securityonion/salt/influxdb/templates/alarm_low_monitor_traffic.json

[{
    "apiVersion": "influxdata.com/v2alpha1",
    "kind": "CheckThreshold",
    "metadata": {
        "name": "monitor-interface-traffic"
    },
    "spec": {
        "description": "Triggers when the volume of network traffic (in MBs) received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.",
        "every": "1m",
        "name": "Low  Traffic Volume on Monitor Interface",
        "query": "from(bucket: \"telegraf/so_short_term\")\n  |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n  |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n  |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n  |\u003e derivative(unit: 1s, nonNegative: true)\n  |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n  |\u003e yield(name: \"nonnegative derivative\")",
        "status": "active",
        "statusMessageTemplate": "Interface ${r.interface} on node ${r.host} has reached the ${r._level} threshold. The current volume of traffic on interface ${r.interface} is ${r.bytes_recv}MB/s.",
        "thresholds": [
            {
                "level": "CRIT",
                "type": "lesser",
                "value": 5
            }
        ]
    }
}]