# Splunk props.conf-style search-time settings, one stanza per source pattern.
# Every stanza applies the same set of settings:
#   FIELDALIAS-* : expose itsi_kpi_id / itsi_service_id under the additional
#                  names kpiid, gs_kpi_id, serviceid and gs_service_id.
#   EVAL-*       : alert_color / alert_value keep their existing value when
#                  present, otherwise fall back to color / health_score.
#   KV_MODE      : automatic search-time field extraction.
# Comments must stay on their own line; text after a value becomes part of it.
#
# NOTE(review): the original comment says KV_MODE handles JSON formatted stash
# events, but "auto" is key=value extraction and JSON extraction is
# KV_MODE = json. Confirm which one is intended.
# NOTE(review): the field names suggest these settings target ITSI summary data,
# yet two stanzas below also match Splunk's own splunkd.log and
# search_messages.log. Confirm that scope is intended, since the aliases and
# calculated fields then appear on internal-log events as well.

[source::service_health_monitor]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto

[source::service_health_score_backfill]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto

[source::kpi_backfill]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto

# NOTE(review): in source:: patterns "*" does not cross a path separator while
# "..." does. Verify this pattern matches the full path of splunkd.log as
# intended.
[source::*splunkd.log]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto

# NOTE(review): absolute path. This matches only events whose source is exactly
# this path, so installations outside /opt/splunk are not covered.
[source::/opt/splunk/var/log/splunk/search_messages.log]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto

# Any source whose name begins with "Indicator"
[source::Indicator*]
FIELDALIAS-kpiid = itsi_kpi_id as kpiid
FIELDALIAS-serviceid = itsi_service_id as serviceid
FIELDALIAS-gs_kpiid = itsi_kpi_id as gs_kpi_id
FIELDALIAS-gs_serviceid = itsi_service_id as gs_service_id
EVAL-alert_color = coalesce(alert_color, color)
EVAL-alert_value = coalesce(alert_value, health_score)
# Search-time extraction mode for stash events
KV_MODE = auto