[itsi_example_kpi_collection]
title=Templates
description=Example KPIs
_owner=nobody
kpis = [{"eventstatop": "sum", "search_time_series_aggregate": "index=main error | timechart count(host) AS aggregate", "search_alert_earliest": "5", "search_occurrences": 1.0, "alert_eval": "| eval aggregate_target=case('aggregate'>=88, \"critical~~~#B50101~~~6\", 'aggregate'>=75, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level", "gap_severity_value": "-1", "threshold_eval": "| eval threshold_target=case('host'>=0, \"info~~~#AED3E5~~~1\", isnum('host'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=threshold_target \"(?<threshold_severity>.*)~~~(?<threshold_color>.*)~~~(?<threshold_level>.*)\"", "search_alert": " index=main error  | stats count(host) AS host count AS has_data  | eval aggregate = 'host' | eval aggregate_target=case('aggregate'>=88, \"critical~~~#B50101~~~6\", 'aggregate'>=75, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level | stats list(alert_value) AS alert_values first(alert_value) AS alert_value list(alert_entity) AS alert_entities first(alert_entity) AS alert_entity values(alert_color) AS alert_color values(alert_level) AS alert_level count by alert_severity | sort - alert_level | search count>=1 | head 1 | eval service=\"TemplateService\" | eval serviceid=\"552eb12ee13823052f16ec41\" | eval urgency=tonumber(\"5\") | eval kpi=\"Count Based Ad Hoc KPI\" | eval kpiid=\"0b47fc3d886a8309fb738850\" | eval alert_period=\"5\" | addinfo | eval _time=info_max_time | fields - info* | fields _time *", "_owner": "nobody", "search_entities": "", "unit": "ct", "search_aggregate": " index=main error  | stats count(host) AS host   | rename host AS aggregate", "search_alert_entities": "", "target": "", "type": "kpis_primary", "aggregate_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 96.8, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "aggregate", "baseSeverityColor": "#AED3E5", "gaugeMax": 96.8, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 2.0, "severityLabel": "normal", "severityColorLight": "#DCEFD7", "severityColor": "#99D18B", "thresholdValue": 50.0}, {"severityValue": 4.0, "severityLabel": "medium", "severityColorLight": "#FEE6C1", "severityColor": "#FCB64E", "thresholdValue": 75.0}, {"severityValue": 6.0, "severityLabel": "critical", "severityColorLight": "#E5A6A6", "severityColor": "#B50101", "thresholdValue": 88.0}], "baseSeverityLabel": "info", "kpi_template_kpi_id": "itsi_count_based_adhoc_kpi","search": "index=main error | timechart count(host) AS aggregate span=5m "}, "base_search": "index=main error", "aggregate_statop": "count", "dataModelSpecification": "", "entity_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 0.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "host", "baseSeverityColor": "#AED3E5", "gaugeMax": 0.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 1.0, "severityLabel": "info", "severityColorLight": "#E3F0F6", "severityColor": "#AED3E5", "thresholdValue": "0"}], "baseSeverityLabel": "info", "search": ""}, "target_field": "host", "entity_id_fields": "", "entity_breakdown_id_fields": "", "gap_severity_color": "#CCCCCC", "field": "", "threshold_field": "host", "description": "Count of all mentions of error in the main index.  index=main *error* |stats count", "search_type": "adhoc", "urgency": "5", "alert_period": "5", "source": "", "kpi_base_search": " index=main error ", "aggregate_eval": "| eval aggregate_target=case('aggregate'>=88, \"critical~~~#B50101~~~6\", 'aggregate'>=75, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\"", "gap_severity_color_light": "#EEEEEE", "entity_alias_fields": null, "gap_severity": "unknown", "search_buckets": "", "datamodel_object": "", "entity_alias_filtering_fields": null, "alert_on": "aggregate", "cron_schedule": "3-59/5 * * * *", "search_time_compare": " index=main error [ | stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time)) + \" latest=\" + tostring(info_max_time) | fields search ]   | addinfo | eval bucket=if(_time<info_max_time-((info_max_time-info_min_time)/2), \"last_window\", \"current_window\") | stats count(host) AS host  BY bucket | reverse | delta host AS window_delta | search bucket=current_window | eval window_direction=if(window_delta >0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))  | rename host AS aggregate", "search_time_series_entities": "", "kpi_template_kpi_id": "itsi_percentage_based_adhoc_kpi", "search": " index=main error  | stats count(host) AS host   | eval aggregate = 'host'", "title": "Count Based Ad Hoc KPI", "search_time_series": "index=main error | timechart count(host) AS aggregate"}, {"eventstatop": "avg", "search_time_series_aggregate": "index=* sourcetype=someperformance | timechart avg(avg_cpu_load) AS aggregate", "search_alert_earliest": "5", "search_occurrences": 1.0, "alert_eval": "| eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level", "gap_severity_value": "-1", "threshold_eval": "| eval threshold_target=case('avg_cpu_load'>=0, \"info~~~#AED3E5~~~1\", isnum('avg_cpu_load'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=threshold_target \"(?<threshold_severity>.*)~~~(?<threshold_color>.*)~~~(?<threshold_level>.*)\"", "search_alert": " index=* sourcetype=someperformance  | stats avg(avg_cpu_load) AS avg_cpu_load count AS has_data  | eval aggregate = 'avg_cpu_load' | eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level | stats list(alert_value) AS alert_values first(alert_value) AS alert_value list(alert_entity) AS alert_entities first(alert_entity) AS alert_entity values(alert_color) AS alert_color values(alert_level) AS alert_level count by alert_severity | sort - alert_level | search count>=1 | head 1 | eval service=\"TemplateService\" | eval serviceid=\"552eb12ee13823052f16ec41\" | eval urgency=tonumber(\"5\") | eval kpi=\"Percentage Based Ad Hoc KPI\" | eval kpiid=\"8a0029c10619c8264ecbe08b\" | eval alert_period=\"5\" | addinfo | eval _time=info_max_time | fields - info* | fields _time *", "_owner": "nobody", "search_entities": "", "unit": "%", "search_aggregate": " index=* sourcetype=someperformance  | stats avg(avg_cpu_load) AS avg_cpu_load   | rename avg_cpu_load AS aggregate", "search_alert_entities": "", "target": "", "type": "kpis_primary", "aggregate_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 100.0, "isMaxStatic": true, "baseSeverityColorLight": "#E3F0F6", "metricField": "aggregate", "baseSeverityColor": "#AED3E5", "gaugeMax": 100.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 2.0, "severityLabel": "normal", "severityColorLight": "#DCEFD7", "severityColor": "#99D18B", "thresholdValue": 50.0}, {"severityValue": 4.0, "severityLabel": "medium", "severityColorLight": "#FEE6C1", "severityColor": "#FCB64E", "thresholdValue": 90.0}, {"severityValue": 6.0, "severityLabel": "critical", "severityColorLight": "#E5A6A6", "severityColor": "#B50101", "thresholdValue": 100.0}], "baseSeverityLabel": "info", "search": "index=* sourcetype=someperformance | timechart avg(avg_cpu_load) AS aggregate span=5m "}, "base_search": "index=* sourcetype=someperformance", "aggregate_statop": "avg", "dataModelSpecification": "", "entity_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 0.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "avg_cpu_load", "baseSeverityColor": "#AED3E5", "gaugeMax": 0.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 1.0, "severityLabel": "info", "severityColorLight": "#E3F0F6", "severityColor": "#AED3E5", "thresholdValue": "0"}], "baseSeverityLabel": "info", "search": ""}, "target_field": "avg_cpu_load", "entity_id_fields": "", "entity_breakdown_id_fields": "", "gap_severity_color": "#CCCCCC", "field": "", "threshold_field": "avg_cpu_load", "description": "Get the average CPU load across all indexes for a given sourcetype.  index=* sourcetype=someperformance | stats avg(avg_cpu_load)", "search_type": "adhoc", "urgency": "5", "alert_period": "5", "source": "", "kpi_base_search": " index=* sourcetype=someperformance ", "aggregate_eval": "| eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\"", "gap_severity_color_light": "#EEEEEE", "entity_alias_fields": null, "gap_severity": "unknown", "search_buckets": "", "datamodel_object": "", "entity_alias_filtering_fields": null, "alert_on": "aggregate", "cron_schedule": "0-59/5 * * * *", "search_time_compare": " index=* sourcetype=someperformance [ | stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time)) + \" latest=\" + tostring(info_max_time) | fields search ]   | addinfo | eval bucket=if(_time<info_max_time-((info_max_time-info_min_time)/2), \"last_window\", \"current_window\") | stats