cfxdx Examples

Collection of Example / Test scripts

It is assumed that the instances shown as part of the tags are integrated with cfxdx. CloudFabrix recommends limiting the number of rows displayed at the cfxdx command line.

The following are some examples that can be executed for testing purposes. Note that, depending on the type of integration, the tag name could differ or the tag may not exist in your environment (for example, when there is no integration with AWS, the AWS tags shown and their respective examples will not work).

AWS Assets

> tag *aws-prod:us-east-1:ec2:instances
> data --> /tmp/output/aws-east-instances.csv
> tag *aws-prod:us-east-1:ec2:my-images
> data --> /tmp/output/aws-east-images.csv
> tag *aws-prod:us-east-1:ec2:volumes
> data --> /tmp/output/aws-east-volumes.csv
> tag *aws-prod:us-east-1:ec2:vpcs
> data --> /tmp/output/aws-east-vpcs.csv
> tag *aws-prod:us-east-1:ec2:addresses
> data --> /tmp/output/aws-east-addresses.csv
> tag *aws-prod:us-east-1:s3:buckets
> data --> /tmp/output/aws-east-buckets.csv
> tag @aws-prod:us-east-1:ce:daily-costs
> data date is during this month --> /tmp/output/aws-east-costs.csv

Microsoft Azure Assets

> limit 10 # This limits the number of rows to 10
> tag *azure:instances
> data --> /tmp/output/azure-instances.csv
> tag *azure:my-images
> data --> /tmp/output/azure-images.csv
> tag *azure:volumes
> data --> /tmp/output/azure-volumes.csv
> tag *azure:networks
> data --> /tmp/output/azure-networks.csv
> tag *azure:networkips
> data --> /tmp/output/azure-networkips.csv
> tag *azure:networklbs
> data --> /tmp/output/azure-networklbs.csv
> tag *azure:storagecontainers
> data --> /tmp/output/azure-storagecontainers.csv

Microsoft Azure Insights

# Azure Insights - metrics, alarms, log analytics
> limit 10
> tag *azurein:logs:workspaces
> data --> /tmp/output/azurein-workspaces.csv
> tag @azurein:logs:analytics
> data WorkspaceID is '<enter workspace id>' and timestamp is after -2 days --> /tmp/output/azurein-analytics.csv
> tag *azurein:metrics-list
> data --> /tmp/output/azurein-metrics-list.csv
> tag @azurein:metric-data
> data objID is '/subscriptions/<workspace id>/resourceGroups/macaw_resource_grp/providers/Microsoft.Compute/virtualMachines/sp-lb-vm' and metricnames is 'Percentage CPU' and timestamp is after -30 days --> /tmp/output/azurein-metric-data.csv
> tag *azurein:metric-alarms
> data --> /tmp/output/azurein-metric-alarms.csv

Cluster Prediction

> limit 100
> tag #es:winevents
> data `@timestamp` is after -30 days GET message as 'description' \
--> @cfxusml:logprediction \
--> /tmp/win_event_predicted_clusters.csv

Cluster Pipeline

> limit 2000
> tag #es:winevents
> data * get message as 'description' \
--> @cfxusml:logclustering \
--> /tmp/win_event_clusters.csv

Data Generation Examples

> limit 100
# Log Template
> tag @datagen:fortinet_logs
> data timestamp is after -15 mins and LOCAL_SRC_IP is '<ip address>' and rate is '5/min' \
--> /tmp/fortinet_logs.csv
# Ensure you enter a valid IP address in place of <ip address> in the above data statement
# CPU Timeseries data (smoothing with high std)
> tag @datagen:cpu
> data timestamp is after -15 mins and rate is '60/min'
# Memory Timeseries data (smoothing with low std)
> tag @datagen:memory
> data timestamp is after -15 mins and rate is '60/min'
# Network IO Timeseries data (no smoothing, high std)
> tag @datagen:network_io
> data timestamp is after -15 mins and rate is '60/min'

Email

> limit 10
> tag *slack:users
> data --> @email:sendmail \
subject = "Slack Users List" and \
message = "Slack Users are attached" and \
recipient = 'cfxdx.emails@gmail.com'
# The above recipient is an example email address; change it to a suitable one

JIRA

> limit 50
> tag #cfxqa:issues
> data project='SaaS' and created after 'Jan 1 2020' and (resolution is not 'Fixed' or resolution is null)

Regression Pipeline

> tag @cfxobs:metric-range
> data metric is '100 - (avg by (instance) (irate(windows_cpu_time_total{mode="idle"}[1m])) * 100)' \
and timestamp is after -30 days and step is '60m' \
--> *cfxql:filter instance is '<IP address>:9443' \
--> @cfxml:1hour --> /tmp/output/regression.csv
# Replace <IP address> with correct IP address

SLACK

# Slack Userlist and Fileupload
> limit 10
> tag *slack:users
> data --> /tmp/output/slack-users.csv
> tag *aws-prod:us-east-1:ec2:instances
> data --> @slack:fileupload:test_cfxdx_slack channel is 'test_cfxdx_slack' and \
message is 'AWS Instances Report' and format is 'xlsx' and \
title is 'AWS Daily Instances Report.xlsx'
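Several of the scripts above carry placeholders such as <ip address>, <workspace id> and <IP address> that must be replaced before running, and the introduction recommends setting a row limit. The following pre-flight checker is an added example (not part of cfxdx or CloudFabrix's own tooling) that parses the script format shown on this page (one "> " command per line, "\" continuations, "#" comments, as inferred from the examples) and reports unresolved placeholders, malformed IP literals and data statements without a preceding limit; the sample script is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the cfxdx script format used on this page ("> " commands,
# "\" continuations, "#" comments). The <ip address> placeholder is deliberately
# unresolved and the regression filter carries a malformed IP, so both are flagged.
SAMPLE_SCRIPT = """\
> limit 100
# Log Template
> tag @datagen:fortinet_logs
> data timestamp is after -15 mins and LOCAL_SRC_IP is '<ip address>' and rate is '5/min' \\
--> /tmp/fortinet_logs.csv
> data timestamp is after -30 days and step is '60m' \\
--> *cfxql:filter instance is '10.0.0.300:9443' \\
--> @cfxml:1hour --> /tmp/output/regression.csv
"""
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <ip address>, <workspace id>
QUOTED_IP = re.compile(r"'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")  # 'a.b.c.d' or 'a.b.c.d:port'


def join_commands(text):
    """Return (first_line_no, command) pairs with "\\" continuations merged and comments dropped."""
    commands, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            commands.append((start, " ".join(buf).removeprefix("> ")))
            buf = []
    if buf:  # dangling continuation at end of script
        commands.append((start, " ".join(buf).removeprefix("> ")))
    return commands


def check_script(text):
    """Findings: unresolved placeholders, invalid IP literals, data statements with no limit."""
    findings, limit_seen = [], False
    for no, cmd in join_commands(text):
        limit_seen = limit_seen or cmd.startswith("limit ")
        for ph in PLACEHOLDER.findall(cmd):
            findings.append(f"line {no}: unresolved placeholder {ph}")
        for ip in QUOTED_IP.findall(cmd):
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                findings.append(f"line {no}: invalid IP address '{ip}'")
        if cmd.startswith("data ") and not limit_seen:
            findings.append(f"line {no}: data statement without a preceding limit")
    return findings
```

Run check_script over a script file's contents before pasting it into cfxdx; an empty list means no placeholder, IP or limit issue was found.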