We're trying to implement a mostly automated "base monitoring" configuration in one of our Orion instances. One of the roadblocks we're running into is that oftentimes, depending on the application that a server runs, we might have minor differences in alerting logic, so I can lay down a mostly accurate high-level picture of how alerts should work, but I still need to see all of the applications the servers run to be able to really give the business the type of alerting logic they want.
I'm trying to identify a way to schedule a discovery of applications that are running on a server. I could make a bunch of SAM templates and do manual scans every week, but I'm hoping there's an easier way or maybe that someone has a better way to solve this.
The end goal would be to have something like:
- if process = 'splunkd.exe' AND sysname LIKE '%splnk%' THEN add to group "Splunk Servers"
- if process = 'splunkd.exe' AND sysname NOT LIKE '%splnk%' THEN add to group "Splunk Forwarders"
As an aside, it would be pretty cool if SAM could schedule and store the "Real-Time Process Explorer" list of processes for each server.
Then, if the "Group - Dynamic Query" added the option to say something like "process is 'splunkd.exe'", it would make it super easy for us to discover applications by process name and put them all into groups.
On that same note, the "Group - Dynamic Query" would probably want to give the ability to 'Add condition' with operators (such as AND/OR), so we can get a bit more granular on the logic there. Or just let us write out SWQL.
Thank you all for being a fantastic community!
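As an added example (not code from the post or from SolarWinds), here are the two grouping rules above expressed as a small rule engine: it takes a per-node process list, which it assumes has already been exported from somewhere like the Real-Time Process Explorer, translates the SQL-style LIKE patterns to regexes, and returns group membership. The inventory, rule shape and group names are constructed for illustration.

```python
import re

# Constructed sample inventory: sysname -> processes seen running on it.
# In practice this would be an export of each node's process list.
INVENTORY = {
    "splnk-idx01": ["splunkd.exe", "svchost.exe"],
    "web-app02": ["w3wp.exe", "splunkd.exe"],
    "db-prod01": ["sqlservr.exe"],
}

# Rules in the "process = X AND sysname LIKE Y" shape from the post.
# sysname_like / sysname_not_like are optional and use SQL LIKE syntax.
RULES = [
    {"group": "Splunk Servers", "process": "splunkd.exe", "sysname_like": "%splnk%"},
    {"group": "Splunk Forwarders", "process": "splunkd.exe", "sysname_not_like": "%splnk%"},
]


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% and _ wildcards) into an anchored,
    case-insensitive regex; every other character is matched literally."""
    wild = {"%": ".*", "_": "."}
    body = "".join(wild.get(ch) or re.escape(ch) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def rule_matches(rule, sysname, processes):
    """True when the node runs the rule's process (case-insensitive)
    and its sysname passes the optional LIKE / NOT LIKE tests."""
    running = {p.lower() for p in processes}
    if rule["process"].lower() not in running:
        return False
    if "sysname_like" in rule and not like_to_regex(rule["sysname_like"]).match(sysname):
        return False
    if "sysname_not_like" in rule and like_to_regex(rule["sysname_not_like"]).match(sysname):
        return False
    return True


def assign_groups(inventory, rules):
    """Return {group name: sorted sysnames}. Groups are not exclusive,
    so a node can land in several groups if several rules match it."""
    groups = {}
    for sysname, processes in inventory.items():
        for rule in rules:
            if rule_matches(rule, sysname, processes):
                groups.setdefault(rule["group"], []).append(sysname)
    return {g: sorted(members) for g, members in groups.items()}
```

Running `assign_groups(INVENTORY, RULES)` on the sample data puts splnk-idx01 in "Splunk Servers" and web-app02 in "Splunk Forwarders"; db-prod01 matches nothing.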