admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9ab7639020'
${ noResults }
Deploiement_Server/deployment-apps/DA-ITSI-CP-monitoring-alerting/default/macros.conf

222 lines
11 KiB
Raw Blame History

[itsi_summary_to_itsi_tracked_alerts_field_mapping]
definition = eval serviceid=itsi_service_id, itsi_kpi_id=kpiid, kpi_name=kpi, actual_time=_time\
| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title AS service_name \
| convert ctime(actual_time) as actual_time
[itsi_aggregate_kpi_data]
definition = `get_itsi_summary_index` (indexed_is_service_aggregate::1 AND indexed_is_service_max_severity_event::0)
iseval = 0
[itsi_entity_kpi_data]
definition = `get_itsi_summary_index` (indexed_is_service_aggregate::0)
iseval = 0
[filter_to_open_episodes]
definition = lookup itsi_notable_group_system_lookup _key AS itsi_group_id OUTPUT is_active \
| search is_active=1 \
| lookup itsi_notable_group_user_lookup _key AS itsi_group_id OUTPUT severity as itsi_group_severity, status as itsi_group_status \
| search itsi_group_status!=5
[add_alert_trigger_fields(1)]
args = alert_trigger_reason
definition = eval alert_trigger_reason="$alert_trigger_reason$", groupingid="Episode Monitoring Alert"\
\
```Ensure that episode monitoring alerts emit their notable events at the time they ran, not the time of the notable they determined they should alert from```\
| eval _time=now()\
\
| eval spl_comment="Ensure that specifically reserved itsi fields are not present on these events"\
| `remove_itsi_notable_event_reserved_fields`\
\
| eval spl_comment="If the notable doesn't yet have an episode_contact field, this will add it in"\
`get_contact_for_alert_group`
[add_itsi_summary_token_fields_for_notables]
definition = eval alert_time=strftime(_time,"%l:%M %p %Z on %m/%d/%Y"), alert_severity_upper=upper(alert_severity)
iseval = 0
[itsi_sev_normal]
definition = 2
iseval = 0
[itsi_sev_critical]
definition = 6
iseval = 0
[itsi_sev_high]
definition = 5
iseval = 0
[itsi_sev_low]
definition = 3
iseval = 0
[itsi_sev_medium]
definition = 4
iseval = 0
[get_contact_for_alert_group]
definition = | lookup itsi_episode_contact_map alert_group OUTPUTNEW episode_contact_method, episode_contact_detail
iseval = 0
[filter_to_episodes_needing_all_clear_notable]
definition = tstats max(_time) as _time where `itsi_event_management_group_index` itsi_policy_id!="itsi_default_policy" earliest=-4h@h latest=now by itsi_group_id, source, severity\
| stats max(eval(if(severity>`itsi_sev_normal`,_time,null()))) as latest_unhealthy max(eval(if(source="*Episode Monitoring - All Services and KPIs Return to Normal*",_time,null()))) as latest_back_to_healthy by itsi_group_id\
| fillnull value=0 latest_back_to_healthy\
| where latest_unhealthy > latest_back_to_healthy\
| table itsi_group_id
iseval = 0
[itsi_sev_info]
definition = 1
iseval = 0
[itsi_sev_unknown]
definition = -1
iseval = 0
[itsi_apply_newly_created_episode_outlier(1)]
args = threshold
definition = apply itsi_episode_creation_frequency_trained_density_model threshold=$threshold$ as itsi_group_creation_cnt_outlier
iseval = 0
###
### The following macros were newly added in v 2.0
###
[add_itsi_service_monitoring_drilldowns]
definition = eval itsiDrilldownWeb="View Health", itsiDrilldownURI=case(tmp_ne_type=="SERVICE",printf("/app/itsi/homeview?serviceId=%s",serviceid),tmp_ne_type=="KPI_ENTITY" AND NOT match(entity_key,"N/A"),printf("/app/itsi/entity_detail?entity_key=%s",replace(entity_key,"=","%3D")),tmp_ne_type=="KPI_AGGREGATE",printf("/app/itsi/homeview?serviceId=%s&kpiId=%s",serviceid,kpiid),true(),printf("/app/itsi/homeview?serviceId=%s&kpiId=%s",serviceid,kpiid))\
\
|eval itsiDrilldownSearch=""
iseval = 0
[add_itsi_service_monitoring_ne_identifier_string]
definition = eval groupingid=coalesce(groupingid,case(tmp_ne_type="SERVICE","SVC:".service_name,tmp_ne_type="KPI_AGGREGATE","KPI:".service_name.":".kpi,tmp_ne_type="KPI_ENTITY","ENT:".service_name.":".kpi))
iseval = 0
[add_universal_alert_fields_to_notable(1)]
args = name
definition = eval spl_comment="Ensure that specifically reserved itsi fields are not present on these events"\
| `remove_itsi_notable_event_reserved_fields`\
\
| eval spl_comment="Convert key ITSI fields from the itsi_summary format to the itsi_tracked_alerts_format. This is hold-over logic from the original SHS correlation search that shipped with ITSI"\
| `itsi_summary_to_itsi_tracked_alerts_field_mapping`\
\
| eval spl_comment="Previously these two lookups were executed automatically based on automatic lookup props configs, but they have now been moved direcctly into the SPL here"\
| lookup itsi_kpi_attributes kpiid AS kpiid OUTPUTNEW\
| lookup itsi_episode_contact_map alert_group AS alert_group OUTPUTNEW episode_contact_detail AS episode_contact_detail episode_contact_method AS episode_contact_method\
\
| eval spl_comment="Because itsi_kpi_attributes lookup is now run inline above, we must execute itsiInclude filtering just afterwards"\
| search `filter_itsi_include_is_false`\
\
| eval spl_comment="Determine the type of notable for subsequent logic"\
| eval tmp_ne_type=case(match(kpiid, "SHKPI"), "SERVICE", is_service_aggregate=1, "KPI_AGGREGATE", 1=1, "KPI_ENTITY") \
\
| eval spl_comment="Add some additional helper fields to the notable that can be used to assist with titles and descriptions"\
| `add_itsi_summary_token_fields_for_notables`\
\
| eval spl_comment="Populate the required fields for universal alerting notable events"\
| eval severity_id=alert_level,vendor_severity=alert_severity_upper, src=case(tmp_ne_type="SERVICE",service_name,tmp_ne_type="KPI_AGGREGATE",service_name,tmp_ne_type="KPI_ENTITY",entity_title),\
signature=case(tmp_ne_type="SERVICE",service_name." - Service Health",tmp_ne_type="KPI_AGGREGATE",service_name." - ".kpi,tmp_ne_type="KPI_ENTITY",service_name." - ".kpi) \
\
| eval spl_comment="Populate the recommended fields for universal alerting notable events"\
| eval app="ITSI - Service Monitoring"\
| eval subcomponent=case(tmp_ne_type="SERVICE","Service Health",tmp_ne_type="KPI_AGGREGATE","Aggregate KPI",tmp_ne_type="KPI_ENTITY","Per-Entity KPI")\
\
| eval spl_comment="Populate the field used for the notable event identifier string which displays in the episode review timeline. Modify the macro to customize the timeline view"\
| `add_itsi_service_monitoring_ne_identifier_string`\
\
| eval spl_comment="Populate the notable drilldown fields via the following macro. Modify the macro to customize drilldowns"\
| `add_itsi_service_monitoring_drilldowns`\
\
| eval spl_comment="Customize the following macro implementation to perform any field additions or modifications before calling episode alert actions"\
| `preprocess_notable_event_fields_for_external_action`
iseval = 0
[filter_to_episodes_with_no_episode_monitoring_alerts(1)]
args = name
definition = append [\
| tstats max(severity) as alert_trigger_severity where earliest=-24h@h latest=now \
`itsi_event_management_group_index` (source="*Episode Monitoring*") (NOT source="*Episode Monitoring - Set Episode to Highest Alarm Severity*\
") by itsi_group_id source\
| eval tmp_datasource=1,alert_trigger_reason=coalesce(alert_trigger_reason, source)\
| table itsi_group_id alert_trigger_reason alert_trigger_severity tmp_datasource]\
\
| eventstats values(alert_trigger_reason) as episode_monitoring_alerts by itsi_group_id\
\
| eval spl_comment="When multiple Episode Monitoring searches have been enabled, the logic below will create one episode monitoring alert for each enabled episode monitoring correlation search. To create only one episode monitoring alert for the entire episode, change '$name$' to '*'"\
| search (NOT tmp_datasource=1) (NOT episode_monitoring_alerts = "$name$")
iseval = 0
[get_itsi_universal_index]
definition = index=* (index!=itsi_tracked_alerts* AND index!=itsi_grouped_alerts* AND sourcetype!=itsi_notable:*)
iseval = 0
[remove_itsi_notable_event_reserved_fields]
definition = fields - alert_type all_service_kpi_ids critical_count description drilldown* entity_lookup_field event_field_max_length event_id event_identifier* is_active is_use_event_time mod_time orig_* owner rid scoretype search_type severity sid status title
iseval = 0
[preprocess_notable_event_fields_for_external_action]
definition = eval spl_comment="Customize this macro implementation to perform any notable event field additions or modifications before calling episode alert actions"
iseval = 0
### Version 2.1 modifications
[itsi_get_severity_description(1)]
args = severity
definition = case($severity$=1, "1 - info", $severity$=2, "2 - normal", $severity$=3, "3 - low", $severity$=4, "4 - medium", $severity$=5, "5 - high", $severity$=6, "6 - critical")
iseval = 0
[itsi_get_default_analysis_fields]
definition = mvappend("src", "signature", "source", "service_name", "kpi", "entity_title", "alert_group")
iseval = 0
[filter_itsi_include_is_false]
definition = (NOT (itsiInclude IN ("f*", 0, "no")))
iseval = 0
[service_monitoring_itsi_include_default]
definition = "true"
iseval = 0
[use_kpi_attributes_for_defaults]
definition = false()
iseval = 0
### Version 2.2 modifications
[apply_entity_lookup_by_title(1)]
args = entity_lookup_field
definition = eval sec_grp="default_itsi_security_group" \
| lookup itsi_entities title as $entity_lookup_field$ OUTPUT _key as entity_key, title as entity_title, services._key as serviceid, sec_grp as sec_grp, retired as retired \
| where NOT retired=1\
| eval maintenance_object_type="entity"\
| lookup operative_maintenance_log maintenance_object_type, maintenance_object_key as entity_key OUTPUT _key as maintenance_log_key \
| eval in_maintenance=if(isnull(maintenance_log_key),0,1)\
| eval \
is_entity_defined=if(isnull(entity_key),"0","1"), \
entity_key=if(isnull(entity_key),"N/A",entity_key), \
entity_title=coalesce(entity_title,entity_name), \
is_service_aggregate="0", \
is_entity_in_maintenance=in_maintenance\
| fields - maintenance_object_key, maintenance_object_type, maintenance_log_key, in_maintenance, sec_grp\
| `filter_maintenance_entities`
iseval = 0
## Version 2.3 modifications
[enrich_entity_notables_with_entity_alias_and_info(1)]
args = entity_key
definition = eval spl_comment="This macro is shipped commented out for performance reasons. If if automatic entity enrichment is desired, uncomment the macro and update the entity_enrichment_fields_list macro to include the fields you want to automatically enrich"\
| noop ```lookup itsi_entities _key as $entity_key$ OUTPUT _itsi_informational_lookups _itsi_identifier_lookups\
| eval _itsi_entity_enrichment_fields=mv_to_json_array(mvappend(mvmap(_itsi_informational_lookups, "entity.info."._itsi_informational_lookups), mvmap(_itsi_identifier_lookups, "entity.alias."._itsi_identifier_lookups)))\
| rex mode=sed field=_itsi_entity_enrichment_fields "s/=/\":\"/g s/\[/{/g s/\]/}/g"\
| spath input=_itsi_entity_enrichment_fields\
| foreach "entity.alias.*" "entity.info.*" [| eval keep.<<FIELD>> = if(in("<<MATCHSTR>>", `entity_enrichment_fields_list`), '<<FIELD>>', null())]\
| fields - entity.info.* entity.alias.*\
| rename keep.entity.* as entity.*\
\
| eval spl_comment="After enrichment is done, pull certain CPMA fields automatically from the entity enrichment logic"\
| eval alert_group=coalesce(alert_group, 'entity.info.alert_group')```
iseval = 0
[entity_enrichment_fields_list]
definition = "alert_group", ""
iseval=0
Reference in new issue View Git Blame Copy Permalink