Created
July 13, 2016 14:55
-
-
Save tyzbit/a0369ffa8d782a897dce724f1137d7dd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Plex - Top transcoded media] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = index="main" status=playing | eval newTitle=if(plexType=="episode",show,title) | eval transcoding=if(video_transcoding=="transcode",1,0) | eval direct_play=if(video_transcoding=="transcode",0,1) | stats count by user, date_mday, newTitle, transcoding, direct_play | stats sum(direct_play) as d_play sum(transcoding) as t_play sum(count) as total by newTitle | eval pctTranscoding=(t_play/(d_play+t_play)) | eval orderThis=round(pctTranscoding*total/60,1) | stats sum(orderThis) as "Hours transcoding" by newTitle | sort -"Hours transcoding"| rename newTitle as "Movie/Show" | head 10 | |
| [Plex - Viewing History] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = area | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval session=user." watching ".if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | timechart span=1m count by session limit=100 | |
| [Plex - Transcoding hours by movie/show] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | bucket _time span=1m\ | |
| | eval media=if(isnull(show),title,show)\ | |
| | eval transcode_effort=if(throttled="true",0,1)\ | |
| | eval transcoding=if(video_transcoding=="transcode",1,0)\ | |
| | eval direct_play=if(video_transcoding=="transcode",0,1)\ | |
| | stats count avg(transcode_effort) as effort by user, date_mday, media, transcoding, direct_play\ | |
| | stats sum(direct_play) as d_play sum(transcoding) as t_play sum(count) as total by media,effort\ | |
| | eval pctTranscoding=(t_play/(d_play+t_play))\ | |
| | eval orderThis=round((pctTranscoding*total/60)*effort,1)\ | |
| | stats sum(orderThis) as "Transcoding Hours" by media\ | |
| | rename media as "Movie/Show"\ | |
| | sort -"Transcoding Hours"\ | |
| | head 10 | |
| [Plex - Users with multiple streams] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.statistics.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval media=if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | stats count(media) as number_of_streams by _time,user\ | |
| | where number_of_streams>1\ | |
| | chart max(number_of_streams) as "Max number of streams" by user | |
| [Plex - highest CPU by file] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = index=os sourcetype=ps COMMAND=Plex \ | |
| | rex field=ARGS ".*?-i_.*\/media.*\/(?<t_file>.*?)_-(?:filter|map_inline|map_[\d])"\ | |
| | rex field=ARGS "Plug.*\/(?<plugin_name>.*)$"\ | |
| | eval memMB=mem_used/1048576\ | |
| | eval name=if(ARGS LIKE "New_Transcoder%",if(isnull(t_file),"Unknown Video Source",t_file),if(ARGS LIKE "Plug-in%", plugin_name, ARGS))\ | |
| | stats avg(pctCPU) by name \ | |
| | sort -avg(pctCPU) | |
| [qtosw - geolocate ip by domain] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host="qtosw.com" sourcetype=access_combined useragent!="Amazon*"\ | |
| | iplocation clientip\ | |
| | geostats count by referer_domain | |
| [Splunk - Last 30 days license usage] | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = index=_internal earliest=-30d source=*license_usage* type=RolloverSummary | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool | |
| [Plex - Transcoded streams] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json streamtype="Video: transcode*"\ | |
| | eval media=if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | stats values(streamtype) as "Stream type" values(container) as "Container" values(audioCodec) as "Audio Codec" values(videoCodec) as "Video Codec" values(player) as "Player" by media | |
| [Plex - All streams] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval media=if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | stats values(streamtype) as "Stream type" values(container) as "Container" values(audioCodec) as "Audio Codec" values(videoCodec) as "Video Codec" values(player) as "Player" by media | |
| [Plex - Movies that always transcode video] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" video_transcoding="transcode" NOT show=*\ | |
| | search NOT [ search source="/home/media/plex-status/status.log" streamtype="Direct Play"| dedup media | fields media ]\ | |
| | stats values(streamtype) as "Stream Types" by media | |
| [Plex - Popular transcoded videos] | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" video_transcoding="transcode" earliest=-30d@d\ | |
| | search NOT [ search source="/home/media/plex-status/status.log" streamtype="Direct Play"| dedup media | fields media ]\ | |
| | top media streamtype\ | |
| | fields media streamtype count\ | |
