phoenixdigital

splunk-pack-all.conf

Jan 31st, 2021
  1. {
  2.     "queries": {
  3.         "etc_hosts_entries": {
  4.             "query": "SELECT * FROM etc_hosts",
  5.             "interval": 60
  6.         },
  7.         "route_table": {
  8.             "query": "select * from routes",
  9.             "interval": 60
  10.         },
  11.         "logged_in_users": {
  12.             "query": "select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users",
  13.             "interval": 120
  14.         },
  15.         "listening_ports": {
  16.             "query": "select (select datetime from time) AS poll_time, processes.name, users.username, etc_protocols.name AS protocol, listening_ports.pid, listening_ports.port, listening_ports.family, listening_ports.address from listening_ports JOIN processes ON listening_ports.pid = processes.pid JOIN users ON processes.uid = users.uid JOIN etc_protocols ON etc_protocols.number = listening_ports.protocol where listening_ports.port > 0",
  17.             "interval": 300,
  18.             "removed": false
  19.         },
  20.         "top_10_processes_memory_usage": {
  21.             "query": "select (select datetime from time) AS poll_time, processes.pid, processes.path, processes.name, processes.uid, users.username, processes.resident_size, processes.total_size, processes.user_time, processes.system_time, processes.disk_bytes_read, processes.disk_bytes_written, processes.handle_count, processes.percent_processor_time, users.username, datetime(processes.start_time,'unixepoch') || ' UTC' AS start_time_readable, users.username from processes JOIN users ON processes.uid = users.uid order by resident_size desc limit 10",
  22.             "interval": 600,
  23.             "removed": false
  24.         },
  25.         "top_10_processes_most_active": {
  26.             "query": "select (select datetime from time) AS poll_time, processes.pid, processes.name, processes.path, processes.uid, users.username, count(pid) as total_threads, processes.resident_size, processes.total_size, processes.user_time, processes.system_time, processes.disk_bytes_read, processes.disk_bytes_written, processes.handle_count, processes.percent_processor_time, users.username, datetime(processes.start_time,'unixepoch') || ' UTC' AS start_time_readable from processes JOIN users ON processes.uid = users.uid group by name order by total_threads desc limit 10",
  27.             "interval": 600,
  28.             "removed": false
  29.         },
  30.         "users": {
  31.             "query": "select * from users",
  32.             "interval": 3600
  33.         },
  34.         "groups": {
  35.             "query": "select * from groups",
  36.             "interval": 3600
  37.         },
  38.         "interface_addresses": {
  39.             "query": "select (select datetime from time) AS poll_time, * from interface_addresses",
  40.             "interval": 14400,
  41.             "removed": false
  42.         },
  43.         "interface_details": {
  44.             "query": "select (select datetime from time) AS poll_time, * from interface_details",
  45.             "interval": 14400,
  46.             "removed": false
  47.         },
  48.         "ntp_check": {
  49.             "query": "select datetime(local_time, 'unixepoch', 'localtime') as localtime, local_timezone, unix_time, timestamp from time;",
  50.             "interval": 14400,
  51.             "snapshot": true
  52.         },
  53.         "system_info": {
  54.             "query": "select * from system_info;",
  55.             "interval": 604800,
  56.             "snapshot": true
  57.         }
  58.     }
  59. }