# Scheduled searches (savedsearches.conf-style stanzas) that feed the ITSI
# entity-import action, itsi_import_objects. Each search discovers resources
# from the metric indexes selected by the `itsi-cp-observability-indexes`
# macro and shapes one result row per entity.
#
# Common to every stanza in this file:
#   * disabled is 1, so nothing runs until the stanza is enabled; cron_schedule
#     and enableSched = 1 only take effect after that.
#   * update_type = upsert and backfill_enabled = 0.
#   * service_team = default_itsi_security_group (presumably ITSI's built-in
#     Global team -- confirm that is the intended visibility).
#   * The macro is referenced here but defined outside this file.
#
# NOTE(review): dimension values returned by the searches are copied unchanged
# into entity titles, identifier fields and informational fields. Any sender
# able to write metrics into the indexes behind the macro can therefore add or
# change ITSI entities through the upsert. Keep the macro's index list and
# write access to those indexes narrow before enabling a stanza.
#
# NOTE(review): several stanzas store cloud account identifiers (AWS account
# ID, Azure subscription ID, GCP project ID and number) as entity fields.
# Confirm that everyone who can read ITSI entities is meant to see them.

# AWS EC2 instances: one row per InstanceId (dedup InstanceId); the entity is
# titled and merged on InstanceId, with AccountID and Region as identifiers.
[ITSI Import Objects - Get_SIM_AWS_EC2]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = AccountID,Region
action.itsi_import_objects.param.entity_informational_fields = SignalFxRealm,entity_type,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,SignalFxCloudRegion,SignalFxCloudAccountId,InstanceType,ImageId,Cloud
action.itsi_import_objects.param.entity_merge_field = InstanceId
action.itsi_import_objects.param.entity_title_field = InstanceId
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
alert.track = 0
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND namespace=AWS/EC2 AND aws_account_id=* AND InstanceId=* by InstanceId, aws_account_id, aws_region, aws_image_id, aws_instance_type, sf_organizationID, sf_realm | dedup InstanceId | rename InstanceId as dim.InstanceId aws_account_id as dim.AccountID aws_region as dim.Region aws_image_id as dim.ImageId aws_instance_type as dim.InstanceType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "AWS", entity_type="AWS EC2", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", SignalFxNavigator = "AWS%20instances", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = InstanceId, SignalFxCloudAccountId = "aws_account_id:" + AccountID

# AWS Lambda functions: deduplicated on function name + account + region.
# NOTE(review): entity_merge_field is FunctionName alone while update_type is
# upsert -- confirm that same-named functions in different accounts or regions
# are not folded into one entity. ITSIUniqueId is AccountID + Region +
# FunctionName concatenated with no separator.
[ITSI Import Objects - Get_SIM_AWS_Lambdas]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ITSIUniqueId,Region,AccountID
action.itsi_import_objects.param.entity_informational_fields = entity_type,entity_description,SignalFxRealm,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,SignalFxCloudRegion,SignalFxCloudAccountId,Cloud
action.itsi_import_objects.param.entity_merge_field = FunctionName
action.itsi_import_objects.param.entity_title_field = FunctionName
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
alert.track = 0
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND aws_account_id=* AND namespace="AWS/Lambda" AND Resource=* by aws_function_name, aws_account_id, aws_region, sf_organizationID, sf_realm | dedup aws_function_name, aws_account_id, aws_region | rename Resource as dim.Resource aws_function_name as dim.FunctionName aws_account_id as dim.AccountID aws_region as dim.Region sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "AWS", entity_type="AWS Lambda", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Region: " + Region + " in Account: " + AccountID, SignalFxNavigator = "lambda", SignalFxCloudRegion = "aws_region:" + Region, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "aws_account_id:" + AccountID, ITSIUniqueId = AccountID + Region + FunctionName

