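# savedsearches.conf -- IT Service Intelligence (ITSI) entity-discovery searches
# and ITSI housekeeping/telemetry searches.
#
# Review notes (apply to the file as a whole):
#  * Every search here runs with the permissions of the user that owns or
#    dispatches it. The `| rest ...` searches need REST read access to the
#    endpoints they call; the ones without `splunk_server=local` fan out to
#    every search peer, which is what makes them usable for peer discovery.
#  * `| outputlookup` searches publish whatever they collect to every role that
#    can read the lookup -- keep the lookup's sharing/permissions as tight as
#    the data that feeds it (see the User Realnames search below).
#  * The kvstore-size search previously carried a regex whose named capture
#    groups had been stripped (`(?.*)\.(?.*)`); they are restored here because
#    the following `stats ... by App,Collection` depends on those names.

#Splunk environment saved searches
# The three searches below share one pipeline: server_roles.* flags from
# /services/server/info are folded into a multivalue `role` field, then one
# role is selected. `fillnull` keeps the "0" string comparisons safe when a
# role flag is missing from a peer's response.
[IT Service Intelligence - Get splunk indexer entities]
description = Get a list of splunk indexers, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=indexer
disabled = 0
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get splunk search head entities]
description = Get a list of splunk search heads, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=search_head
disabled = 0
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get splunk search peer entities]
description = Get a list of splunk search peers, which can later be used to populate the IT Service Intelligence splunk service
search = | rest /services/server/info | fillnull | table splunk_server,serverName,server_roles* | eval role=if($server_roles.search_peer$=="0","","search_peer") | eval role=if($server_roles.search_head$=="0",role,"search_head") | eval role=if($server_roles.indexer$=="0",role,role+";indexer") | makemv delim=";" allowempty=t role | table serverName,role | search role=search_peer
disabled = 0
request.ui_dispatch_app = itsi

# Forwarders are discovered from the receiving side: tcpin_connections metrics
# in _internal record the hostname of each forwarder that connected. Only
# forwarders that connected within the search time range are returned.
[IT Service Intelligence - Get splunk forwarder entities]
description = Get a list of splunk forwarders, which can later be used to populate the IT Service Intelligence splunk service
search = index=_internal source=*metrics.log* group=tcpin_connections | stats values(hostname) as hostname, values(sourceHost) as sourcehost by host | mvexpand hostname | table hostname | dedup hostname
disabled = 0
request.ui_dispatch_app = itsi

#Netapp app saved searches
# Entity key is `dest`; for volumes/aggregates/disks it is "<host>:<name>" so
# objects with the same name on different controllers stay distinct.
[IT Service Intelligence - Get Netapp controllers]
description = Retrieves a list of Netapp controllers, for use importing into IT Service Intelligence as entities
search = source=SystemPerfHandler | table host | dedup host | rename host AS dest
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get Netapp Vservers]
description = Retrieves a list of Netapp Vservers from the Netapp App, for use in importing into IT Service Intelligence as entities
search = sourcetype=ontap:system is-clustered=true | dedup host | table host |rename host AS dest
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get Netapp volumes]
description = Retrieves a list of volumes from the Netapp App, for use importing into IT Service Intelligence as entities
search = sourcetype=ontap:volume | eval dest = host + ":" + name | dedup dest | table dest
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get Netapp aggregates]
description = Retrieves a list of aggregates from the Netapp App, for use in importing into IT Service Intelligence as entities.
search = sourcetype=ontap:aggr | eval dest = host + ":" + name | dedup dest | table dest
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get Netapp disks]
description = Retrieves a list of disks from the Netapp App, for use in importing into IT Service Intelligence as entities.
search = sourcetype=ontap:disk | eval dest = host + ":" + name | dedup dest | table dest
request.ui_dispatch_app = itsi

#*NIX searches
# Data-model based discovery (Performance/CPU, tag=unix). A second, sourcetype
# based set of *nix searches exists further down under "#TA-nix".
[IT Service Intelligence - Linux, Unix, Solaris, and OSX hosts]
description = Collect the *nix hosts provided through the TA-nix app for entry into IT Service Intelligence
search = | datamodel Performance CPU search | search All_Performance.tag=unix | dedup All_Performance.dest | table All_Performance.dest | rename All_Performance.dest AS dest
request.ui_dispatch_app = itsi

#VMware saved searches
# The three VMware searches share one inventory-hierarchy pipeline that
# differs only in the leading `type=` filter. The inner
# `search (type!="Datastore" ...)` clause looks like a leftover from a generic
# hierarchy search -- with `type=` already fixed it filters nothing out.
# NOTE(review): the "Datacenters" search selects type=ClusterComputeResource;
# confirm that is the intended vCenter object type for datacenter entities.
# parent/parentType are computed but dropped by the final `table`.
[IT Service Intelligence - Get VMware Datacenters]
description = Get the VMware Datacenters and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=ClusterComputeResource | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get VMware HostSystems]
description = Get the VMware ESX\ESXi host systems and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=HostSystem | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
request.ui_dispatch_app = itsi

[IT Service Intelligence - Get VMware Virtual Machines]
description = Get the VMware Virtual Machines and format them in a way that is appropriate for IT Service Intelligence
search = sourcetype=vmware:inv:hierarchy type=VirtualMachine | spath changeSet.runtime.host.moid output=vmhost | spath moid output=moid | spath type output=type | spath changeSet.name output=name | search (type!="Datastore" type!="VirtualApp" type!="ResourcePool" type!="Folder" type!="ComputeResource") OR (name!="host" type="Folder" name!="vm" name!="datastore" name!="network" name!="Local Storage" name!="Discovered virtual machine") | spath changeSet.parent.moid output=parent | spath changeSet.parent.type output=parentType | spath rootFolder.moid output=rootFolderMoid | eval parent=if(type="VirtualMachine", vmhost, parent) | eval parentType=if(type="VirtualMachine", "HostSystem", if(parent=rootFolderMoid, "RootFolder", parentType)) | stats first(_time) as _time first(name) as name first(type) as type first(parent) as parent first(parentType) as parentType first(rootFolderMoid) as rootFolderMoid by host, moid | table host moid name type rootFolderMoid
request.ui_dispatch_app = itsi

#Windows app saved searches
[IT Service Intelligence - Get Windows hosts]
description = Retrieves a list of hosts generating Windows host data
search = | datamodel Compute_Inventory OS search | search All_Inventory.tag=windows | dedup All_Inventory.dest | rename All_Inventory.dest AS dest | table dest
request.ui_dispatch_app = itsi

#CIM network discovery saved searches
# Both searches merge Network_Traffic with Compute_Inventory via `append`.
# `append` runs a subsearch, so the inventory side is subject to the
# subsearch result/time limits in limits.conf and may be truncated silently
# on large inventories -- check the search job messages if entity counts look
# low. These two stanzas intentionally carry no request.ui_dispatch_app.
[IT Service Intelligence - Get IP addresses]
description = Get a list of all known IP addresses from the CIM Inventory and Network Traffic data models
search = | tstats count FROM datamodel=Network_Traffic by All_Traffic.src_ip, All_Traffic.dest_ip | rename All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip | dedup src_ip dest_ip | eval all_ips = src_ip + ";" + dest_ip | makemv delim=";" all_ips | mvexpand all_ips | table all_ips | append [|tstats count FROM datamodel=Compute_Inventory by Network.ip | rename Network.ip AS all_ips | dedup all_ips | table all_ips] | dedup all_ips

[IT Service Intelligence - Get IP addresses by MAC address]
description = Get a list of all known MAC addresses and their associated IP addresses in a multivalue field
search = | tstats count FROM datamodel=Network_Traffic by All_Traffic.src_ip, All_Traffic.src_mac |rename All_Traffic.src_ip AS ip | rename All_Traffic.src_mac AS mac | table ip, mac | append [| tstats count FROM datamodel=Network_Traffic by All_Traffic.dest_ip, All_Traffic.dest_mac |rename All_Traffic.dest_ip AS ip, All_Traffic.dest_mac AS mac | table ip, mac ] | append [| tstats count FROM datamodel=Compute_Inventory by Network.ip, Network.mac | rename Network.ip AS ip, Network.mac AS mac | table ip, mac ] | mvcombine delim=";" ip | dedup mac

#TA-nix
# Sourcetype-based *nix discovery (no data model required). Unlike the
# searches above these do not set request.ui_dispatch_app, so they run in
# whichever app context dispatches them.
[IT Service Intelligence - Linux and Unix hosts]
description = Collect the unix and linux hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=Linux:* OR sourcetype=Unix:* | dedup host | table host

[IT Service Intelligence - Solaris hosts]
description = Collect the solaris hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=Solaris:* | dedup host | table host

[IT Service Intelligence - OS X hosts]
description = Collect the OS X hosts provided through the TA-nix app for entry into ITSI
search = sourcetype=OSX:* | dedup host | table host

###### Lookup Generating Searches ######
# Every 10 minutes (and at startup) this copies the full local Splunk user
# list (username + realname) into itsi_user_realnames_lookup. That lookup is
# effectively an account directory: restrict its read permission to the roles
# that genuinely need it. `count=0` asks the REST endpoint for all users;
# an empty realname is stored as null rather than "".
# `disabled` normalised to 0 to match the rest of the file.
[IT Service Intelligence - User Realnames - Lookup Gen]
cron_schedule = */10 * * * *
disabled = 0
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
run_on_startup = true
search = | rest splunk_server=local count=0 /services/authentication/users | rename title as user | eval _key=user | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key user realname | outputlookup itsi_user_realnames_lookup | stats count

### Search to group events ###
# Indexed real-time search (earliest/latest = rt, dispatch.indexedRealtime=1):
# once enabled it holds a search slot continuously. The trailing `where 1=2`
# discards all output -- the useful work is presumably the side effects of the
# `itsirulesengine` command. Shipped disabled; enable deliberately.
[itsi_event_grouping]
cron_schedule = * * * * *
disabled = 1
dispatch.earliest_time = rt
dispatch.indexedRealtime = 1
dispatch.latest_time = rt
enableSched = 1
search = `itsi_event_management_index_with_close_events` | fields _time, _raw, source, sourcetype, host | itsirulesengine | where 1=2

### Search to find duplicated alias in entity ###
# Daily: expands each entity's identifier lookups and hands every alias that
# maps to more than one entity to `itsicheckfordupalias`.
[itsi_find_dup_alias]
cron_schedule = 0 0 * * *
disabled = 0
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
search = |inputlookup itsi_entities | eval itsi_identifier_lookups = _itsi_identifier_lookups | mvexpand "itsi_identifier_lookups" | eval key=_key | stats count values(itsi_identifier_lookups) values(title) values(services._key) values(key) by itsi_identifier_lookups | where count > 1| itsicheckfordupalias

# Daily KV store size check for the itsi_services collection.
# The rex below needs its named groups (App, Collection) because the following
# `stats ... by App,Collection` refers to them. Both `appendcols` calls join
# positionally; that is only sound because `search Collection = "itsi_services"`
# leaves a single row before they run.
[itsi_check_kvstore_size]
cron_schedule = 0 0 * * *
disabled = 0
dispatch.earliest_time = -4h
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
search = | rest splunk_server=local /services/server/introspection/kvstore/collectionstats \
| mvexpand data \
| spath input=data \
| rex field=ns "(?<App>.*)\.(?<Collection>.*)" \
| eval dbsize=size/1024/1024 \
| eval indexsize=totalIndexSize/1024/1024 \
| stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS \
"Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App,Collection \
| search Collection = "itsi_services" \
| appendcols [ \
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/properties/limits/kvstore/max_size_per_result_mb \
| rename value as max_size_per_result_mb] \
| appendcols [ \
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/properties/limits/kvstore/max_size_per_batch_result_mb \
| rename value as max_size_per_batch_result_mb] \
| eval "KVStore Limit Max Size (MB)"=min(max_size_per_result_mb, max_size_per_batch_result_mb) \
| itsicheckforkvstoresize

# Nightly; `dispatch.ttl = 1p` keeps the artifacts for one scheduling period.
[itsi_tracked_alerts_fields]
cron_schedule = 0 2 * * *
disabled = 0
dispatch.ttl = 1p
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
is_visible = false
search = `itsi_event_management_index_fields`

# Telemetry aggregation over service_telemetry_lookup (not scheduled here).
# The final sed-mode rex replaces every service title with "xxxxxx" so no
# customer service names leave in the per-service counts.
[service_level_telemetry]
disabled = 0
is_visible = false
enableSched = 0
search = | inputlookup service_telemetry_lookup | eval zipped = mvzip('kpis.title', 'kpis.search_type' , "==@@==") | fields - kpis._key, kpis.base_search, kpis.title, kpis.search_type | mvexpand zipped | eval x = split(zipped, "==@@==") | eval kpi_title = mvindex(x, 0) | eval search_type = mvindex(x, 1) | fields - x, zipped | stats count(eval(kpi_title!="ServiceHealthScore")) as total_kpis count(eval(kpi_title!="ServiceHealthScore" and search_type=="adhoc")) as adhoc_count count(eval(search_type=="shared_base")) as sbs_count count(eval(search_type=="datamodel")) as dm_count count(eval(search_type=="metric")) as metric_count values(base_service_template_id) as base_template_id dc(services_depends_on.serviceid) as depend_service values(sec_grp) as sec_grp by title | rex field=title mode=sed "s/([\s\S]*)/xxxxxx/g"

[itsi_content_packs_status_update]
cron_schedule = 30 * * * *
description = Checks and updates which ITSI content packs are installed
disabled = 0
enableSched = 1
is_visible = false
search = | itsicontentpackstatus

# Telemetry over custom threshold windows (not scheduled here). Windows with
# no cron_schedule are tagged "non-recur"; the mvzip/split dance flattens the
# parallel multivalue fields into one row per window.
[custom_threshold_windows_telemetry]
disabled = 0
is_visible = false
enableSched = 0
search = | inputlookup custom_threshold_window_telemetry_lookup\
| rename linked_services.linked_kpi_ids as linked_kpis\
| eval cron_schedule = if(isnull(cron_schedule) OR cron_schedule="", 0, cron_schedule)\
| eval linked_kpis_count = mvcount(linked_kpis)\
| fillnull\
| eval zipped = mvzip(mvzip(mvzip('cron_schedule', 'duration', "==@@=="), 'recurrence', "==@@=="), 'linked_kpis_count', "==@@==")\
| fields zipped\
| mvexpand zipped\
| eval x = split(zipped, "==@@==")\
| eval cron_schedule = mvindex(x, 0)\
| eval duration = mvindex(x, 1)\
| eval recurrence = mvindex(x, 2)\
| eval linked_kpis_count = mvindex(x, 3)\
| fields - x, zipped\
| eval cron_schedule = if(cron_schedule == "0", "non-recur", cron_schedule)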