avg(avg_cpu_load) AS avg_cpu_load  BY bucket | reverse | delta avg_cpu_load AS window_delta | search bucket=current_window | eval window_direction=if(window_delta >0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))  | rename avg_cpu_load AS aggregate", "search_time_series_entities": "", "search": " index=* sourcetype=someperformance  | stats avg(avg_cpu_load) AS avg_cpu_load   | eval aggregate = 'avg_cpu_load'", "title": "Percentage Based Ad Hoc KPI", "search_time_series": "index=* sourcetype=someperformance | timechart avg(avg_cpu_load) AS aggregate"}, {"eventstatop": "avg", "kpi_template_kpi_id": "itsi_percentage_datamodel_kpi", "search_time_series_aggregate": " | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"  BY _time | eval entity_title=\"aggregate\" | bucket _time | xyseries _time, entity_title, cpu_load_percent", "search_alert_earliest": "1", "search_occurrences": 1.0, "alert_eval": "| eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level", "gap_severity_value": "-1", "threshold_eval": "| eval threshold_target=case('cpu_load_percent'>=0, \"info~~~#AED3E5~~~1\", isnum('cpu_load_percent'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=threshold_target \"(?<threshold_severity>.*)~~~(?<threshold_color>.*)~~~(?<threshold_level>.*)\"", "search_alert": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent count AS has_data FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"    | eval aggregate = 'cpu_load_percent' | eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level | stats list(alert_value) AS alert_values first(alert_value) AS alert_value list(alert_entity) AS alert_entities first(alert_entity) AS alert_entity values(alert_color) AS alert_color values(alert_level) AS alert_level count by alert_severity | sort - alert_level | search count>=1 | head 1 | eval service=\"TemplateService\" | eval serviceid=\"552eb12ee13823052f16ec41\" | eval urgency=tonumber(\"5\") | eval kpi=\"Percentage Data Model KPI\" | eval kpiid=\"b783e074bcf8bb4b6ab9efaa\" | eval alert_period=\"5\" | addinfo | eval _time=info_max_time | fields - info* | fields _time *", "_owner": "nobody", "search_entities": "", "unit": "%", "search_aggregate": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"    | rename cpu_load_percent AS aggregate", "search_alert_entities": "", "datamodel": {"datamodel": "Performance","object": "CPU","field":"cpu_load_percent","owner_field":"All_Performance.CPU.cpu_load_percent"}, "target": "", "type": "kpis_primary", "aggregate_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 100.0, "isMaxStatic": true, "baseSeverityColorLight": "#E3F0F6", "metricField": "cpu_load_percent", "baseSeverityColor": "#AED3E5", "gaugeMax": 100.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 2.0, "severityLabel": "normal", "severityColorLight": "#DCEFD7", "severityColor": "#99D18B", "thresholdValue": 50.0}, {"severityValue": 4.0, "severityLabel": "medium", "severityColorLight": "#FEE6C1", "severityColor": "#FCB64E", "thresholdValue": 90.0}, {"severityValue": 6.0, "severityLabel": "critical", "severityColorLight": "#E5A6A6", "severityColor": "#B50101", "thresholdValue": 100.0}], "baseSeverityLabel": "info", "search": " | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"  BY _time span=1m  | eval entity_title=\"aggregate\" | bucket _time span=1m  | xyseries _time, entity_title, cpu_load_percent"}, "base_search": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"   ", "aggregate_statop": "avg", "entity_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 0.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "cpu_load_percent", "baseSeverityColor": "#AED3E5", "gaugeMax": 0.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 1.0, "severityLabel": "info", "severityColorLight": "#E3F0F6", "severityColor": "#AED3E5", "thresholdValue": "0"}], "baseSeverityLabel": "info", "search": ""}, "target_field": "All_Performance.CPU.cpu_load_percent", "entity_id_fields": "", "entity_breakdown_id_fields": "", "gap_severity_color": "#CCCCCC", "field": "cpu_load_percent", "threshold_field": "cpu_load_percent", "datamodel_filter_clauses": " sourcetype=\"someperformance\"", "description": "Calculate the average CPU load in percentage using a data model.  