# Copyright (C) 2005-2025 Splunk Inc. All Rights Reserved.

# Numeric ceilings for CSV export.
# NOTE(review): the names suggest a per-batch row count, a worker count and a
# cap on total results; the code that enforces them is not in this file.
# Confirm every export path applies them, because they are what bounds the
# work a single export request can trigger.
EXPORT_CSV_MAX_BATCH_SIZE = 5000
EXPORT_CSV_MAX_WORKERS = 10
EXPORT_CSV_MAX_RESULT_COUNT = 50000

# Event Onboarding (EA Data Integration) constants.
# These are plain lists, so any importer can mutate them in place; treat them
# as read-only. If they serve as validation allowlists (presumably - confirm
# at the call sites), compare against them with exact membership tests.
EA_DATA_INTEGRATION_METHOD_TYPES = ['INDEXED_DATA']
EA_DATA_INTEGRATION_INPUT_TYPE = ['regex', 'composition', 'mapping_rule']
EA_DATA_INTEGRATION_VALID_STATUS = ['active', 'inactive']

# Title prefix for the correlation search created for a data integration
# connection.
# NOTE(review): whatever gets appended to this prefix is chosen outside this
# file; confirm the call site validates it before it becomes a search title.
EA_DATA_INTEGRATION_CS_TITLE_PREFIX = 'DATA_INTEGRATION_CS-'

# SPL fragment for raw alerts. It starts with a pipe, so it only makes sense
# appended to a base search built elsewhere. It fills groupingid from
# internal_groupingid when groupingid is missing, copies it into
# event_identifier_string, and keeps one row per identifier, ordered by
# newest _time and then highest severity_id.
# The literal has no placeholders. NOTE(review): if the base search it is
# appended to contains user-influenced text, that text must be validated at
# the call site.
EA_DATA_INT_DEDUP_SEARCH_FOR_RAW_ALERT = (
    '| eval groupingid=coalesce(groupingid, internal_groupingid) '
    '| eval event_identifier_string=groupingid '
    '| dedup event_identifier_string sortby -_time -severity_id'
)

# SPL fragment for notable events. It left-joins the incoming rows (on
# event_identifier_string and vendor_severity) against a tstats summary of
# the `itsi_event_management_index` macro, then keeps only rows for which the
# join found nothing (event_identifier_fields is null).
# NOTE(review): the lookback is fixed in the literal at earliest=-59m, so a
# matching event indexed before that window is not seen by the join. The join
# subsearch is presumably also subject to Splunk's subsearch result limits;
# verify that a truncated subsearch cannot let duplicates through.
EA_DATA_INT_DEDUP_SEARCH_FOR_NOTABLE_EVENT = (
    '| join type=left event_identifier_string vendor_severity '
    '[| tstats latest(_time) as _time latest(event_identifier_fields) '
    'as event_identifier_fields max(severity_id) as severity_id where '
    '`itsi_event_management_index` earliest=-59m latest=now by '
    'event_identifier_string, vendor_severity '
    '| dedup event_identifier_string sortby -_time -severity_id '
    '| table _time, event_identifier_string, event_identifier_fields, '
    'vendor_severity] | where isnull(event_identifier_fields)'
)

# Search over the itsi_notable_event_ref_url lookup. _key, event_id and
# mod_time are parked under ref_url_* names before the lookup against
# itsi_notable_group_system_lookup and renamed back afterwards (presumably so
# the lookup's output fields cannot overwrite them - confirm). Only rows whose
# is_active comes back as 1 or 0 survive; rows with no is_active value after
# the lookup are dropped. "sort 0" removes the sort row limit, newest mod_time
# first. The trailing space is part of the value.
# NOTE(review): the name suggests the result drives retention; confirm how the
# caller treats rows this filter leaves out before changing the where clause.
REF_URL_RETENTION_SEARCH = (
    '| inputlookup itsi_notable_event_ref_url '
    '| eval ref_url_key=_key '
    '| eval ref_url_event_id=event_id '
    '| eval ref_url_mod_time=mod_time '
    '| lookup itsi_notable_group_system_lookup _key as ref_url_event_id '
    '| where is_active=1 OR is_active=0 '
    '| sort 0 -ref_url_mod_time '
    '| rename ref_url_key as _key '
    '| rename ref_url_event_id as event_id '
    '| rename ref_url_mod_time as mod_time '
    '| fields _key, event_id, mod_time '
)

# Same pipeline shape as REF_URL_RETENTION_SEARCH, applied to the
# itsi_notable_event_external_ticket lookup with ticket_* temporary names.
# The evals here are written with spaces around "="; the string is kept
# exactly as it was, including the trailing space.
EXTERNAL_TICKET_RETENTION_SEARCH = (
    '| inputlookup itsi_notable_event_external_ticket '
    '| eval ticket_key = _key '
    '| eval ticket_event_id = event_id '
    '| eval ticket_mod_time = mod_time '
    '| lookup itsi_notable_group_system_lookup _key as ticket_event_id '
    '| where is_active=1 OR is_active=0 '
    '| sort 0 -ticket_mod_time '
    '| rename ticket_key as _key '
    '| rename ticket_event_id as event_id '
    '| rename ticket_mod_time as mod_time '
    '| fields _key, event_id, mod_time '
)