| inputlookup service_kpi_lookup
    ```Lists services whose only alert_value in itsi_summary over the last 7 days is N/A.```
| fields _key title
| rename _key as itsi_service_id
    ```The subsearch returns the itsi_service_id values to keep. KPI ids starting with SHKPI are skipped, presumably the service-health KPIs.```
    ```mvjoin collapses all distinct alert values of a service into one string, so alert_value=N/A matches only when N/A is the sole value seen.```
| search
    [ search earliest=-7d latest=now index=itsi_summary itsi_kpi_id!=SHKPI*
      | stats values(alert_value) as alert_value by itsi_service_id
      | eval alert_value=mvjoin(alert_value,",")
      | search alert_value=N/A
      | fields itsi_service_id ]
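| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service fields="title,_key,kpis"
    ```Inventory of KPIs per ITSI service with their search type and base search. KPIs of type service_health are filtered out.```
| spath input=value path={} output=svcs
| mvexpand svcs
| fields - value
| spath input=svcs path=title output=service_title
    ```kpis{} is extracted once, directly into kpi. No second copy of the array is kept because nothing downstream reads one.```
| spath input=svcs path=kpis{} output=kpi
| fields - svcs
| mvexpand kpi
| spath input=kpi path=search_type output=search_type
| spath input=kpi path=type output=type
| spath input=kpi path=title output=kpi_title
| spath input=kpi path=base_search output=base_search
| spath input=kpi path=base_search_id output=base_search_id
| spath input=kpi path=_key output=search_id
| search type!=service_health
| fields service_title kpi_title search_type base_search_id search_id base_search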
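| mstats avg(_value) as avgValue WHERE metric_name="LogicalDisk.*" AND index=em_metrics span=auto by metric_name, host, instance
    ```Average LogicalDisk metrics per instance, pivoted to one column per metric, with the host name recovered into its own field.```
    ```The host name is appended to each value behind the literal marker host so that it survives the xyseries pivot.```
| eval metric_name=metric_name."_".instance, avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
    ```NOTE(review): each pivoted cell holds one value, so this looks written for one host per time bucket - confirm before using it across many hosts.```
| rename LogicalDisk.* as *, %_* as perc_*, *: as *
    ```Split every cell back into value and host. The triple angle brackets expand to a properly bracketed group name, and the lazy quantifier stops at the first marker so host names that contain the text host are kept whole.```
| foreach * [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+?)host(?P<host>.+)$" ]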
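| mstats avg(_value) as avgValue WHERE metric_name="Memory.*" AND "index"="em_metrics" span=auto by metric_name, host
    ```Average Memory metrics, pivoted to one column per metric, with the host name recovered into its own field.```
    ```The host name is appended to each value behind the literal marker host so that it survives the xyseries pivot.```
| eval avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
    ```Column names are normalised: the Memory. prefix and a leading percent sign are dropped, and a /sec suffix becomes _per_sec.```
| rename Memory.* as *, %* as *, */sec as *_per_sec
    ```Split every cell back into value and host. The lazy quantifier stops at the first marker so host names that contain the text host are kept whole.```
| foreach * [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+?)host(?P<host>.+)$" ]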
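| mstats avg(_value) as avgValue WHERE (metric_name="Processor.%_Processor_Time" OR metric_name="Processor.%_Idle_Time") AND "index"="em_metrics" span=auto by metric_name, host
    ```Average processor time and idle time percentages, pivoted to one column per metric, with the host name recovered into its own field.```
    ```The two metric names are grouped in parentheses so the index filter applies to both of them whatever the operator precedence is.```
| eval avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
| rename Processor.%_* as perc_*
    ```Split every perc_ cell back into value and host. The lazy quantifier stops at the first marker so host names that contain the text host are kept whole.```
| foreach perc_* [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+?)host(?P<host>.+)$" ]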
(index=windows OR index=perfmon OR index=os) sourcetype=perfmonMK:LogicalDisk instance!=_Total instance!=Harddisk*
    ```Free space per logical disk instance, as percent and as megabytes. The _Total and Harddisk instances are excluded.```
    ```The Other fields carry the value only when the instance matches neither C: nor D:. The curly-brace form names a field after the instance value of the event.```
| eval FreePct-Other=case(match(instance, "C:"), null(),
                         match(instance, "D:"), null(),
                         true(), storage_free_percent),
       FreeMB-Other=case(match(instance, "C:"), null(),
                        match(instance, "D:"), null(),
                        true(), Free_Megabytes),
       FreePct-{instance}=storage_free_percent,
       FreeMB-{instance}=Free_Megabytes
| rest splunk_server=local /services/server/info
    ```Shows the host, host_fqdn and host_resolved values the local Splunk server reports about itself.```
| table host, host_fqdn, host_resolved
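| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
    ```Per-app inventory of directory objects with type, orphaned flag, sharing level, owner and last update, usable for ownership and sharing review.```
| rename eai:* as *, acl.* as *
    ```NOTE(review): any updated value that does not parse with this format is displayed as Never - confirm the format matches what the endpoint returns.```
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y"))
    ```sort 0 lifts the default 10000-row cap of sort, so the count=0 listing is not cut short before stats.```
| sort 0 type
    ```list keeps the columns positionally aligned per app, but by default it retains only the first 100 values per group, see list_maxsize in limits.conf.```
| stats list(title) as title, list(type) as type, list(orphaned) as orphaned, list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app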
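| rest /services/server/status/partitions-space
    ```Free and total disk space per Splunk server and mount point.```
    ```free and capacity are both divided by 1024 so the two GB columns share one unit. Assumes the endpoint reports megabytes - TODO confirm.```
| eval diskFree=tostring(round(free/capacity,4)*100)."%", capacityGB=round(capacity/1024,2), freeGB=round(free/1024,2)
| table splunk_server, mount_point, freeGB, capacityGB, diskFree
| rename splunk_server as "Splunk Server", mount_point as "Mount Point", diskFree as "Disk Free (%)", freeGB as "Disk Free (GB)", capacityGB as "Capacity (GB)"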
| rest /services/authentication/users
    ```One row per user with the distinct roles assigned, usable for role and access review.```
    ```NOTE(review): there is no splunk_server filter, so accounts reported by search peers may be merged in by user name - confirm that is intended.```
| rename title as User
| stats values(roles) as Roles by User