# Azure Functions: deduplicated on resource name + region + resource id.
# NOTE(review): merged and titled on FunctionName alone; confirm behaviour for
# same-named functions in different subscriptions. ITSIUniqueId is
# SubscriptionId + Location + FunctionName with no separator.
# This stanza does not set alert.track, unlike the AWS stanzas.
[ITSI Import Objects - Get_SIM_Azure_Functions]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ITSIUniqueId,Location,SubscriptionId,ResourceId
action.itsi_import_objects.param.entity_informational_fields = entity_type,entity_description,SubscriptionName,SignalFxRealm,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,SignalFxCloudRegion,SignalFxCloudAccountId,ResourceGroupName,Cloud
action.itsi_import_objects.param.entity_merge_field = FunctionName
action.itsi_import_objects.param.entity_title_field = FunctionName
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND azure_resource_id=* AND is_Azure_Function=true by azure_resource_name, azure_region, azure_resource_id, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm | dedup azure_resource_name, azure_region, azure_resource_id | rename azure_resource_id as dim.ResourceId azure_resource_name as dim.FunctionName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "Azure", entity_type="Azure Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Function name: " + FunctionName + " in Location: " + Location + " in Subscription: " + SubscriptionId, SignalFxNavigator = "azurefunctions", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = SubscriptionId + Location + FunctionName

# GCP Cloud Functions: one row per gcp_id (dedup gcp_id); the `region`
# dimension is renamed to Zone.
# NOTE(review): merged and titled on FunctionName alone; confirm behaviour for
# same-named functions in different projects. ITSIUniqueId is ProjectId +
# Zone + FunctionName with no separator.
[ITSI Import Objects - Get_SIM_GCP_Functions]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ITSIUniqueId,Zone,ProjectId
action.itsi_import_objects.param.entity_informational_fields = entity_description,entity_type,SignalFxRealm,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,SignalFxCloudRegion,SignalFxCloudAccountId,ProjectNumber,ProjectName,Id,Cloud
action.itsi_import_objects.param.entity_merge_field = FunctionName
action.itsi_import_objects.param.entity_title_field = FunctionName
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND function_name=* AND gcp_id=* by gcp_id, function_name, region, project_id, gcp_project_number, gcp_project_name, sf_organizationID, sf_realm | dedup gcp_id | rename gcp_id as dim.Id function_name as dim.FunctionName region as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "GCP", entity_type="GCP Cloud Functions", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Project: " + ProjectId + ", Function name: " + FunctionName + ", Zone: " + Zone, SignalFxNavigator = "gcp%20cloudfunctions", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = FunctionName, SignalFxCloudAccountId = "project_id:" + ProjectId, ITSIUniqueId = ProjectId + Zone + FunctionName

# Splunk APM services: one entity per service + environment + organization +
# realm, merged on the composite SplunkApmEntity and titled with sf_service.
# The search's final `table` outputs only SplunkApmEntity, sf_service,
# sf_environment, entityType, description, type, sf_organizationID and
# sf_realm; the remaining names in entity_informational_fields (the
# splunkApmLink* fields, startTime, endTime) are not produced here --
# presumably populated elsewhere; confirm.
# The search value is continued with trailing backslashes: keep comment lines
# out of it.
[ITSI Import Objects - Splunk-APM Application Entity Search]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_description_fields = description
action.itsi_import_objects.param.entity_informational_fields = SplunkApmEntity,sf_environment,type,sf_organizationID,sf_realm,splunkAPMLinkUrl,splunkApmLinkbase,splunkApmLinkFilters1,splunkApmLinkFilters2,splunkApmLinkFilters3,splunkApmLinkSelectedNode,splunkApmLinkSelectedNodeTags,splunkApmLinkSelectedNodeTagValue,endTime,startTime
action.itsi_import_objects.param.entity_merge_field = SplunkApmEntity
action.itsi_import_objects.param.entity_title_field = sf_service
action.itsi_import_objects.param.entity_type_field = entityType
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
alert.track = 0
# At minute 0 of every hour, looking back 60 minutes snapped to the minute.
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
disabled=1
schedule_window = auto
search = | mstats avg(*) span=5m WHERE `itsi-cp-observability-indexes` AND sf_environment="*" GROUPBY sf_environment sf_service sf_streamLabel sf_organizationID sf_realm \
| eval entityType="SplunkAPM", description="Splunk Application Performance Monitoring (APM)", type="SplunkAPM", SplunkApmEntity = sf_service + "-" + sf_environment + "-" + sf_organizationID + "-" + sf_realm \
| table SplunkApmEntity sf_service sf_environment entityType description type sf_organizationID sf_realm