Filter the results to a specific sourcetype.  \n\nindex=* sourcetype=someperformance | stats avg(cpu_load_percent)", "search_type": "datamodel", "urgency": "5", "alert_period": "5", "source": "", "kpi_base_search": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"   ", "aggregate_eval": "| eval aggregate_target=case('aggregate'>=100, \"critical~~~#B50101~~~6\", 'aggregate'>=90, \"medium~~~#FCB64E~~~4\", 'aggregate'>=50, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\"", "gap_severity_color_light": "#EEEEEE", "entity_alias_fields": null, "gap_severity": "unknown", "search_time_series": " | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"  BY _time | eval entity_title=\"aggregate\" | bucket _time | xyseries _time, entity_title, cpu_load_percent", "datamodel_object": "All_Performance.CPU", "entity_alias_filtering_fields": null, "alert_on": "aggregate", "cron_schedule": "4-59/5 * * * *", "search_time_compare": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"  [ | stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time)) + \" latest=\" + tostring(info_max_time) | fields search ]  BY _time  | addinfo | eval bucket=if(_time<info_min_time,\"last_window\", \"current_window\") | stats avg(cpu_load_percent) AS cpu_load_percent  BY bucket | reverse | delta cpu_load_percent AS window_delta | search bucket=current_window | eval window_direction=if(window_delta >0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))  | rename cpu_load_percent AS aggregate", "datamodel_filter": [{"_value": "someperformance", "_field": "sourcetype", "_operator": "="}], "search_time_series_entities": "", "search": "  | tstats avg(All_Performance.CPU.cpu_load_percent) AS cpu_load_percent  FROM datamodel=Performance  WHERE  sourcetype=\"someperformance\"    | eval aggregate = 'cpu_load_percent'", "title": "Percentage Data Model KPI", "search_buckets": ""}, {"eventstatop": "avg", "search_time_series_aggregate": "sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus | timechart avg(eventstatus) AS aggregate", "search_alert_earliest": "5", "search_occurrences": 1.0, "alert_eval": "| eval aggregate_target=case('aggregate'>=3, \"critical~~~#B50101~~~6\", 'aggregate'>=2, \"medium~~~#FCB64E~~~4\", 'aggregate'>=1, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level", "gap_severity_value": "-1", "threshold_eval": "| eval threshold_target=case('eventstatus'>=0, \"info~~~#AED3E5~~~1\", isnum('eventstatus'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=threshold_target \"(?<threshold_severity>.*)~~~(?<threshold_color>.*)~~~(?<threshold_level>.*)\"", "kpi_template_kpi_id": "itsi_discrete_value_based_kpi", "search_alert": " sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus  | stats avg(eventstatus) AS eventstatus count AS has_data  | eval aggregate = 'eventstatus' | eval aggregate_target=case('aggregate'>=3, \"critical~~~#B50101~~~6\", 'aggregate'>=2, \"medium~~~#FCB64E~~~4\", 'aggregate'>=1, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level | stats list(alert_value) AS alert_values first(alert_value) AS alert_value list(alert_entity) AS alert_entities first(alert_entity) AS alert_entity values(alert_color) AS alert_color values(alert_level) AS alert_level count by alert_severity | sort - alert_level | search count>=1 | head 1 | eval service=\"TemplateService\" | eval serviceid=\"552eb12ee13823052f16ec41\" | eval urgency=tonumber(\"5\") | eval kpi=\"Discrete Value Based KPI\" | eval kpiid=\"ca9dae1a4cc7337c059911f6\" | eval alert_period=\"5\" | addinfo | eval _time=info_max_time | fields - info* | fields _time *", "_owner": "nobody", "search_entities": "", "unit": "", "search_aggregate": " sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus  | stats avg(eventstatus) AS eventstatus   | rename eventstatus AS aggregate", "search_alert_entities": "", "target": "", "type": "kpis_primary", "aggregate_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 3.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "aggregate", "baseSeverityColor": "#AED3E5", "gaugeMax": 3.