| | eval Hours=round(count / 60,1)\ | |
| | fields - count | |
| [Plex - Videos transcoded more than 95% of the time] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" video_transcoding="transcode"\ | |
| | search NOT [ search source="/home/media/plex-status/status.log" streamtype="Direct Play" \ | |
| | eval dp=if(video_transcoding!="transcode" OR isnull(video_transcoding),1,0)\ | |
| | eval ts=if(video_transcoding=="transcode",1,0)\ | |
| | stats sum(dp) as dpc sum(ts) as tsc by media\ | |
| | eval pct_transcode=(tsc/(tsc+dpc))*100\ | |
| | where pct_transcode<5 | fields media ]\ | |
| | stats count values(streamtype) as "Stream Types" by media\ | |
| | sort -count\ | |
| | fields - count | |
| [Plex - Files that always transcode video] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" video_transcoding="transcode"\ | |
| | search NOT [ search source="/home/media/plex-status/status.log" streamtype="Direct Play"| dedup media | fields media ]\ | |
| | eval time=strftime(_time, "%F %H:%M:%S")\ | |
| | stats last(videoCodec) as "Video Codec" last(audioCodec) as "Audio Codec" last(time) as ltime values(streamtype) as "Stream Types" count by media\ | |
| | eval hours=round(count/60,1)\ | |
| | sort -ltime\ | |
| | rename ltime as "Last Time"\ | |
| | fields - count | |
| [Plex - Videos transcoded more than 95% of the time by media,video codec] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" streamtype="Video: transcode*"\ | |
| | search NOT [ search source="/home/media/plex-status/status.log"\ | |
| | eval dp=if(video_transcoding!="transcode" OR isnull(video_transcoding),1,0)\ | |
| | eval ts=if(video_transcoding=="transcode",1,0)\ | |
| | stats sum(dp) as dpc sum(ts) as tsc by media\ | |
| | eval pct_transcode=(tsc/(tsc+dpc))*100\ | |
| | where pct_transcode<5 | fields media ]\ | |
| | eval time=strftime(_time, "%F %H:%M:%S")\ | |
| | stats last(videoCodec) as "Video Codec" last(audioCodec) as "Audio Codec" last(time) as ltime values(streamtype) as "Stream Types" count by media\ | |
| | eval hours=round(count/60,1)\ | |
| | sort -ltime\ | |
| | rename ltime as "Last Time"\ | |
| | fields - count | |
| [Plex - Number of movies/shows, location, IP by user] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.mapping.tileLayer.maxZoom = 19 | |
| display.visualizations.mapping.tileLayer.url = http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png | |
| display.visualizations.show = 0 | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log"\ | |
| | iplocation ipaddress\ | |
| | eval location=case(City!="" OR NOT isnull(City),City.", ".Region,NOT isnull(Country) OR Country="",Country,isnull(Country),"Unknown")\ | |
| | eval stream=if(plexType=="movie",title,show)\ | |
| | stats dc(stream) as "Number of Movies/Shows watched" values(ipaddress) as "IP addresses" values(location) as "Location" by user\ | |
| | sort -"Number of Movies/Shows watched" | |
| [Plex - Number of streams by stream type] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = visualizations | |
| display.page.search.mode = verbose | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = area | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval session=user." watching ".if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | eval streamtype=case((isnull(audio_transcoding) AND isnull(video_transcoding)), "Direct Play", (video_transcoding="copy" AND audio_transcoding="copy"), "Direct Stream", 1==1, "Video: ".video_transcoding." Audio: ".audio_transcoding)\ | |
| | stats count(session) as number_of_streams by _time,streamtype\ | |
| | timechart span=5m max(number_of_streams) by streamtype | |
| [Web - Authorized or Error Web Access] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=access_combined host=srever useragent!="Amazon*" clientip!="192*" status!="4*" clientip!=209.97.0.0/16 clientip!=172.56.0.0/16 source!="/var/log/nginx/bc_access.log*"\ | |
| | rex field=source "/var/log/(?<webserver>.*)/(?<site>.*)_access.log.*" \ | |
| | eval combined=host."-".site \ | |
| | iplocation clientip\ | |
| | eval location=case(City!="" AND Region!="" AND Country!="",City.", ".Region." - ".Country,Region!="" AND Country!="",Region.",".Country,Country!="",Country,(isnull(Country) OR Country=""),"Unknown")\ | |
| | stats values(location) values(status) values(uri) values(site) by clientip | |
| [OwnCloud - Files Previewed or Downloaded in the Last 7 Days] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source=*owncloud*\ | |
| | where NOT cidrmatch("10.0.0.0/8", clientip) AND NOT cidrmatch("172.16.0.0/12", clientip) AND NOT cidrmatch("192.168.0.0/16", clientip) AND NOT cidrmatch("127.0.0.1/16", clientip)\ | |
