  1. #!/bin/bash
  2.  
  3. ### Event Metrics
  4.  
  5. ### ECS-EC-INGRES (Collection) - Incoming raw event rate per 60s, Peak in the last 60s, Total EC Throttles in the last 60s
  6. log_line=$(grep "Incoming raw event rate" /var/log/qradar.log |grep "ecs-ec-ingress.ecs-ec-ingress" |awk '{print $5,$29,$42,$59}' |tail -1 |tr "[|]" " ")
  7. engine=$(echo $log_line |awk -F. '{print $1}')
  8. rate60=$(echo $log_line |awk '{print $2}')
  9. peak60=$(echo $log_line |awk '{print $3}')
  10. throttle60=$(echo $log_line |awk '{print $4}' |tr "." " ")
  11. echo "qradar_eps,engine=$engine rate=$rate60,peak=$peak60,throttle=$throttle60 $(date +%s%N)"
  12.  
  13. ### ECS-EC (parsing, and normalization of event data) - Incoming raw event rate per 60s, Peak in the last 60s, Total EC Throttles in the last 60s
  14. log_line=$(grep "Incoming raw event rate" /var/log/qradar.log |grep "ecs-ec.ecs-ec" |awk '{print $5,$29,$42,$59}' |tail -1 |tr "[|]" " ")
  15. engine=$(echo $log_line |awk -F. '{print $1}')
  16. rate60=$(echo $log_line |awk '{print $2}')
  17. peak60=$(echo $log_line |awk '{print $3}')
  18. throttle60=$(echo $log_line |awk '{print $4}' |tr "." " ")
  19. echo "qradar_eps,engine=$engine rate=$rate60,peak=$peak60,throttle=$throttle60 $(date +%s%N)"
  20.  
  21. ### ECS-EC - SensorDevices per 60s, Events Dropped per 60s, Events Log Only per 60s
  22. log_line=$(grep "giveback Event" /var/log/qradar.log |awk '{print $5,$18,$23,$29}' |tail -1 |tr "[|]" " ")
  23. engine=$(echo $log_line |awk -F. '{print $1}')
  24. sensor60=$(echo $log_line |awk '{print $2}')
  25. drops60=$(echo $log_line |awk '{print $3}')
  26. log_only60=$(echo $log_line |awk '{print $4}')
  27. echo "qradar_eps,engine=$engine sensor=$sensor60,drops=$drops60,log_only=$log_only60 $(date +%s%N)"
  28.  
  29. ### ECS-EP (Rules, routing, event storage) - Incoming Event Rate per 60s
  30. log_line=$(grep "EPMonitor" /var/log/qradar.log |awk '{print $5,$16,$26}' |tail -1 |tr "[|]" " ")
  31. engine=$(echo $log_line |awk -F. '{print $1}')
  32. rate60=$(echo $log_line |awk '{print $2}')
  33. echo "qradar_eps,engine=$engine rate=$rate60 $(date +%s%N)"
  34.  
  35.  
  36. ### Flow Metrics
  37.  
  38. ### ECS-EC (parsing, and normalization of event data) - Incoming raw flow rate per 60s, Peak in the last 60s
  39. log_line=$(cat /var/log/qradar.log |grep "Incoming flow rate" |awk '{print $5,$28,$41'} |tail -1 |sed s/[\(\)]//g |tr "[|]" " ")
  40. engine=$(echo $log_line |awk -F'[: .]' '{print $1}')
  41. rate60=$(echo $log_line |awk -F'[: ]' '{print $2}')
  42. peak60=$(echo $log_line |awk -F'[: ]' '{print $4}')
  43. echo "qradar_fps,engine=$engine rate=$rate60,peak=$peak60 $(date +%s%N)"
  44.  
  45. ### ECS-EC - SensorDevices per 60s, Events Dropped per 60s, Events Log Only per 60s
  46. log_line=$(cat /var/log/qradar.log |grep "giveback Flow" |awk '{print $5,$18,$23,$27}' |tail -1 |sed s/[\(\)]//g |tr "[|]" " ")
  47. engine=$(echo $log_line |awk -F. '{print $1}')
  48. sensor60=$(echo $log_line |awk '{print $2}')
  49. drops60=$(echo $log_line |awk '{print $3}')
  50. echo "qradar_fps,engine=$engine sensor=$sensor60,drops=$drops60 $(date +%s%N)"