# Hosts reported with a host.name dimension, filtered with cluster!=*: one row
# per host.name (dedup host.name). ITSIUniqueId is host_name + "_" +
# computationId, and the entity is merged and titled on host_name.
[ITSI Import Objects - Get_OS_Hosts]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ITSIUniqueId
action.itsi_import_objects.param.entity_informational_fields = extracted_host,entity_type,SignalFxRealm,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,Cloud,computationId
action.itsi_import_objects.param.entity_merge_field = host_name
action.itsi_import_objects.param.entity_title_field = host_name
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
alert.track = 0
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND cluster!=* AND host.name=* by host.name,extracted_host, computationId, sf_organizationID, sf_realm | dedup host.name | rename host.name as dim.host_name extracted_host as dim.extracted_host computationId as dim.computationId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "My Data Center Hosts", entity_type="OS Hosts", SignalFxNavigator = "OS%20Host", SignalFxCloudServiceId = host_name, ITSIUniqueId = host_name + "_" + computationId

# GCP Compute Engine instances: one row per instance_id (dedup instance_id),
# merged and titled on gcp_id.
# NOTE(review): ITSIUniqueId is ProjectId + InstanceName with no separator.
# The search emits entity_description_field, whereas the other cloud stanzas
# emit entity_description -- confirm the name is intentional.
[ITSI Import Objects - Get_SIM_GCP_Compute]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ProjectId,Zone,InstanceId,InstanceName,ITSIUniqueId
action.itsi_import_objects.param.entity_informational_fields = Cloud,service,entity_type,entity_description_field,SignalFxRealm,SignalFxOrganizationID,SignalFxNavigator,SignalFxCloudServiceId,SignalFxCloudRegion,SignalFxCloudAccountId,ProjectNumber,ProjectName,MachineType
action.itsi_import_objects.param.entity_merge_field = gcp_id
action.itsi_import_objects.param.entity_title_field = gcp_id
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND gcp_id=* AND service=compute by gcp_id, service, instance_id, instance_name, zone, project_id, gcp_project_number, gcp_project_name, gcp_machine_type, sf_organizationID, sf_realm | dedup instance_id | rename gcp_id as dim.gcp_id service as dim.service instance_id as dim.InstanceId instance_name as dim.InstanceName zone as dim.Zone project_id as dim.ProjectId gcp_project_number as dim.ProjectNumber gcp_project_name as dim.ProjectName gcp_machine_type as dim.MachineType sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud = "GCP", entity_type="GCP Compute Engine", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description_field="Project ID: " + ProjectId + ", Instance name: " + InstanceName, SignalFxNavigator = "gcp%20compute", SignalFxCloudRegion = "zone:" + Zone, SignalFxCloudServiceId = gcp_id, SignalFxCloudAccountId = "gcp_project_number:" + ProjectNumber, ITSIUniqueId = ProjectId + InstanceName

