# Four savedsearches.conf-style "alert action generator" stanzas. Each one runs the
# same base SPL against the ITSI event-management index every minute, joins the
# contact/routing details for the affected entity via the
# `lookup_entity_contact_details` macro (defined outside this file), and then fires
# one alert action per result row. All four ship with disabled=1 and have to be
# enabled deliberately by an administrator.
#
# NOTE(review): the destination of every notification (mail recipient, OnCall
# routing key, ServiceNow assignment group) is read from the search results, i.e.
# from whatever the contact-details lookup returns — not from this file. Whoever can
# edit that lookup can redirect or silence alerts, so its write permissions deserve
# the same scrutiny as this configuration. The macro itself is not visible here;
# confirm where its data comes from.
#
# NOTE(review): the two URLs embedded in the messages are built from the
# `itew_get_splunk_base_uri` macro plus the itsiDrilldownURI field of the event.
# Both come from outside this file; if either can be influenced by event data the
# link pasted into mail/OnCall/ServiceNow is untrusted — verify.

[IT Essentials Work - Email Alert Action Generator]
disabled=1
action.email = 1
# No auto-generated "results"/"view" links in the mail; the only links are the two
# URIs computed in the search below.
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.message.alert = [$result.entity_title$] is in [$result.alert_severity$] status from alarm [$result.source$]\
\
Alert Description:\
$result.description$\
\
View current entity health:\
$result.entity_drilldown_uri$\
\
View current alerts:\
$result.current_alerts_uri$
action.email.subject.alert = Splunk Alert: $result.entity_title$
# Recipient list is per-result, taken from the lookup output (joined with ";" below).
action.email.to = $result.alert_email$
action.email.useNSSubject = 1
# digest_mode=0: one action invocation per result row, not one per search run.
alert.digest_mode = 0
alert.expires = 15m
# Suppression is off; alert.suppress.fields/period are inert until alert.suppress=1.
alert.suppress = 0
alert.suppress.fields = entity_key source
alert.suppress.period = 15m
# track=0: fired alerts are not listed under Triggered Alerts, so the only record of
# a notification is the one kept by the action channel itself.
alert.track = 0
counttype = number of events
# Every minute, looking back exactly one minute. NOTE(review): there is no overlap
# between consecutive windows, so an event that is indexed late may never be seen
# by any run — confirm this is acceptable for the indexing lag in your environment.
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = line
enableSched = 1
# Trigger when the result count is greater than 0.
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# Base search: newest event per (entity_key, source), severity above 2, then
# contact lookup and routing filter. The severity=2 -> "Normal" case branch can
# never match because of the preceding `search severity>2`.
search = `itsi_event_management_index` entity_key=* (source IN ("ITSI Vital Metric Alert*"))\
| dedup entity_key source sortby _time desc\
| search severity>2\
\
| eval alert_severity=case(severity=2, "Normal", severity=6, "Critical", true(), "Warning")\
| eval splunk_base_uri=`itew_get_splunk_base_uri`\
| eval entity_drilldown_uri=splunk_base_uri.itsiDrilldownURI\
| eval current_alerts_uri=splunk_base_uri."/app/itsi/alerts_review"\
| eval src=entity_title, alarm=source\
\
| `lookup_entity_contact_details(entity_key, source, severity)`\
| search alert_routing IN ("*email*", "*e*mail*") alert_email=*\
| eval alert_email=mvjoin(alert_email,";")\
| table *

# Splunk OnCall (VictorOps) variant. The action.email.* keys are carried over from
# the stanza above but action.email is not set to 1 here, so no mail is sent.
[IT Essentials Work - Splunk OnCall Alert Action Generator]
disabled=1
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.message.alert = [$result.entity_title$] is in [$result.alert_severity$] status from alarm [$result.source$]\
\
Alert Description:\
$result.description$\
\
View current entity health:\
$result.entity_drilldown_uri$\
\
View current alerts:\
$result.current_alerts_uri$
action.email.subject.alert = Splunk Alert: $result.entity_title$
action.email.to = $result.alert_email$
action.email.useNSSubject = 1
action.victorops = 1
action.victorops.param.enable_recovery = 0
action.victorops.param.entity_display_name = $result.entity_title$
# The OnCall incident entity is the ITSI entity_key.
action.victorops.param.entity_id = $result.entity_key$
action.victorops.param.monitoring_tool = splunk-itsi
# NOTE(review): routing_key_override=-1 together with the per-result
# "param.routing_key" field set at the end of the search presumably makes the
# routing key come from the lookup rather than from the add-on's static
# configuration — confirm against the Splunk OnCall add-on's documentation.
action.victorops.param.routing_key_override = -1
action.victorops.param.state_message = [$result.entity_title$] is in [$result.alert_severity$] status from alarm [$result.source$]\
\
Alert Description:\
$result.description$\
\
View current entity health:\
$result.entity_drilldown_uri$\
\
View current alerts:\
$result.current_alerts_uri$
alert.digest_mode = 0
alert.expires = 15m
alert.suppress = 0
# Differs from the other stanzas (entity_key only, no source). Inert while
# alert.suppress=0; presumably intended to match the OnCall entity_id above,
# which is also keyed on entity_key alone — confirm before enabling suppression.
alert.suppress.fields = entity_key
alert.suppress.period = 15m
alert.track = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = line
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# Same base search; routes rows whose alert_routing matches "*on*call*" and that
# carry a routing key. Only the first value of a multivalued routing key is used.
search = `itsi_event_management_index` entity_key=* (source IN ("ITSI Vital Metric Alert*"))\
| dedup entity_key source sortby _time desc\
| search severity>2\
\
| eval alert_severity=case(severity=2, "Normal", severity=6, "Critical", true(), "Warning")\
| eval splunk_base_uri=`itew_get_splunk_base_uri`\
| eval entity_drilldown_uri=splunk_base_uri.itsiDrilldownURI\
| eval current_alerts_uri=splunk_base_uri."/app/itsi/alerts_review"\
| eval src=entity_title, alarm=source\
\
| `lookup_entity_contact_details(entity_key, source, severity)`\
| search alert_routing IN ("*on*call*") alert_oncall_routing_key=*\
| eval "param.routing_key"=mvindex(alert_oncall_routing_key, 0)\
| table *