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 2.0, "severityLabel": "normal", "severityColorLight": "#DCEFD7", "severityColor": "#99D18B", "thresholdValue": 1.0}, {"severityValue": 4.0, "severityLabel": "medium", "severityColorLight": "#FEE6C1", "severityColor": "#FCB64E", "thresholdValue": 2.0}, {"severityValue": 6.0, "severityLabel": "critical", "severityColorLight": "#E5A6A6", "severityColor": "#B50101", "thresholdValue": 3.0}], "baseSeverityLabel": "info", "search": ""}, "base_search": "sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus", "aggregate_statop": "avg", "dataModelSpecification": "", "entity_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 0.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "eventstatus", "baseSeverityColor": "#AED3E5", "gaugeMax": 0.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 1.0, "severityLabel": "info", "severityColorLight": "#E3F0F6", "severityColor": "#AED3E5", "thresholdValue": 0.0}], "baseSeverityLabel": "info", "search": ""}, "target_field": "eventstatus", "entity_id_fields": "", "entity_breakdown_id_fields": "", "gap_severity_color": "#CCCCCC", "field": "", "threshold_field": "eventstatus", "description": "Find specific error conditions in a specific sourcetype.", "search_type": "adhoc", "urgency": "5", "alert_period": "5", "source": "", "kpi_base_search": " sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus ", "aggregate_eval": "| eval aggregate_target=case('aggregate'>=3, \"critical~~~#B50101~~~6\", 'aggregate'>=2, \"medium~~~#FCB64E~~~4\", 'aggregate'>=1, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\"", "gap_severity_color_light": "#EEEEEE", "entity_alias_fields": null, "gap_severity": "unknown", "search_buckets": "", "datamodel_object": "", "entity_alias_filtering_fields": null, "alert_on": "aggregate", "cron_schedule": "0-59/5 * * * *", "search_time_compare": " sourcetype=systemlog [ | stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time)) + \" latest=\" + tostring(info_max_time) | fields search ] |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus  | addinfo | eval bucket=if(_time<info_max_time-((info_max_time-info_min_time)/2), \"last_window\", \"current_window\") | stats avg(eventstatus) AS eventstatus  BY bucket | reverse | delta eventstatus AS window_delta | search bucket=current_window | eval window_direction=if(window_delta >0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))  | rename eventstatus AS aggregate", "search_time_series_entities": "", "search": " sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus  | stats avg(eventstatus) AS eventstatus   | eval aggregate = 'eventstatus'", "title": "Discrete Value Based KPI", "search_time_series": "sourcetype=systemlog |eval eventstatus = if (error_type=\"info\", 1, if (error_type=\"warn\", 2, if(error_type=\"error\", 3, 0))) | fields eventstatus | timechart avg(eventstatus) AS aggregate"}, {"eventstatop": "avg", "search_time_series_aggregate": " | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"  BY _time | eval entity_title=\"aggregate\" | bucket _time | xyseries _time, entity_title, response_time", "search_alert_earliest": "1", "search_occurrences": 1.0, "alert_eval": "| eval aggregate_target=case('aggregate'>=1500, \"critical~~~#B50101~~~6\", 'aggregate'>=800, \"medium~~~#FCB64E~~~4\", 'aggregate'>=300, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level", "gap_severity_value": "-1", "threshold_eval": "| eval threshold_target=case('response_time'>=0, \"info~~~#AED3E5~~~1\", isnum('response_time'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=threshold_target \"(?<threshold_severity>.*)~~~(?<threshold_color>.*)~~~(?<threshold_level>.*)\"", "search_alert": "  | tstats avg(Web.response_time) AS response_time count AS has_data FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"    | eval aggregate = 'response_time' | eval aggregate_target=case('aggregate'>=1500, \"critical~~~#B50101~~~6\", 'aggregate'>=800, \"medium~~~#FCB64E~~~4\", 'aggregate'>=300, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\" | eval alert_entity=\"aggregate\" | eval alert_value=aggregate | eval alert_target=aggregate_target | eval alert_severity=aggregate_severity | eval alert_color=aggregate_color | eval alert_level=aggregate_level | stats list(alert_value) AS alert_values first(alert_value) AS alert_value list(alert_entity) AS alert_entities first(alert_entity) AS alert_entity values(alert_color) AS alert_color values(alert_level) AS alert_level count by alert_severity | sort - alert_level | search count>=1 | head 1 | eval