# Azure virtual machines (three resource_type values, including scale-set
# members): deduplicated on resource id + resource name.
# NOTE(review): merged and titled on ResourceName alone; confirm behaviour for
# same-named VMs in different resource groups or subscriptions. ITSIUniqueId
# is ResourceId + ResourceName with no separator.
[ITSI Import Objects - Get_SIM_Azure_VM]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = ResourceId,ITSIUniqueId,Location,SubscriptionId
action.itsi_import_objects.param.entity_informational_fields = entity_type,Cloud,ResourceGroupName,SignalFxCloudAccountId,SignalFxCloudRegion,SignalFxCloudServiceId,SignalFxNavigator,SignalFxOrganizationID,SignalFxRealm,SubscriptionName,entity_description
action.itsi_import_objects.param.entity_merge_field = ResourceName
action.itsi_import_objects.param.entity_title_field = ResourceName
action.itsi_import_objects.param.entity_type_field = entity_type_field
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
alert.track = 0
# Every 10 minutes, looking back only 15 minutes (the other cloud stanzas use
# 60 minutes).
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND azure_resource_id=* AND (resource_type="Microsoft.Compute/virtualMachines" OR resource_type="Microsoft.ClassicCompute/virtualMachines" OR resource_type="Microsoft.Compute/virtualMachineScaleSets/virtualMachines") by azure_resource_id, azure_resource_name, azure_region, azure_resource_group_name, azure_subscription_display_name, subscription_id, sf_organizationID, sf_realm | dedup azure_resource_id, azure_resource_name | rename azure_resource_id as dim.ResourceId azure_resource_name as dim.ResourceName azure_region as dim.Location azure_resource_group_name as dim.ResourceGroupName azure_subscription_display_name as dim.SubscriptionName subscription_id as dim.SubscriptionId sf_organizationID as dim.SignalFxOrganizationID sf_realm as dim.SignalFxRealm | fields dim.* | rename dim.* as * | eval Cloud="Azure", entity_type="Azure VM", entity_type_field=entity_type + ",Splunk Infrastructure Monitoring", entity_description="Resource ID: " + ResourceId + ", Resource name: " + ResourceName, SignalFxNavigator = "azurevirtualmachines", SignalFxCloudRegion = "azure_region:" + Location, SignalFxCloudServiceId = ResourceName, SignalFxCloudAccountId = "subscription_id:" + SubscriptionId, ITSIUniqueId = ResourceId + ResourceName

# RUM mobile apps (os.name Android or iOS): merged and titled on
# app_identifier = app:app_version:os_name:sf_environment:sf_organizationID,
# one row per app_identifier.
[ITSI Import Objects - Get_RUM_APPS]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = app,sf_environment,app_version,os_name
action.itsi_import_objects.param.entity_informational_fields = computationId,sf_organizationID,sf_product,sf_realm,entity_type_field
action.itsi_import_objects.param.entity_merge_field = app_identifier
action.itsi_import_objects.param.entity_title_field = app_identifier
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 4 hours.
cron_schedule = */10 * * * *
dispatch.earliest_time = -4h
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND app=* AND (os.name=Android OR os.name=iOS) by app, app.version, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, os.name | eval app_version='app.version', os_name='os.name' | eval entity_type="RUM App Metrics", entity_type_field=entity_type+", Real User Monitoring", app_identifier= app +":"+ app_version +":"+ os_name +":"+ sf_environment +":"+ sf_organizationID | dedup app_identifier

# RUM browser apps (sf_ua_osname Linux, Windows or "Mac OS X"): merged and
# titled on browsers = sf_ua_browsername:app:sf_ua_osname.
# NOTE(review): the key omits sf_environment and sf_organizationID, and
# `dedup browsers` keeps one row per key, so the same app and browser seen in
# several environments or organizations yields a single row -- confirm that is
# intended.
[ITSI Import Objects - Get_RUM_BROWSER]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_description_fields = entity_type_field
action.itsi_import_objects.param.entity_identifier_fields = app,sf_environment,sf_ua_browsername,sf_ua_osname
action.itsi_import_objects.param.entity_informational_fields = computationId,sf_organizationID,sf_product,sf_realm
action.itsi_import_objects.param.entity_merge_field = browsers
action.itsi_import_objects.param.entity_title_field = browsers
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 4 hours.
cron_schedule = */10 * * * *
dispatch.earliest_time = -4h
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND app=* AND (sf_ua_osname=Linux OR sf_ua_osname=Windows OR sf_ua_osname="Mac OS X") by app, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, sf_ua_browsername, sf_ua_osname | eval entity_type="RUM Browser Metrics", entity_type_field=entity_type+", Real User Monitoring", browsers= sf_ua_browsername +":"+ app +":"+ sf_ua_osname | dedup browsers

