5m
| eval val=100-val
| rename host as host
| eval host="host=".$host$ , id="ta_nix"
| lookup itsi_entities entity_type_ids as id _itsi_identifier_lookups as host OUTPUT _key as entity_key, title, _itsi_informational_lookups as info_lookup, _itsi_identifier_lookups as alias_lookup
| search entity_key != NULL
| eval entity_type="Unix/Linux Add-on"
| eval metric_name="CPU Usage Percent"
| eval itsiSeverity=case(val <= 75, 2, val <= 90 and val > 75, 4, val > 90, 6)
| eval itsiAlert=metric_name." alert for ".entity_type." entity type"
| eval itsiDrilldownURI="/app/itsi/entity_detail?entity_key=".entity_key
| eval itsiInstance=title
| eval entity_title=title
| eval itsiNotableTitle=title
| eval val = round(val, 2)
| eval itsiDetails = metric_name + " current value is " + val
| eval sec_grp=default_itsi_security_group
| eval alert_source="entity_type"
| where IsNull(is_entity_in_maintenance) OR (is_entity_in_maintenance != 1)
| fields - host
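An added example, not the poster's search, of one way to fire only when the value has stayed at 100 across two consecutive 5-minute buckets (10 minutes). It keeps the same metric, indexes and the val=100-val step from the post; the streamstats field names buckets and min_val are assumptions:

```spl
| mstats max(ps_metric.pctCPU) as val WHERE index=em_metrics OR index=itsi_im_metrics by host span=5m
| eval val=100-val
| streamstats window=2 count as buckets, min(val) as min_val by host
| where buckets=2 AND min_val>=100
| eval itsiSeverity=6, metric_name="CPU Usage Percent"
| eval itsiDetails=metric_name." has been at ".min_val."% for ".(buckets*5)." minutes"
```

With span=5m a 15-minute search range holds at least two complete buckets per host, so the two-bucket check always has data; the first bucket per host (buckets=1) is deliberately excluded because no history precedes it.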
Hi All,

Hoping someone can help me. I am trying to get the Palo Alto App working; we are a Splunk Cloud customer and have this app on our search head. When I search for eventtype=pan I see the logs, but they are NOT reclassified.

Our set up is: we have our Palo Alto firewalls pushing to a syslog server on standard port 514. This data at the moment is currently being ingested as one syslog stream via universal forwarder, where the sourcetype=syslog and index=syslog.

In inputs.conf in /opt/splunk/etc/system/local I have configured the below:

[monitor:///data/rsyslog/10.0.0.1/10.0.0.1.log]
index = pan_logs
sourcetype = pan:log
host_segment = 3

The guide states to configure your TCP outputs in /opt/splunkforwarder/etc/system/local/outputs.conf. In this file we have:

[tcpout]
indexAndForward = 1

As a cloud customer we have our company app in root@syslog:/opt/splunk/etc/apps/OUR_COMPANY_APP/default. The outputs.conf has (but no input file):

= inputs1.name.splunkcloud.com:9997, inputs2.name.splunkcloud.com:9997, inputs3.name.splunkcloud.com:9997, inputs4.name.splunkcloud.com:9997, inputs5.name.splunkcloud.com:9997, inputs6.name.splunkcloud.com:9997

The input file being used is root@syslog:/opt/splunk/etc/apps/search/local.

The Palo Alto app states to add your indexers: "Create or modify /opt/splunkforwarder/etc/system/local/outputs.conf and add a tcpout stanza."

Could I copy over the outputs from root@syslog:/opt/splunk/etc/apps/OUR_COMPANY_APP/default to /opt/splunkforwarder/etc/system/local/outputs.conf?
I am trying to split some data into different source types using a lookup table. I am testing this locally. I have a source type called A and wish to extract fields to source type B. A snippet of my data is below.

4/23/21
23 Fri Apr 23 2021 11:30:29 www1 sshd: Failed password for invalid user SAMPLE123:ABC11:snmp from 10.0.0.1 port 3118 ssh
host = 192.168.1.1
source = /A.log
sourcetype = A

props.conf:

[a]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LOOKUP-alookup = lookuptable snmp_trap AS host OUTPUT host AS host_output
TRANSFORMS-changesourcetype = B

transforms.conf:

[lookuptable]
batch_index_query = 0
case_sensitive_match = 0
filename = lookuptable.csv
max_matches = 1
min_matches = 1

lookuptable.csv:

host      snmp_poll                 syslog                         snmp_trap
10.0.01   SAMPLE123:ABC11:ipfix     SAMPLE123:ABC11:snmp_trap      SAMPLE123:ABC11:syslog

I have achieved similar in the past using regex to separate source types, but I am having issues doing this via a lookup table. Any help appreciated.