service=\"TemplateService\" | eval serviceid=\"552eb12ee13823052f16ec41\" | eval urgency=tonumber(\"5\") | eval kpi=\"HTTP Response Time KPI\" | eval kpiid=\"d9cbb259cda9370e9ba12e41\" | eval alert_period=\"1\" | addinfo | eval _time=info_max_time | fields - info* | fields _time *", "_owner": "nobody", "search_entities": "", "unit": "ms", "search_aggregate": "  | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"    | rename response_time AS aggregate", "search_alert_entities": "", "datamodel": {"datamodel": "Web","object": "Proxy","field":"response_time","owner_field":"Web.response_time"}, "target": "", "type": "kpis_primary", "aggregate_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 1650.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "response_time", "baseSeverityColor": "#AED3E5", "gaugeMax": 1650.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 2.0, "severityLabel": "normal", "severityColorLight": "#DCEFD7", "severityColor": "#99D18B", "thresholdValue": 300.0}, {"severityValue": 4.0, "severityLabel": "medium", "severityColorLight": "#FEE6C1", "severityColor": "#FCB64E", "thresholdValue": 800.0}, {"severityValue": 6.0, "severityLabel": "critical", "severityColorLight": "#E5A6A6", "severityColor": "#B50101", "thresholdValue": 1500.0}], "baseSeverityLabel": "info", "search": ""}, "base_search": "  | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"   ", "aggregate_statop": "avg", "entity_thresholds": {"gaugeMin": 0.0, "renderBoundaryMax": 0.0, "isMaxStatic": false, "baseSeverityColorLight": "#E3F0F6", "metricField": "response_time", "baseSeverityColor": "#AED3E5", "gaugeMax": 0.0, "isMinStatic": true, "baseSeverityValue": 1.0, "renderBoundaryMin": 0.0, "thresholdLevels": [{"severityValue": 1.0, "severityLabel": "info", "severityColorLight": "#E3F0F6", "severityColor": "#AED3E5", "thresholdValue": 0.0}], "baseSeverityLabel": "info", "search": ""}, "target_field": "Web.response_time", "entity_id_fields": "", "entity_breakdown_id_fields": "", "gap_severity_color": "#CCCCCC", "field": "response_time", "threshold_field": "response_time", "datamodel_filter_clauses": " sourcetype=\"access_log\" host=\"*buttercupgames.com*\"", "description": "The average response time for a specific host and source type.", "search_type": "datamodel", "urgency": "5", "alert_period": "1", "source": "", "kpi_base_search": "  | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"   ", "aggregate_eval": "| eval aggregate_target=case('aggregate'>=1500, \"critical~~~#B50101~~~6\", 'aggregate'>=800, \"medium~~~#FCB64E~~~4\", 'aggregate'>=300, \"normal~~~#99D18B~~~2\", isnum('aggregate'), \"info~~~#AED3E5>~~~1\", 1==1, \"unknown~~~#CCCCCC~~~-1\") | rex field=aggregate_target \"(?<aggregate_severity>.*)~~~(?<aggregate_color>.*)~~~(?<aggregate_level>.*)\"", "gap_severity_color_light": "#EEEEEE", "entity_alias_fields": null, "gap_severity": "unknown", "search_time_series": " | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"  BY _time | eval entity_title=\"aggregate\" | bucket _time | xyseries _time, entity_title, response_time", "datamodel_object": "Web", "entity_alias_filtering_fields": null, "alert_on": "aggregate", "cron_schedule": "0-59/1 * * * *", "search_time_compare": "  | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"  [ | stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time)) + \" latest=\" + tostring(info_max_time) | fields search ]  BY _time  | addinfo | eval bucket=if(_time<info_min_time,\"last_window\", \"current_window\") | stats avg(response_time) AS response_time  BY bucket | reverse | delta response_time AS window_delta | search bucket=current_window | eval window_direction=if(window_delta >0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))  | rename response_time AS aggregate", "datamodel_filter": [{"_value": "access_log", "_field": "sourcetype", "_operator": "="}, {"_value": "*buttercupgames.com*", "_field": "host", "_operator": "="}], "search_time_series_entities": "", "search": "  | tstats avg(Web.response_time) AS response_time  FROM datamodel=Web  WHERE  sourcetype=\"access_log\" host=\"*buttercupgames.com*\"    | eval aggregate = 'response_time'", "kpi_template_kpi_id": "itsi_http_response_time_kpi", "title": "HTTP Response Time KPI", "search_buckets": ""}]
source_itsi_da=itsi