# RUM synthetic traffic (sf_ua_osname=Rigor): merged and titled on
# syn_browsers = sf_ua_browsername:app:sf_ua_osname, one row per key. As in
# Get_RUM_BROWSER, the key omits sf_environment and sf_organizationID.
[ITSI Import Objects - Get_RUM_SYNTHETICS]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_description_fields = entity_type_field
action.itsi_import_objects.param.entity_identifier_fields = app,sf_environment,sf_ua_browsername,sf_ua_osname
action.itsi_import_objects.param.entity_informational_fields = computationId,sf_organizationID,sf_product,sf_realm
action.itsi_import_objects.param.entity_merge_field = syn_browsers
action.itsi_import_objects.param.entity_title_field = syn_browsers
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
# Every 10 minutes, looking back 60 minutes.
cron_schedule = */10 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled=1
search = | mcatalog values(_dims) where `itsi-cp-observability-indexes` AND app=* AND (sf_ua_osname=Rigor) by app, computationId, sf_environment, sf_organizationID, sf_product, sf_realm, sf_ua_browsername, sf_ua_osname | eval entity_type="RUM Synthetic Metrics", entity_type_field=entity_type+", Real User Monitoring", syn_browsers=sf_ua_browsername +":"+ app +":"+ sf_ua_osname | dedup syn_browsers

# Added in v3.0.0
# The three SSM_get_entities_* stanzas differ only in the test_type filter
# (api, browser, http) and in the label written back into test_type. Each runs
# at minute 15 of every hour, uses test_id as the identifier and merges and
# titles entities on `test`.
[ITSI Import Objects - SSM_get_entities_api]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = test_id
action.itsi_import_objects.param.entity_informational_fields = sf_realm
action.itsi_import_objects.param.entity_merge_field = test
action.itsi_import_objects.param.entity_title_field = test
action.itsi_import_objects.param.entity_type_field = test_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = 15 * * * *
disabled = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
search = | mstats count(_value) as mval WHERE `itsi-cp-observability-indexes` AND metric_name=* AND test_type=api BY test, test_type, test_id, sf_realm | eval test_type="Synthetic API Test" | table test, test_id, test_type, sf_realm

# Synthetic browser tests (test_type=browser).
[ITSI Import Objects - SSM_get_entities_browser]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = test_id
action.itsi_import_objects.param.entity_informational_fields = sf_realm
action.itsi_import_objects.param.entity_merge_field = test
action.itsi_import_objects.param.entity_title_field = test
action.itsi_import_objects.param.entity_type_field = test_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = 15 * * * *
disabled = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
search = | mstats count(_value) as mval WHERE `itsi-cp-observability-indexes` AND metric_name=* AND test_type=browser BY test, test_type, test_id, sf_realm | eval test_type="Synthetic Browser Test" | table test, test_id, test_type, sf_realm

# Synthetic HTTP tests (test_type=http).
[ITSI Import Objects - SSM_get_entities_http]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = test_id
action.itsi_import_objects.param.entity_informational_fields = sf_realm
action.itsi_import_objects.param.entity_merge_field = test
action.itsi_import_objects.param.entity_title_field = test
action.itsi_import_objects.param.entity_type_field = test_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = 15 * * * *
disabled = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
search = | mstats count(_value) as mval WHERE `itsi-cp-observability-indexes` AND metric_name=* AND test_type=http BY test, test_type, test_id, sf_realm | eval test_type="Synthetic HTTP Test" | table test, test_id, test_type, sf_realm