# ServiceNow incident variant. As above, action.email is not enabled here, so the
# action.email.* keys have no effect.
[IT Essentials Work - ServiceNow Alert Action Generator]
disabled=1
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.message.alert = [$result.entity_title$] is in [$result.alert_severity$] status from alarm [$result.source$]\
\
Alert Description:\
$result.description$\
\
View current entity health:\
$result.entity_drilldown_uri$\
\
View current alerts:\
$result.current_alerts_uri$
action.email.subject.alert = Splunk Alert: $result.entity_title$
action.email.to = $result.alert_email$
action.email.useNSSubject = 1
action.snow_incident = 1
# Assignment group is per-result, from the lookup output.
action.snow_incident.param.assignment_group = $result.alert_snow_assignment_group$
# correlation_id = entity_key, so repeated alerts for one entity can be tied to the
# same incident on the ServiceNow side.
action.snow_incident.param.correlation_id = $result.entity_key$
action.snow_incident.param.custom_fields = u_caller_id=Splunk IT Essentials - Work
# NOTE(review): impact, urgency and state are hard-coded to 1 for every row, so a
# "Warning" and a "Critical" alert_severity open identical highest-priority
# incidents. If that is not intended, derive these from alert_severity in the
# search and reference the computed fields here.
action.snow_incident.param.impact = 1
action.snow_incident.param.short_description = [$result.entity_title$] is in [$result.alert_severity$] status from alarm [$result.source$]
action.snow_incident.param.splunk_url = $result.entity_drilldown_uri$
action.snow_incident.param.state = 1
action.snow_incident.param.urgency = 1
alert.digest_mode = 0
alert.expires = 15m
alert.suppress = 0
alert.suppress.fields = entity_key source
alert.suppress.period = 15m
alert.track = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = line
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# Same base search; routes rows whose alert_routing matches "*ServiceNow*" or
# "*snow*" and that carry an assignment group.
search = `itsi_event_management_index` entity_key=* (source IN ("ITSI Vital Metric Alert*"))\
| dedup entity_key source sortby _time desc\
| search severity>2\
\
| eval alert_severity=case(severity=2, "Normal", severity=6, "Critical", true(), "Warning")\
| eval splunk_base_uri=`itew_get_splunk_base_uri`\
| eval entity_drilldown_uri=splunk_base_uri.itsiDrilldownURI\
| eval current_alerts_uri=splunk_base_uri."/app/itsi/alerts_review"\
| eval src=entity_title, alarm=source\
\
| `lookup_entity_contact_details(entity_key, source, severity)`\
| search alert_routing IN ("*ServiceNow*", "*snow*") alert_snow_assignment_group=*\
| table *

# Template for a site-specific action: no action.* key is configured, so enabling
# this stanza as-is runs the search but notifies nobody. Add your own action.*
# settings (and, if useful, consume alert_custom_params from the lookup) when
# cloning it.
[IT Essentials Work - Custom Alert Action Generator]
disabled=1
alert.digest_mode = 0
alert.expires = 15m
alert.suppress = 0
alert.suppress.fields = entity_key source
alert.suppress.period = 15m
alert.track = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = line
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
# Same base search; routes rows whose alert_routing matches "*custom*". The final
# `eval alert_custom_params=alert_custom_params` is a no-op kept as a placeholder
# for where custom parameters would be shaped.
search = `itsi_event_management_index` entity_key=* (source IN ("ITSI Vital Metric Alert*"))\
| dedup entity_key source sortby _time desc\
| search severity>2\
\
| eval alert_severity=case(severity=2, "Normal", severity=6, "Critical", true(), "Warning")\
| eval splunk_base_uri=`itew_get_splunk_base_uri`\
| eval entity_drilldown_uri=splunk_base_uri.itsiDrilldownURI\
| eval current_alerts_uri=splunk_base_uri."/app/itsi/alerts_review"\
| eval src=entity_title, alarm=source\
\
| `lookup_entity_contact_details(entity_key, source, severity)`\
| search alert_routing IN ("*custom*")\
| eval alert_custom_params=alert_custom_params\
| table *