# This file contains possible settings you can use to configure ITSI inputs, register
# user access roles, and import services and entities from CSV files or search strings.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To set custom
# configurations, place an inputs.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart ITSI to enable new configurations.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

####
# GLOBAL SETTINGS
####

# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top of
#   the file.
# * Each conf file should have at most one default stanza. If there are
#   multiple default stanzas, settings are combined. In the case of
#   multiple definitions of the same setting, the last definition in the
#   file wins.
# * If a setting is defined at both the global level and in a specific
#   stanza, the value in the specific stanza takes precedence.

# log_level =
# * This setting sets the logging level of each modular input.
# * Logging levels are in order of most to least verbose.
# * The logging level describes the type and/or quantity of output
#   that an application writes to a log file.
# * Set the logging verbosity of each modular input to specify how
#   much and what kind of information it writes to the log file.
# * Setting a log level gets you messages at that level and higher,
#   so default settings are typically INFO or WARN.

[itsi_user_access_init]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_user_access_init://]
* A modular input that runs once during startup (or at the user's request) to register
  user access roles and capabilities with the SA-UserAccess module.
log_level =
* The logging level of this input.
* Default: WARN

app_name =
* The Splunk application that has the user access roles and capabilities.
* Default: itsi

registered_capabilities = [true|false]
* Indicates whether or not capabilities have already been registered with ITSI.
* If true, the 'itsi_user_access_init' input does not re-register capabilities.
* If false, 'itsi_user_access_init' registers ITSI capabilities again.
* Default: false

[configure_itsi]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[configure_itsi://]
* A configuration input that runs once (or at the user's request) to pull entities from
  the configuration file system into the App Key Value (KV) Store.

log_level =
* The logging level of this input.
* Default: WARN

is_configured = ""
* Retained for backwards compatibility.

[itsi_csv_import]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_csv_import://]
* A modular input that periodically uploads CSV data into the KV Store.
* The CSV file must contain headers for the import to work properly.
* This input runs every 4 hours or after a Splunk software restart.

log_level =
* The logging level of this input.
* Default: WARN

import_from_search =
* Indicates whether to import data from a CSV file or a Splunk search.
* If "true", this input imports data from the search specified by 'search_string'.
* If "false", this input imports CSV data from the path specified by 'csv_location'.
* This setting is required, and the input does not run if the setting is not present.
* There is no default.

csv_location =
* The location on disk of the CSV file to import.
* NOTE: The disk must be local to the search head. Cloud storage is not supported.
* This setting is required if you import data from a CSV file (if you set 'import_from_search' to "false").
* There is no default.

search_string =
* The Splunk search string that generates the data to import.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* There is no default.

service_security_group =
* The ITSI team that the imported services belong to.
* Use teams to group services by department, organization, or type of service and control access to the services.
* This setting is required, and the input does not run if the setting is not present.
* There is no default.

index_earliest =
* Specify the earliest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* Default: -15m

index_latest =
* Specify the latest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* Default: now

entity_title_field =
* The column name in the CSV file, or the field in the search, to import the entity title from.
* This field serves as the informal identifier of the entity.
* There is no default.

entity_merge_field =
* The column name in the CSV file, or the field in the search, to import the entity merge field from.
* There is no default.

entity_relationship_spec =
* A dictionary of key:value pairs that specifies how 'entity_title_field' associates with other fields and in what relationship.
* NOTE: This setting is unused.
* For example, {"hosts": "vm1, vm2", "hostedBy": "host_id"}, or {"hosts": ["vm1", "vm2"], "hostedBy": "host_id"}.
* For a record that has values for fields: vm1, vm2, host_id, <'entity_title_field' value>, three relationships are extracted:
  hosts
  hosts
  hostedBy
* There is no default.

selected_services =
* A list of existing services to associate the imported entities with.
* DEPRECATED.
* There is no default.

service_rel =
* A list of existing service relationships.
* DEPRECATED.
* Use this setting to represent service dependencies in ITSI.
* There is no default.

service_dependents =
* A list of child columns in the CSV file, or child fields in the search, that indicate service dependencies.
* There is no default.

entity_service_columns =
* A list of services found in the CSV file or search that are to be associated with the entity for the row.
* DEPRECATED.
* There is no default.

entity_identifier_fields =
* A list of columns found in the CSV file or fields in the search that identify the entities (entity aliases).
* There is no default.

entity_description_column =
* A list of columns found in the CSV file or fields in the search that describe the entities.
* There is no default.

entity_informational_fields =
* A list of informational columns in the CSV file or fields in the search.
* These are non-identifying fields for the entities.
* There is no default.

entity_field_mapping =
* A key-value mapping of fields to re-map to other fields in your data.
* Follows a = format.
* For example, ip1 = dest, ip2 = dest, storage_type = volume
* Use this setting to rename a field or column to an alias or info value.
* There is no default.

service_title_field =
* The field to import the service title from.
* This field is the informal identifier of the service.
* There is no default.
* This setting is required if you import services.

service_description_column =
* A list of columns in the CSV file or fields in the search that describe the services.
* There is no default.

service_tags_field =
* A list of columns in the CSV file or fields in the search that add descriptor tags to the services.
* There is no default.

service_enabled =
* Whether or not imported services are enabled.
* Default: false

service_template_field =
* This setting determines which service template a service is linked to.
* There is no default.
template =
* A dictionary of key:value pairs that maps entity rules to service templates.
* For example, {"test_template_2":{"entity_rules":[{"rule_items":
  [{"rule_type":"matches","field_type":"alias","field":"whoa","value":"doe"}],
  "rule_condition":"AND"}]},"test_template_1":{"entity_rules":[{"rule_items":
  [{"rule_type":"matches","field_type":"alias","field":"blah","value":"da"}],
  "rule_condition":"AND"}]}}
* CAUTION: Do not change this setting.
* There is no default.

backfill_enabled =
* This setting determines whether to enable backfill on all Key Performance Indicators (KPIs) in linked service templates.
* Backfill is the process of getting historical KPI data.
* ITSI backfills the KPI summary index (itsi_summary). You must have indexed adequate raw data for the backfill period.
* There is no default.

update_type =
* The update/insertion method when uploading entities.
* This setting is required, and the input will not run if the setting is not present.
* APPEND: ITSI makes no attempt to identify commonalities between entities. All information is appended to the table.
* UPSERT: ITSI appends new entries. Existing entries (based on the value found in the title_field) have additional information appended to the existing record.
* REPLACE: ITSI appends new entries. Existing entries (based on the value found in the title_field) are replaced by the new record value.
* There is no default.

interval =
* The interval, in seconds, that determines how often this input runs.
* There is no default.

[itsi_async_csv_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_async_csv_loader://]
* A modular input that periodically uploads CSV data into the KV store.
* The file must contain headers for the import to work properly.

log_level =
* The logging level of this input.
* Default: WARN

import_from_search =
* Indicates whether to import data from a CSV file or a Splunk search.
* If "true", this input imports data from the search specified by 'search_string'.
* If "false", this input imports CSV data from the path specified by 'csv_location'.
* This setting is required, and the input does not run if the setting is not present.
* There is no default.

csv_location =
* The location on disk of the CSV file to import.
* NOTE: The disk must be local to the search head. Cloud storage is not supported.
* This setting is required if you import data from a CSV file (if you set 'import_from_search' to "false").
* There is no default.

search_string =
* The Splunk search string that generates the data to import.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* There is no default.

index_earliest =
* Specify the earliest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* Default: -15m

index_latest =
* Specify the latest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string (if you set 'import_from_search' to "true").
* Default: now

entity_title_field =
* The column name in the CSV file, or the field in the search, to import the entity title from.
* This field serves as the informal identifier of the entity.
* There is no default.

entity_merge_field =
* The column name in the CSV file, or the field in the search, to import the entity merge field from.
* There is no default.

entity_relationship_spec =
* A dictionary of key:value pairs that specifies how 'entity_title_field' associates with other fields and in what relationship.
* NOTE: This setting is unused.
* For example, {"hosts": "vm1, vm2", "hostedBy": "host_id"}, or {"hosts": ["vm1", "vm2"], "hostedBy": "host_id"}.
* For a record that has values for fields: vm1, vm2, host_id, <'entity_title_field' value>, three relationships are extracted:
  hosts
  hosts
  hostedBy
* There is no default.

selected_services =
* A list of existing services to associate the imported entities with.
* DEPRECATED.
* There is no default.

service_rel =
* A list of existing service relationships.
* DEPRECATED.
* Use this setting to represent service dependencies in ITSI.
* There is no default.

service_dependents =
* A list of child columns in the CSV file, or child fields in the search, that indicate service dependencies.
* There is no default.

entity_service_columns =
* A list of services found in the CSV file or search that are to be associated with the entity for the row.
* DEPRECATED.
* There is no default.

entity_identifier_fields =
* A list of columns found in the CSV file or fields in the search that identify the entities (entity aliases).
* There is no default.

entity_description_column =
* A list of columns found in the CSV file or fields in the search that describe the entities.
* There is no default.

entity_informational_fields =
* A list of informational columns in the CSV file or fields in the search.
* These are non-identifying fields for the entities.
* There is no default.

entity_field_mapping =
* A key-value mapping of fields to re-map to other fields in your data.
* Follows a = format.
* For example, ip1 = dest, ip2 = dest, storage_type = volume
* Use this setting to rename a field or column to an alias or info value.
* There is no default.

service_title_field =
* The field to import the service title from.
* This field is the informal identifier of the service.
* There is no default.
* This setting is required if you import services.

service_description_column =
* A list of columns in the CSV file or fields in the search that describe the services.
* There is no default.
service_tags_field =
* A list of columns in the CSV file or fields in the search that add descriptor tags to the services.
* There is no default.

update_type =
* The update/insertion method when uploading entities.
* This setting is required, and the input will not run if the setting is not present.
* APPEND: ITSI makes no attempt to identify commonalities between entities. All information is appended to the table.
* UPSERT: ITSI appends new entries. Existing entries (based on the value found in the title_field) have additional information appended to the existing record.
* REPLACE: ITSI appends new entries. Existing entries (based on the value found in the title_field) are replaced by the new record value.
* There is no default.

[itsi_migration_queue]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_migration_queue://]
* A modular input that checks the ITSI migration queue.
* If the queue is not empty, it starts a migration with the parameters stored in the queue.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_refresher]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_refresher://]
* A modular input that processes deferred methods using a single queue processor.
* Tracks relational objects and dependencies.
* This input detects conflicts and ensures consistency across ITSI.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_consumer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_consumer://]
* A modular input that processes deferred methods using multiple queues across the Splunk environment.

log_level =
* The logging level of this input.
* Default: INFO

number_of_thread =
* Number of threads enabled for certain refresh queue jobs.
* 0 or 1 means a single thread.
* Default: 8

[itsi_backup_restore]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_backup_restore://]
* A modular input that performs backup and restore operations by managing backup/restore jobs.
* If you restore ITSI from a backup of an older version of ITSI, migration begins during the restore process.
* The input runs every 5 seconds to check for the scheduled job.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_scheduled_backup_caller]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_scheduled_backup_caller://]
* A modular input that manages ITSI backup schedules.
* For example, you might use this input if you want to back up ITSI every night at 1 am.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_service_template_update_scheduler]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_service_template_update_scheduler://]
* A modular input that performs a scheduled sync from service templates to services every 15 minutes.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_backfill]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_backfill://]
* A modular input that manages KPI backfill jobs.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_notable_event_archive]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_notable_event_archive://]
* A modular input that moves notable events from the KV store to the index every hour.

owner =
* Splunk cannot read the modular name unless a parameter is specified. Therefore, ITSI passes 'owner = '.

[maintenance_minder]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[maintenance_minder://]
* A modular input that runs every 60 seconds and populates the operative maintenance log based on configured maintenance windows.
* This input is responsible for putting services into maintenance mode.

log_level =
* The logging level of this input.
* Default: INFO

[custom_threshold_window_minder]
python.version = python3

[custom_threshold_window_minder://name]
* A modular input that runs every 60 seconds and populates the operative custom threshold window log based on configured custom threshold windows.
* This input is responsible for putting KPIs into a custom threshold window.

log_level =
* The logging level of this input.
* Default: INFO

[custom_threshold_window_overlaps_detector://name]
* A modular input that runs every 86400 seconds (24 hours) to populate the overlapping KPIs for custom threshold windows.
* This input is responsible for updating the overlapping KPIs.

log_level =
* The logging level of this input.
* Default: INFO

[service_sandbox_status_updater://name]
* A job that moves all Service Sandbox objects to edit mode at restart.
* This input is responsible for updating the status of Service Sandbox objects.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_default_aggregation_policy_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_default_aggregation_policy_loader://]
* A modular input that loads the default aggregation policy.
* The default aggregation policy receives notable events that do not match the filtering criteria of any other aggregation policies.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_default_correlation_search_acl_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_default_correlation_search_acl_loader://]
* A modular input that loads the Access Control List (ACL) for the default correlation searches provided with ITSI:
  "Monitor Critical Services Based on Health Score", "Splunk App for Infrastructure Alerts", and "Normalized Correlation Search".
* This input pulls ACL information from the KV store.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_notable_event_hec_init]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_notable_event_hec_init://]
* A modular input that initializes the HEC client on a search head by creating and showing pertinent HEC tokens.
* A new HEC token is acquired during a Splunk restart.
* The internal system populates the new HEC token automatically.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_notable_event_actions_queue_consumer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.
[itsi_notable_event_actions_queue_consumer://name]
* A modular input that acts as a consumer of the queue for executing notable event actions, such as pinging a host or running a script.
* This setting is primarily used by the rules engine.

exec_delay_time =
* The amount of time, in seconds, to delay execution of a notable event action.
* Default: 0

batch_size =
* The number of jobs to pick up in a single request from the notable event actions queue.
* Default: 5

timeout =
* The timeout period, in seconds, that ITSI uses when a user reclaims an expired job.
* Default: 7200 (2 hours)

system_user_name =
* The username of the system.
* Default: splunk-system-user

[itsi_age_kpi_alert_value_cache]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_age_kpi_alert_value_cache://]
* A modular input that cleans up the aged entries in the KPI summary cache.

retentionTimeInSec =
* Aging/retention time, in seconds, for entries present in the KPI summary cache.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_summary_metrics_backfill]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_summary_metrics_backfill://]
* A modular input that migrates data from the itsi_summary index to the itsi_summary_metrics index by checking the metrics_backfill queue.

disabled =
* Whether or not the modular input for metrics backfill is disabled.
* Default: 1

log_level =
* The logging level of this input.
* Default: INFO

metrics_backfill_throttle =
* The amount of time, in seconds, that the backfill function pauses between executing metrics backfill searches.
* Default: 10

metrics_backfill_length =
* The amount of time, in days, that the metrics backfill searches look back to migrate data into the itsi_summary_metrics index.
* Default: 3

metrics_backfill_concurrent_searches =
* The number of concurrent searches the backfill function runs at the same time.
* Having more concurrent searches allows backfill searches to complete faster but puts more load on the indexers.

[itsi_suite_enforcer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_suite_enforcer://]
* A modular input that enforces suite editions.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_backfill_record_cleanup]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_backfill_record_cleanup://]
* A modular input that cleans up backfill records.

log_level =
* The logging level of this input.
* Default: INFO

interval =
* The interval, in seconds, that determines how often this input runs.
* There is no default.

[itsi_content_pack_authorship]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

build_timeout = 3600
* If a content pack is stuck in the build state for longer than 'build_timeout', it is marked as Failed.
* Default: 3600 (1 hour)

[itsi_content_pack_authorship://]
* A modular input that checks the ITSI content pack authorship queue.
* If the queue is not empty, it starts a process to create the content packs in the queue.

log_level =
* The logging level of this input.
* Default: INFO

[itsi_upgrade_readiness]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select which Python version to use.

[itsi_upgrade_readiness://]
* A modular input that checks for malformed KV store objects in preparation for an upgrade.

log_level =
* The logging level of this input.
* Default: INFO

interval =
* The interval, in seconds, that determines how often this input runs.
* There is no default.

[itsi_high_scale_ea]
python.version = {default|python|python2|python3}

[itsi_high_scale_ea://name]
* This modular input enables or disables the High Scale Event Analytics (EA) pipeline.
* When it is enabled, it disables classic EA by disabling the 'itsi_event_grouping' search and updating the search text
  to remove (stop) the rules engine cron job, and then enables High Scale EA.
* When it is disabled, it updates the 'itsi_event_grouping' search text to add the rules engine cron job back, but does
  not enable the search. The user decides when to enable the classic rules engine by enabling the search.
* No interval is specified. The input runs only on start-up and when it is enabled from the UI (Data Inputs).

log_level =
* The logging level of this input.
* Default: INFO

[itsi_at_saved_search_rewriter]
python.version = {default|python|python2|python3}

[itsi_at_saved_search_rewriter://]
* This modular input rewrites Adaptive Thresholding (AT) saved searches based on the feature flag itsi-at-outlier-removal.
* If the flag is enabled, it uses the 'applyat' command for the AT saved searches, a new command starting in 4.17.0 that
  provides outlier removal before Adaptive Thresholding; otherwise it uses 'itsiat', the older version of AT.
* No interval is specified. The input runs only on start-up and when it is enabled from the UI (Data Inputs).

log_level =
* The logging level of this input.
* Default: INFO

[script://$SPLUNK_HOME/etc/apps/SA-ITOA/bin/itsi_adhoc_re_init.py]
* This modular input script triggers the Rules Engine Java process.
* Use the itsichangerulesengineprocess command to toggle the itsi-rulesengine-adhoc feature and switch between
  Realtime mode and Adhoc mode.

command.arg.1 =
* First command line argument provided to initialize the Rules Engine. Do not change.
* Default: -J-Xmx8192M

command.arg.2 =
* Second command line argument provided to initialize the Rules Engine. Do not change.
* Default: -Dlog4j.configurationFile=../default/log4j_rules_engine.xml

command.arg.3 =
* Third command line argument provided to initialize the Rules Engine. Do not change.
* Default: -DitsiRulesEngine.configurationFile=../default/itsi_rules_engine.properties

command.arg.4 =
* Fourth command line argument provided to initialize the Rules Engine. Do not change.
* Default: -Dfile.encoding=UTF-8

command.arg.5 =
* Fifth command line argument provided to initialize the Rules Engine. Do not change.
* Default: -Dconfig.file=../lib/java/event_management/akka_application.conf

command.arg.6 =
* Sixth command line argument provided to initialize the Rules Engine. Do not change.
* Default: -DitsiRulesEngine.localConfigurationFile=../local/itsi_rules_engine.properties

command.arg.7 =
* Seventh command line argument provided to initialize the Rules Engine. Do not change.
* Default: modInput
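As an added example (not part of the SA-ITOA spec file and not ITSI's own code), the following Python script checks [itsi_csv_import://...] stanzas against the required-setting rules the spec states for that input before the stanza is placed in $SPLUNK_HOME/etc/apps/SA-ITOA/local/inputs.conf: 'import_from_search', 'service_security_group' and 'update_type' must be present; 'search_string' or 'csv_location' must be present depending on the import mode; 'update_type' must be APPEND, UPSERT or REPLACE; and 'csv_location' must point at disk local to the search head rather than cloud storage. The stanza names, the team key 'example_team', the search string and the paths in SAMPLE_CONF are constructed for this example, and the "://" test for a remote 'csv_location' is a heuristic of this script, not a check ITSI performs.

```python
"""Added example, not part of the SA-ITOA spec file: pre-deployment check of
itsi_csv_import stanzas against the required-setting rules in the spec."""
import configparser

# Constructed sample inputs.conf content. Stanza names, the team key
# 'example_team', the search string and the paths are hypothetical.
SAMPLE_CONF = """
[itsi_csv_import://inventory_from_search]
import_from_search = true
search_string = index=cmdb sourcetype=inventory | table host owner env service
# example_team stands in for the key of an existing ITSI team
service_security_group = example_team
index_earliest = -15m
index_latest = now
entity_title_field = host
entity_identifier_fields = host
entity_informational_fields = owner, env
update_type = UPSERT
interval = 14400

[itsi_csv_import://inventory_from_file]
import_from_search = false
csv_location = /opt/splunk/etc/apps/SA-ITOA/lookups/inventory.csv
entity_title_field = host
update_type = MERGE

[itsi_csv_import://inventory_from_bucket]
import_from_search = false
csv_location = s3://example-bucket/inventory.csv
service_security_group = example_team
update_type = REPLACE
"""

# Settings the spec marks as required (the input does not run without them).
REQUIRED = ("import_from_search", "service_security_group", "update_type")
# Values the spec lists for update_type, compared exactly as listed.
UPDATE_TYPES = ("APPEND", "UPSERT", "REPLACE")


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def validate_csv_import(settings):
    """Return the list of problems an itsi_csv_import stanza has against the spec."""
    problems = []
    for key in REQUIRED:
        if not settings.get(key, "").strip():
            problems.append(f"{key} is required; the input does not run without it")

    mode = settings.get("import_from_search", "").strip().lower()
    if mode == "true":
        if not settings.get("search_string", "").strip():
            problems.append("search_string is required when import_from_search is true")
    elif mode == "false":
        path = settings.get("csv_location", "").strip()
        if not path:
            problems.append("csv_location is required when import_from_search is false")
        elif "://" in path:  # heuristic for a remote/cloud URI; the spec requires local disk
            problems.append("csv_location must be on disk local to the search head, not cloud storage")
    elif mode:
        problems.append(f"import_from_search must be true or false, got {mode!r}")

    update_type = settings.get("update_type", "").strip()
    if update_type and update_type not in UPDATE_TYPES:
        problems.append(f"update_type must be one of {', '.join(UPDATE_TYPES)}, got {update_type!r}")
    return problems


def validate_conf(text):
    """Validate every itsi_csv_import stanza in the conf text."""
    return {
        name: validate_csv_import(settings)
        for name, settings in parse_conf(text).items()
        if name.startswith("itsi_csv_import://")
    }


if __name__ == "__main__":
    for stanza, problems in validate_conf(SAMPLE_CONF).items():
        status = "OK" if not problems else "\n  - ".join(["PROBLEMS"] + problems)
        print(f"[{stanza}] {status}")
```

Run it against a local inputs.conf by passing the file's contents to validate_conf; the first sample stanza passes, the second is reported for a missing 'service_security_group' and an update_type outside the spec's three values, and the third for a cloud URI in 'csv_location'. The async loader ([itsi_async_csv_loader://]) shares most of these settings but, per the spec above, does not list 'service_security_group', so the check is deliberately limited to itsi_csv_import stanzas.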