| | rex field=uri_query "file=(?<localfile>.*)&c="\ | |
| | eval localfile=urldecode(localfile)\ | |
| | eval files=if(isnotnull(localfile), localfile, files)\ | |
| | iplocation clientip\ | |
| | eval location=case(City!="" AND Region!="" AND Country!="",City.", ".Region." - ".Country,Region!="" AND Country!="",Region.",".Country,Country!="",Country,(isnull(Country) OR Country=""),"Unknown")\ | |
| | stats values(location) as Location values(files) as "Files Downloaded/Previewed" by clientip | |
| [OwnCloud - File Transfers by ClientIP] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source=*owncloud* method=PUT OR method=GET\ | |
| | where NOT cidrmatch("10.0.0.0/8", clientip) AND NOT cidrmatch("172.16.0.0/12", clientip) AND NOT cidrmatch("192.168.0.0/16", clientip) AND NOT cidrmatch("127.0.0.1/16", clientip)\ | |
| | rex field=uri_query "file=(?<localfile>.*)&c"\ | |
| | eval localfile=urldecode(localfile)\ | |
| | eval filenames=case(isnotnull(localfile), localfile, like(uri_path, "%remote.php%") AND isnotnull(file), file, method=="PUT" AND isnotnull(file), file, file="download", files, 1==1,"Unknown, URL root: ".root)\ | |
| | iplocation clientip\ | |
| | eval location=case(City!="" AND Region!="" AND Country!="",City.", ".Region." - ".Country,Region!="" AND Country!="",Region.",".Country,Country!="",Country,(isnull(Country) OR Country=""),"Unknown")\ | |
| | stats values(location) as Location values(filenames) by clientip method | |
| [Plex - Video/Audio codec of transcoded files] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log" videoCodec!="h264" audioCodec!="aac"\ | |
| | chart distinct_count(userId) as "Number of Users Who Streamed File" values(username) values(videoCodec) as "Video Codec" values(audioCodec) as "Audio Codec" values(streamtype) as "Stream type" by file\ | |
| | sort - "Number of Users Who Streamed File" | |
| [Sickbeard Warnings] | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = loglevel=WARNING sourcetype="sick*" | |
| [Cloud Drive - Sync Times (Timechart)] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.visualizations.charting.axisY.scale = log | |
| display.visualizations.charting.chart.showDataLabels = all | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever source=*acdsync* Elapsed\ | |
| | rex "Elapsed time:\s*((?<hour>[0-9]*)h)?((?<min>[0-9]*)m)?(?<sec>[0-9\.]*)s"\ | |
| | eval time=relative_time(_time, "@d")\ | |
| | eval hour=if(isnull(hour),0,hour)\ | |
| | eval min=if(isnull(min),0,min)\ | |
| | eval duration_seconds = ((hour*3600)+(min*60)+sec)\ | |
| | timechart span=1d sum(duration_seconds) as "Transfer Time (seconds)" | |
| [Plex - Last 10 streams] | |
| alert.track = 0 | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval session=user." watched ".if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | stats latest(_time) as time count(_raw) as duration values(device) as device values(streamtype) as streamtype by session\ | |
| | sort -time\ | |
| | fieldformat time = if(time > (now() - 120),"ongoing",strftime(time, "%T"))\ | |
| | fieldformat duration = duration."m" | |
| [Plex - Weekly Stream History] | |
| action.email.useNSSubject = 1 | |
| alert.track = 0 | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = area | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | eval session=user." watched ".if(isnull(show),title,show." (episide title: ".title.")")\ | |
| | stats latest(_time) as time count(_raw) as duration values(device) as device values(streamtype) as streamtype by session\ | |
| | sort -time\ | |
| | fieldformat time = if(time > (now() - 120),"ongoing",strftime(time, "%a %m/%d %T"))\ | |
| | fieldformat duration = duration."m" | |
| [Mumble Location by IP] | |
| alert.track = 0 | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| display.visualizations.mapHeight = 901 | |
| display.visualizations.mapping.data.maxClusters = 1000 | |
| display.visualizations.mapping.drilldown = none | |
| display.visualizations.mapping.map.scrollZoom = 1 | |
| display.visualizations.mapping.markerLayer.markerMaxSize = 75 | |
| display.visualizations.mapping.markerLayer.markerMinSize = 50 | |
| display.visualizations.mapping.tileLayer.maxZoom = 15 | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/var/log/mumble-server/mumble-server.log" earliest=-30d\ | |
| | eval m=connection_number.date_mday\ | |
| | transaction m\ | |
| | iplocation ipaddress\ | |
| | geostats globallimit=0 dc(ipaddress) by user | |
| [Mumble Client Versions by User] | |
| alert.track = 0 | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/var/log/mumble-server/mumble-server.log"\ | |
| | eval m=connection_number.date_mday\ | |
| | transaction m\ | |
