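# savedsearches.conf stanzas for the ITSI AIOps alerting content pack
# (request.ui_dispatch_app = itsi / itsi_aiops_alerting_content_pack).
# Every stanza ships with disabled = 1; enable each one deliberately after
# reading the notes in front of it. Macros in backticks
# (`itsi_event_management_group_index`, `service_kpi_list`,
# `service_monitoring_itsi_include_default`, `use_kpi_attributes_for_defaults`)
# are defined outside this file (macros.conf is the usual place; not visible here).

# Hourly (cron :45) baseline of episode risk per itsi_group_title.
# Per 1-minute bucket over the last 7 days of non-default-policy episode events:
#   risk_severity   = 0 when severity < 3, otherwise severity - 1
#   risk_importance = 3 for ServiceHealthScore KPIs, otherwise a step function of urgency
#   risk_score      = risk_severity * risk_importance, summed per episode per minute
# A 15-minute streamstats window yields running_risk; its mean/stdev per group
# title are written to the itsi_episode_historical_risk_levels lookup.
# The 7-day lookback comes from the tstats earliest=/latest= arguments, not from
# dispatch.earliest_time.
# override_if_empty=false keeps the previous baseline when a run returns no rows
# (e.g. the index is temporarily unreachable) instead of emptying the lookup.
# NOTE(review): this stanza filters with NOT itsi_policy_id="itsi_default_policy",
# which keeps events whose itsi_policy_id is null; the next stanza uses
# itsi_policy_id!="itsi_default_policy", which drops them. Confirm which is intended.
[ITSI Historical Episode Risk Levels Generator]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 45 * * * *
description = This scheduled search should be run once per hour to refresh the itsi_episode_historical_risk_levels lookup with the most updated information to enable risk based analysis of episodes
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = itsi
request.ui_dispatch_view = search
schedule_window = 60
search = | tstats values(kpi) as kpi, values(severity) as severity,values(urgency) as urgency where `itsi_event_management_group_index` (NOT itsi_policy_id="itsi_default_policy") earliest=-7d@d latest=-1m@m by event_id itsi_group_id itsi_group_title _time span=1m@m\
| eval alert_level = severity\
| eval risk_severity = case(alert_level<3, 0, 1=1, alert_level - 1)\
| eval risk_importance = case(kpi="ServiceHealthScore", 3, urgency=0, 0, urgency<5, 1, urgency=5, 2, urgency<11, 4, urgency=11, 5, 1=1, 3)\
| eval risk_score = risk_severity*risk_importance\
| stats sum(risk_score) as sum_risk_score values(*) as * by itsi_group_title, _time\
| sort 0 _time\
| xyseries _time itsi_group_title sum_risk_score\
| fillnull value=0\
| sort 0 _time\
| streamstats sum(*) as sum_* time_window=15m@m\
| fields _time sum_*\
| rename sum_* as *\
| untable _time itsi_group_title running_risk\
| stats count mean(running_risk) as mean_running_risk stdev(running_risk) as std_running_risk by itsi_group_title\
| outputlookup override_if_empty=false itsi_episode_historical_risk_levels

# Daily (03:00) retraining of the episode-creation-frequency density model.
# Counts distinct episodes first seen in each 15-minute bucket over the last
# 30 days and fits an exponential DensityFunction (threshold 0.0001) into
# itsi_episode_creation_frequency_trained_density_model.
# `fit` is the MLTK command, so the Machine Learning Toolkit is presumably a
# dependency of this content pack; confirm it is installed where this runs.
# NOTE(review): cron_schedule is set but enableSched is not (compare the stanza
# above). Without enableSched = 1 the scheduler does not run this search even
# after disabled is cleared; confirm that is intended.
[ITSI Historical Episode Creation Frequency Generator]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 3 * * *
description = This scheduled search should be run once per day to retrain the itsi_episode_creation_frequency_trained_density_model with the most updated information to enable detection of sudden spikes in the number of newly created episodes
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = line
display.visualizations.show = 0
request.ui_dispatch_app = itsi_aiops_alerting_content_pack
request.ui_dispatch_view = search
schedule_window = 60
search = | tstats min(itsi_earliest_event_time) as itsi_earliest_event_time where `itsi_event_management_group_index` itsi_policy_id!="itsi_default_policy" earliest=-30d@d latest=now by itsi_group_id, itsi_group_title, itsi_policy_id \
| bin span=15m@m itsi_earliest_event_time\
| stats dc(itsi_group_id) as itsi_group_creation_cnt values(itsi_group_title) values(itsi_policy_id) by itsi_earliest_event_time\
| eval _time = itsi_earliest_event_time\
| sort 0 _time\
\
| table _time itsi_group_creation_cnt\
| fit DensityFunction itsi_group_creation_cnt dist=expon threshold=0.0001 into itsi_episode_creation_frequency_trained_density_model as outlier

# Discovers services/KPIs via `service_kpi_list`, merges them with the existing
# itsi_kpi_attributes lookup (existing rows win through stats first(*)), fills
# defaults (default_alert_group = service_name, default_itsiInclude from the
# macro, default_itsi_instruction empty) and writes the result back.
# override_if_empty=false protects curated attributes if the search returns nothing.
# No cron_schedule/enableSched is set although the description says "run
# regularly"; scheduling is left to the deployer.
# NOTE(review): the `<>` tokens inside the foreach templates look like foreach
# placeholders (<<FIELD>>/<<MATCHSTR>>) with the inner tag stripped by whatever
# rendered this page. Verify the search text against the packaged conf before use.
[ITSI KPI Attributes Lookup Generator]
action.email.useNSSubject = 1
alert.track = 0
description = This scheduled search should be run regularly to identify any new Services and KPIs built in the environment and automatically assign them a default alert_group value
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = itsi_aiops_alerting_content_pack
request.ui_dispatch_view = search
search = | `service_kpi_list` \
| inputlookup append=true itsi_kpi_attributes \
| stats first(*) AS * by serviceid, kpiid \
\
```Set defaults for any pre-defined kpi attributes fields that you want to have a default```\
| eval default_alert_group=service_name\
| eval default_itsiInclude=`service_monitoring_itsi_include_default`\
| eval default_itsi_instruction=""\
\
```Any fields added to this foreach will have their values automatically copied to newly discovered kpis within this service. Any fields not listed here will default to the above specified defaults, otherwise null and must be manually modified```\
| foreach alert_group, itsiInclude [ | rename <> as copy_<> ]\
\
``` For any "copy fields", the following eventstats and foreach magic will preserve itsi_kpi_attribute settings for existing kpis and set defaults for newly detected services/kpis based on service defaults. Modify the `use_kpi_attributes_for_defaults` macro to true() if you would like default attributes to be based on what KPIs with the same name use (see docs for more info) ```\
| eval tmp_kpi_split=if(kpi_name!="ServiceHealthScore",kpi_name,null())\
| eval tmp_service_split=if(kpi_name="ServiceHealthScore",service_name,null())\
\
| eventstats values(copy_*) as tmp_kpi_* count(copy_*) AS tmp_kpi_*_count by tmp_kpi_split\
| eventstats values(copy_*) as tmp_service_* count(copy_*) AS tmp_service_*_count by tmp_service_split\
| eventstats values(tmp_service_*) AS tmp_service_* by service_name\
\
| foreach copy_*\
[| eval <>=case(isnotnull(<>),<>,`use_kpi_attributes_for_defaults` AND tmp_kpi_<>_count>=3 AND isnotnull(tmp_kpi_split) AND isnotnull(tmp_kpi_<>) AND mvcount(tmp_kpi_<>)=1,tmp_kpi_<>,isnotnull(tmp_service_<>),tmp_service_<>,true(),null())\
| rename <> as <>]\
\
```With all fields now specified, apply default values to any currently null field values where a default was specified```\
| foreach default_* [| eval <>=coalesce(<>,<>) | rename <> as <>]\
\
| table serviceid, kpiid, service_name, kpi_name alert_group, itsi*, attr*\
| outputlookup override_if_empty=false itsi_kpi_attributes

# Builds itsi_episode_contact_map: one row per alert_group present in
# itsi_kpi_attributes, carrying whatever contact method/detail the map already
# holds for that group. Only "ITSI Service Monitoring" receives defaults
# (method "email", detail "sample-email@companyemail.com"); that address is a
# placeholder and must be replaced in the lookup before this notification path
# is relied on. Rows whose alert_group no longer exists in itsi_kpi_attributes
# are dropped by `search original_data=1`.
# override_if_empty=false: an empty itsi_kpi_attributes lookup would otherwise
# wipe every manually entered contact detail. No schedule is set here either.
[ITSI Episode Contact Map Generator]
action.email.useNSSubject = 1
alert.track = 0
disabled = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = line
display.visualizations.show = 0
request.ui_dispatch_app = itsi_aiops_alerting_content_pack
request.ui_dispatch_view = search
search = | inputlookup itsi_kpi_attributes\
| dedup alert_group\
| eval original_data = 1\
| inputlookup append=true itsi_episode_contact_map\
| eventstats values(episode_contact_method) as episode_contact_method values(episode_contact_detail) as episode_contact_detail by alert_group\
| eval episode_contact_method = if(alert_group="ITSI Service Monitoring", coalesce(episode_contact_method, "email"), episode_contact_method)\
| eval episode_contact_detail = if(alert_group="ITSI Service Monitoring", coalesce(episode_contact_detail, "sample-email@companyemail.com"), episode_contact_detail)\
| search original_data=1\
| table alert_group episode_contact_method episode_contact_detail\
| outputlookup override_if_empty=false itsi_episode_contact_map

# Hourly (cron :15) ITSI import-objects action: every non-retired entity that
# has no entity_name identifier lookup gets an entity_name alias equal to its
# title, upserted into the entity list (update_type = upsert, merge on
# entity_name). `head 5000` caps each run, so large environments converge over
# several runs. service_team is set to default_itsi_security_group.
[ITSI Import Objects - itsi_entity_name_normalizer]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_merge_field = entity_name
action.itsi_import_objects.param.entity_title_field = entity_name
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
action.itsi_import_objects.param.entity_status_tracking = 0
alert.track = 0
cron_schedule = 15 * * * *
description = Add the alias, 'entity_name' to every current entity in the Main Entity List
disabled = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
search = | inputlookup itsi_entities where NOT _itsi_identifier_lookups=entity_name*\
| where retirable!=1 OR isnull(retirable)\
| eval entity_name=title\
| eval entity_title=title\
| head 5000

### Version 2.1 modifications

# Service-tree definition for the CPMA ITSI Event Analytics services: one child
# service per aggregation policy seen in the episode index under "ITSI Episode
# Analytics", plus the fixed "ITSI Alert Analytics" / "ITSI Episode Analytics"
# services under "ITSI Event Analytics". Policy titles are read from the SA-ITOA
# REST endpoint with `rest splunk_server=local`; the rest command runs with the
# privileges of the user the search runs as, so that user needs read access to
# that endpoint (same requirement in the Entity Discovery stanza below).
[IT Service Intelligence - CPMA ITSI Event Analytics - Service Tree Search]
action.email.useNSSubject = 1
alert.track = 0
disabled = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = itsi
request.ui_dispatch_view = search
search = |tstats count where `itsi_event_management_group_index` by itsi_policy_id\
\
| join itsi_policy_id [| rest report_as=text splunk_server=local /servicesNS/nobody/SA-ITOA/event_management_interface/notable_event_aggregation_policy\
| eval value = spath(value, "{}")\
| mvexpand value\
| eval itsi_policy_id = spath(value, "_key"), itsi_policy_title = spath(value, "title")\
| table itsi_policy_id itsi_policy_title ]\
\
| eval service_name="ITSI EA for Policy: ".itsi_policy_title, parent_service_name="ITSI Episode Analytics", template="ITSI Episode Analytics Template", entity_info_itsi_policy_title=itsi_policy_title\
| append [| makeresults | eval service_name="ITSI Alert Analytics", parent_service_name="ITSI Event Analytics", template="ITSI Alert Analytics Template"]\
| append [| makeresults | eval service_name="ITSI Episode Analytics", parent_service_name="ITSI Event Analytics", template="ITSI Episode Analytics Template" | eval entity_info_itsi_policy_title="*"]\
\
| fillnull dependent_service_name value=" "\
| appendpipe [| stats count by parent_service_name service_name | eval dependent_service_name = service_name | eval service_name = parent_service_name]\
| dedup service_name dependent_service_name\
| rename service_name as "Service Title", dependent_service_name as "Dependent Services", template as "Service Template Link"\
| table "Service Title" "Dependent Services" "Service Template Link" entity_info_*

# Entity-discovery counterpart of the stanza above: one entity per aggregation
# policy (entity_title = policy title) with itsi_policy_id carried alongside.
# Same REST lookup and the same permission requirement as above.
[IT Service Intelligence - CPMA ITSI Aggregation Policies - Entity Discovery Search]
action.email.useNSSubject = 1
alert.track = 0
disabled = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = itsi
request.ui_dispatch_view = search
search = |tstats count where `itsi_event_management_group_index` by itsi_policy_id\
\
| join itsi_policy_id [| rest report_as=text splunk_server=local /servicesNS/nobody/SA-ITOA/event_management_interface/notable_event_aggregation_policy\
| eval value = spath(value, "{}")\
| mvexpand value\
| eval itsi_policy_id = spath(value, "_key"), itsi_policy_title = spath(value, "title")\
| table itsi_policy_id itsi_policy_title ]\
\
| eval entity_title=itsi_policy_title\
| dedup entity_title\
\
| table entity_title itsi_policy_title itsi_policy_id

# Hourly (cron :25) bootstrap for the two lookups. The pipeline has no generating
# command, so it writes an empty result set; with override_if_empty=false any
# existing content is left intact (presumably the files are created when missing;
# confirm on a fresh install).
# NOTE(review): action.email.show_password = 1 appears to be a UI-level flag for
# the e-mail action form (check the savedsearches.conf spec); no credential is
# stored in this stanza and no e-mail action is enabled here, so confirm the
# setting is intentional.
[CPMA-Lookups-Init]
action.email.show_password = 1
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 25 * * * *
disabled = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = itsi
request.ui_dispatch_view = search
schedule_window = 60
search = | outputlookup itsi_kpi_attributes override_if_empty=false\
| outputlookup itsi_episode_contact_map override_if_empty=false\
| stats count | eval status="Lookups initialized!" | table status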