Deployement_Server_old/apps/splunk_monitoring_console/default/props.conf

[audittrail]
EXTRACT-search_id = search_id=\'(?<search_id>[^\']*?)\'
EXTRACT-apiStartTime = apiStartTime=\'(?<apiStartTime>[^\']*?)\'
EXTRACT-apiEndTime = apiEndTime=\'(?<apiEndTime>[^\']*?)\'
EXTRACT-search_string = search=\'(?<search>.*?)\',\sautojoin
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[http_event_collector_metrics]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[splunk_resource_usage]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group
EVAL-data.search_props.label = if(isnull('data.search_props.label') AND isnotnull('data.search_props.sid'), "N/A", 'data.search_props.label')
EVAL-data.search_props.provenance = if(isnull('data.search_props.provenance') AND isnotnull('data.search_props.sid'), "unknown", 'data.search_props.provenance')

[kvstore]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[wlm_monitor]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[splunk_disk_objects]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[splunkd]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group
# splunk is not able to auto extract field names with parenthesis, have to explicitly extract them here
# note field name cannot be more than 32 characters
EXTRACT-compute_search_quota_max_ms  = Compute_Search_Quota_Max_Time\(ms\)=(?<compute_search_quota_max_ms>\d+(\.\d+)?)
EXTRACT-compute_search_quota_mean_ms = Compute_Search_Quota_Mean_Time\(ms\)=(?<compute_search_quota_mean_ms>\d+(\.\d+)?)
EXTRACT-dispatch_dir_reaper_max_ms  = Dispatch_Directory_Reaper_Max_Time\(ms\)=(?<dispatch_dir_reaper_max_ms>\d+(\.\d+)?)
EXTRACT-dispatch_dir_reaper_mean_ms = Dispatch_Directory_Reaper_Mean_Time\(ms\)=(?<dispatch_dir_reaper_mean_ms>\d+(\.\d+)?)
EXTRACT-get_bundleList_max_ms  = Get_BundleList_Max_Time\(ms\)=(?<get_bundleList_max_ms>\d+(\.\d+)?)
EXTRACT-get_bundleList_mean_ms = Get_BundleList_Mean_Time\(ms\)=(?<get_bundleList_mean_ms>\d+(\.\d+)?)
EXTRACT-get_auth_max_ms  = Get_Authentication_Max_Time\(ms\)=(?<get_auth_max_ms>\d+(\.\d+)?)
EXTRACT-get_auth_mean_ms = Get_Authentication_Mean_Time\(ms\)=(?<get_auth_mean_ms>\d+(\.\d+)?)
EXTRACT-get_serverInfo_max_ms  = Get_ServerInfo_Max_Time\(ms\)=(?<get_serverInfo_max_ms>\d+(\.\d+)?)
EXTRACT-get_serverInfo_mean_ms = Get_ServerInfo_Mean_Time\(ms\)=(?<get_serverInfo_mean_ms>\d+(\.\d+)?)
EXTRACT-bundle_dir_reaper_max_ms  = Bundle_Directory_Reaper_Max_Time\(ms\)=(?<bundle_dir_reaper_max_ms>\d+(\.\d+)?)
EXTRACT-bundle_dir_reaper_mean_ms = Bundle_Directory_Reaper_Mean_Time\(ms\)=(?<bundle_dir_reaper_mean_ms>\d+(\.\d+)?)
# fix typo
EXTRACT-enqueue_searches_count = enqueue_seaches_count=(?<enqueue_searches_count>\d+)

[splunkd_access]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[splunkd_remote_searches]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[scheduler]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group
EVAL-status = case(status=="success", "completed", status=="skipped", "skipped", status=="continued", "deferred")

[mongod]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group

[splunkd_conf]
LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group
EVAL-object_type = mvindex('data.asset_uri{}', 2)
EVAL-owner = mvindex('data.asset_uri{}', 0)
EVAL-app = mvindex('data.asset_uri{}', 1)
EVAL-object_name = mvindex('data.asset_uri{}', 3)
EVAL-optype_desc = 'data.optype_desc'
EVAL-from_repo = 'data.from_repo'
EVAL-to_repo = 'data.to_repo'
EVAL-status = 'data.status'