| | stats values(version) as "Version" by user\ | |
| | sort "Version" | |
| [Mumble Max Time Connected by User] | |
| alert.track = 0 | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/var/log/mumble-server/mumble-server.log" earliest=-30d\ | |
| | eval m=connection_number.date_mday\ | |
| | transaction m startswith="New connection"\ | |
| | stats max(duration) as max_duration_connected by user\ | |
| | sort - max_duration_connected\ | |
| | fieldformat max_duration_connected=tostring(max_duration_connected, "duration") | |
| [qtosw - geolocate ip by site (req new log format)] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| display.visualizations.mapping.map.center = (10.49,-15.29) | |
| display.visualizations.mapping.map.scrollZoom = 1 | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=access_combined useragent!="Amazon*" \ | |
| | rex field=source "/var/log/(?<webserver>.*)/(?<site>.*)_access.log.*"\ | |
| | eval combined=host."-".site\ | |
| | iplocation clientip\ | |
| | geostats count by combined | |
| [Cloud Drive - Failures] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever source=*acdsync* fail* | |
| [Plex - Geolocate streams by user] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| display.visualizations.mapping.map.center = (14.94,-90.7) | |
| display.visualizations.mapping.map.scrollZoom = 1 | |
| display.visualizations.mapping.tileLayer.maxZoom = 19 | |
| display.visualizations.mapping.tileLayer.url = http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png | |
| display.visualizations.type = mapping | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/home/media/plex-status/status.log"\ | |
| | iplocation ipaddress\ | |
| | geostats globallimit=0 dc(media) by user | |
| [Cloud Drive - New Files] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever sourcetype=acdsync acd_action="Copied (new)" | |
| [Cloud Drive - Sync Times] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever sourcetype=acdsync Elapsed\ | |
| | eval time=relative_time(_time, "@d")\ | |
| | eval hour=if(isnull(hour),0,hour)\ | |
| | eval min=if(isnull(min),0,min)\ | |
| | eval duration_seconds = ((hour*3600)+(min*60)+sec)\ | |
| | stats sum(duration_seconds) as transfer_time by time\ | |
| | fieldformat transfer_time=tostring('transfer_time', "duration")\ | |
| | fieldformat time=strftime(time, "%F")\ | |
| | sort -time | |
| [Cloud Drive - Changed Files] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.visualizations.charting.axisY.scale = log | |
| display.visualizations.charting.chart.showDataLabels = all | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever sourcetype=acdsync acd_action="Copied (new)" OR acd_action="Deleted" | |
| [Cloud Drive - Deleted Files] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = host=srever sourcetype=acdsync acd_action="Deleted" | |
| [Cloud Drive - Sync Times by Folder] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["acd_status","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone","eventtype","file_action","file_path","filename","host","index","linecount","punct","source","sourcetype","splunk_server","timeendpos","timestamp","checks","errors","files_transferred","min","Science","sec","tag","tag::eventtype","transfer_speed","transferred_bytes","code","failed_file","failure_json","failure_status","http_code","http_status","info.nodeId","logref","message"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=acdsync\ | |
| | transaction startswith="Amazon cloud drive root" endswith="Elapsed"\ | |
| | eval time=relative_time(_time, "@d")\ | |
| | eval hour=if(isnull(hour),0,hour)\ | |
| | eval min=if(isnull(min),0,min)\ | |
| | eval duration_seconds = ((hour*3600)+(min*60)+sec)\ | |
| | timechart span=1d sum(duration_seconds) as "Transfer Time (seconds)" by acd_root | |
| [Cloud Drive - Number of Files Synced by Folder] | |
| dispatch.earliest_time = -30d@d | |
| dispatch.latest_time = now | |
| display.events.fields = ["acd_status","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone","eventtype","file_action","file_path","filename","host","index","linecount","punct","source","sourcetype","splunk_server","timeendpos","timestamp","checks","errors","files_transferred","min","Science","sec","tag","tag::eventtype","transfer_speed","transferred_bytes","code","failed_file","failure_json","failure_status","http_code","http_status","info.nodeId","logref","message"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=acdsync\ | |
| | transaction startswith="Amazon cloud drive root" endswith="Transferred:"\ | |
| | timechart span=1d max(files_transferred) by acd_root | |
| [Cloud Drive - Rate Limited Wait Duration] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["acd_status","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone","eventtype","file_action","file_path","filename","host","index","linecount","punct","source","sourcetype","splunk_server","timeendpos","timestamp","checks","errors","files_transferred","min","Science","sec","tag","tag::eventtype","transfer_speed","transferred_bytes","code","failed_file","failure_json","failure_status","http_code","http_status","info.nodeId","logref","message"] | |
| display.general.type = visualizations | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = line | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=acdsync Rate limited\ | |
| | rex field=acd_action "Rate limited, sleeping for ((?<sleep_hour>[0-9]*)h)?((?<sleep_min>[0-9]*)m)?(?<sleep_sec>[0-9\.]*)s \((?<retries>[\d]+) retries\)"\ | |
| | eval sleep_hour=if(isnull(sleep_hour),0,sleep_hour)\ | |
| | eval sleep_min=if(isnull(sleep_min),0,sleep_min)\ | |
| | eval duration_seconds = ((sleep_hour*3600)+(sleep_min*60)+sleep_sec)\ | |
| | timechart span=5m avg(duration_seconds) avg(retries) | |
| [SSH Attempts by IP] | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["acd_status","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone","eventtype","file_action","file_path","filename","host","index","linecount","punct","source","sourcetype","splunk_server","timeendpos","timestamp","checks","errors","files_transferred","min","Science","sec","tag","tag::eventtype","transfer_speed","transferred_bytes","code","failed_file","failure_json","failure_status","http_code","http_status","info.nodeId","logref","message"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = source="/var/log/auth.log" src_ip=*\ | |
| | iplocation src_ip\ | |
| | eval location=case(City!="" AND Region!="" AND Country!="",City.", ".Region." - ".Country,Region!="" AND Country!="",Region.",".Country,Country!="",Country,(isnull(Country) OR Country=""),"Unknown")\ | |
| | stats count as "Attempts" values(location) as "Location" values(user) as "User Accounts Attempted" by host src_ip\ | |
| | sort -"Attempts" | |
| [Splunk - Size by Index] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.events.fields = ["acd_status","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone","eventtype","file_action","file_path","filename","host","index","linecount","punct","source","sourcetype","splunk_server","timeendpos","timestamp","checks","errors","files_transferred","min","Science","sec","tag","tag::eventtype","transfer_speed","transferred_bytes","code","failed_file","failure_json","failure_status","http_code","http_status","info.nodeId","logref","message"] | |
| display.general.type = statistics | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = | eventcount summarize=false report_size=true index=*\ | |
| | eval index_size = size_bytes / 1024 / 1024\ | |
| | fields - count size_bytes server\ | |
| | sort -index_size | |
| [Mumble Users Currently Connected] | |
| alert.track = 0 | |
| dispatch.earliest_time = -24h | |
| dispatch.latest_time = now | |
| display.events.fields = ["host","source","sourcetype","clientip","webserver","site"] | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype="mumble-server"\ | |
| | transaction connection_number endswith="Connection closed" keeporphans=true maxspan=1209600s\ | |
| | where isnull(closed_txn)\ | |
| | eval channel=if(isnull(channel), "-", channel)\ | |
| | chart earliest(_time) as login_time latest(channel) as "Current channel" values(host) as "Server" by user\ | |
| | fieldformat login_time=strftime(login_time, "%D %H:%M") | |
| [Plex - Top 10 media by percent of time spent transcoding] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = visualizations | |
| display.page.search.mode = fast | |
| display.page.search.tab = visualizations | |
| display.statistics.show = 0 | |
| display.visualizations.charting.chart = bar | |
| request.ui_dispatch_app = search | |
| request.ui_dispatch_view = search | |
| search = sourcetype=_json\ | |
| | bucket _time span=1m \ | |
| | eval media=if(isnull(show),title,show)\ | |
| | eval streamtype=case((isnull(audio_transcoding) AND isnull(video_transcoding)), "Direct Play", (video_transcoding="copy" AND audio_transcoding="copy"), "Direct Stream", 1==1, "Video: ".video_transcoding." Audio: ".audio_transcoding)\ | |
| | eval transcoding=if(streamtype!="Direct Play" AND streamtype!="Direct Stream",100,0)\ | |
| | where transcoding > 0\ | |
| | stats avg(transcoding) as pct_time_transcoded by media\ | |
| | sort -pct_time_transcoded\ | |
| | rename pct_time_transcoded as "Percent of time spent transcoding"\ | |
| | head 10 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment