################################
# Health score computation
################################
# The keys used here (cron_schedule, dispatch.*, enableSched, action.*) follow
# Splunk's savedsearches.conf schema, so this appears to be a savedsearches.conf
# fragment of the ITSI app. Comments are full-line "#" only; a trailing "\"
# continues a value onto the next line.

# Every minute, read the latest per-KPI severity events from the summary index,
# compute the service health score (gethealth) and write the result back into
# the itsi_summary index through action.summary_index.
# NOTE(review): no "disabled" key, so the stanza runs with Splunk's default
# (disabled = 0, i.e. enabled) — confirm that is the intended out-of-box state.
[service_health_monitor]
action.summary_index = 1
action.summary_index._name = itsi_summary
auto_summarize.dispatch.earliest_time = -45m
# "0-59/1" is every minute; the metrics variant below writes the same as "* * * * *".
cron_schedule = 0-59/1 * * * *
description = Summarizes the health of all services.
dispatch.earliest_time = -45m
enableSched = 1
search = `get_itsi_summary_index` `service_level_max_severity_event_only` | stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid | gethealth | `gettime`

# Metric version of service_health_monitor search. Searches and aggregates against results in metrics index
# NOTE: Cannot use "action.summary_index" to pipe results into itsi_summary_metrics until minimum version of Splunk
# compatibility is 8.x. Instead, use a custom alert_action that wraps the main mcollect macro
[service_health_metrics_monitor]
# Custom alert action stands in for action.summary_index on the metrics path (see NOTE above).
action.itsi_summary_metrics_collect = 1
cron_schedule = * * * * *
description = Summarizes the health of all services.
dispatch.earliest_time = -45m
enableSched = 1
# mstats over the metrics summary index, then the same enrichment and health
# computation as the event variant. An "N/A" health score is not dropped: it is
# reported as 0 with is_null_alert_value=1 so consumers can tell the two apart.
search = | mstats latest(alert_level) AS alert_level WHERE `get_itsi_summary_metrics_index` AND \
`service_level_max_severity_metric_only` by itsi_kpi_id, itsi_service_id\
| lookup kpi_alert_info_lookup alert_level OUTPUT severity_label AS alert_name | `mark_services_in_maintenance`\
| `join_kpi_info(itsi_kpi_id)` | `reorganize_metrics_healthscore_results` | gethealth | `get_info_time_without_sid`\
| lookup service_kpi_lookup _key AS itsi_service_id OUTPUT sec_grp AS itsi_team_id\
| fields - alert_severity, color, kpi, kpiid, serviceid, severity_label, severity_value\
| rename health_score AS service_health_score | eval is_null_alert_value=if(service_health_score="N/A", 1, 0), \
service_health_score=if(service_health_score="N/A", 0, service_health_score)

# Correlation search (disabled by default) that raises a notable event whenever a
# service health-score row is at alert_level 6. The %token% placeholders in the
# action.* params are filled from fields of the matching result row.
# NOTE(review): drilldown_uri references %kpiid%, but the search renames kpiid to
# itsi_kpi_id, so kpiid is no longer in the result row unless the
# `service_health_data` macro re-creates it — the kpiId= query parameter is
# probably left unresolved. %severity_label% and %severity_value% are not
# produced by the visible pipeline either; presumably the macro supplies them — verify.
[Monitor Critical Services Based on Health Score]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %service_name% is currently in %severity_label% with a value of %severity_value% at %actual_time%
# Drilldown window offsets around the event time (presumably seconds).
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = `service_health_data` %itsi_service_id%
action.itsi_event_generator.param.drilldown_search_title = %service_name% health
action.itsi_event_generator.param.drilldown_title = Drilldown to %service_name% health score
action.itsi_event_generator.param.drilldown_uri = /app/itsi/service_detail?serviceId=%itsi_service_id%&earliest=rt-24h&latest=rtnow&kpiId=%kpiid%
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 4
action.itsi_event_generator.param.status = 0
action.itsi_event_generator.param.title = %service_name% is in %severity_label% - %severity_value%
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
# Alert condition: number of results greater than 0.
counttype = number of events
cron_schedule = */1 * * * *
description = Monitor Critical service in the environment.
disabled = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = `service_health_data` alert_level=6 | rename serviceid as itsi_service_id | rename kpiid as itsi_kpi_id | rename kpi as kpi_name| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title | rename title as service_name | eval actual_time=_time | convert ctime(actual_time) as actual_time

##################################################################################################################################
# Disabled Kpis health score generation. The search populates the summary index with 'disabled' state values for all disabled kpis.
##################################################################################################################################
# Event-index variant; runs every minute and writes into itsi_summary.
[disabled_kpis_healthscore_generator]
action.summary_index = 1
action.summary_index._name = itsi_summary
auto_summarize.dispatch.earliest_time = -1m
cron_schedule = */1 * * * *
description = Generates Disabled state values for all disabled KPIs.
dispatch.earliest_time = -1m
enableSched = 1
# Expands disabled_service_kpi_lookup into one row per (service, KPI) and
# synthesises the "disabled" summary event the health-score searches expect
# (alert_level -3, alert_value "N/A", alert_severity "disabled", grey colour).
# The "1,0" value split by makemv/mvexpand yields two rows per KPI, one with
# is_service_max_severity_event=1 and one with 0.
# NOTE(review): the rex pattern as shown has no named capture groups ("(?.+)"
# is not valid regex); the group names were most likely lost when this text was
# extracted. The following eval reads kpiid, kpi_name and kpi_urgency, which
# matches the mvzip order _key / title / urgency — restore the names from the
# original file rather than from this copy.
search = | inputlookup disabled_service_kpi_lookup | rename _key as serviceid title as service_name | eval kpi_info_tmp = mvzip('kpis._key', 'kpis.title', "==@@=="), kpi_info = mvzip(kpi_info_tmp, 'kpis.urgency', "==@@==") | fields kpi_info service_name serviceid enabled | mvexpand kpi_info | rex field=kpi_info "(?.+)==@@==(?.+)==@@==(?.+)" | fields - kpi_info | where kpi_name!="ServiceHealthScore" | eval search_name="Indicator-Disabled_kpis- ITSI search",entity_key="service_aggregate", entity_title="service_aggregate",is_service_aggregate=1,is_service_max_severity_event="1,0",alert_value="N/A", alert_level=-3, alert_severity="disabled", alert_period=5, alert_color="#CCCCCC", urgency=kpi_urgency, gs_kpi_id=kpiid, gs_service_id=serviceid, itsi_kpi_id=kpiid, indexed_itsi_kpi_id=kpiid, indexed_itsi_service_id=serviceid, is_entity_defined=0, itsi_service_id=serviceid, kpi=kpi_name, color=alert_color, indexed_is_service_aggregate=is_service_aggregate | makemv is_service_max_severity_event delim="," | mvexpand is_service_max_severity_event | Convert num(is_service_max_severity_event) | eval indexed_is_service_max_severity_event=is_service_max_severity_event

# Metrics-index counterpart of the stanza above; results go through the custom
# collect action instead of action.summary_index.
[disabled_kpis_healthscore_generator_metrics]
action.itsi_summary_metrics_collect = 1
cron_schedule = */1 * * * *
description = Generates Disabled state values for all disabled KPIs into the metrics summary index.
dispatch.earliest_time = -1m
enableSched = 1
# Same expansion as the event variant, with metrics-oriented field names
# (itsi_service_id, itsi_team_id), a numeric alert_value of 0 and
# is_null_alert_value=1 in place of the "N/A" string.
# NOTE(review): the rex named groups are missing here as well; downstream reads
# kpi_name, and the metrics collect action presumably relies on the KPI id group —
# confirm the group names against the original file.
search = | inputlookup disabled_service_kpi_lookup | rename _key as itsi_service_id, sec_grp AS itsi_team_id \
| eval kpi_info_tmp = mvzip('kpis._key', 'kpis.title', "==@@=="), \
kpi_info = mvzip(kpi_info_tmp, 'kpis.urgency', "==@@==") | fields kpi_info, itsi_service_id, itsi_team_id \
| mvexpand kpi_info | rex field=kpi_info "(?.+)==@@==(?.+)==@@==(?.+)" \
| where kpi_name!="ServiceHealthScore" \
| eval search_name="Indicator-Disabled_kpis- ITSI search", entity_key="service_aggregate", is_service_aggregate=1, \
is_service_max_severity_event="1,0", is_service_disabled=1, alert_value=0, alert_level=-3, alert_period=5, \
is_entity_defined=0, is_null_alert_value=1, kpi=kpi_name | fields - kpi_info, kpi_name \
| makemv is_service_max_severity_event delim="," \
| mvexpand is_service_max_severity_event | convert num(is_service_max_severity_event)

#######################################################
# Splunk App for Infrastructure Alerts Integration
#######################################################
# Enabled out of the box (disabled = 0): every minute it reads index=infra_alerts
# and turns each SAI alert into an ITSI notable event. The drilldown URI, the
# drilldown search and the notable title are all built by the search from fields
# of the indexed event (see the search in this stanza).
[Splunk App for Infrastructure Alerts]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %itsiNotableTitle% %metric_name% alert imported from Splunk App for Infrastructure
# Drilldown window offsets; 480 lines up with the -8m dispatch window if the unit is seconds.
action.itsi_event_generator.param.drilldown_search_earliest_offset = -480
action.itsi_event_generator.param.drilldown_search_latest_offset = 480
# Both values are computed per event by the search (itsiDrilldownSearch / itsiDrilldownURI).
action.itsi_event_generator.param.drilldown_search_search = %itsiDrilldownSearch%
action.itsi_event_generator.param.drilldown_search_title = %itsiNotableTitle% Search
action.itsi_event_generator.param.drilldown_title = %itsiNotableTitle% Analysis in Splunk App for Infrastructure
action.itsi_event_generator.param.drilldown_uri = %itsiDrilldownURI%
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = %itsiSeverity%
action.itsi_event_generator.param.status = 1
# Entity matching uses the SAI entity_title, copied into itsiInstance by the search.
action.itsi_event_generator.param.entity_lookup_field = itsiInstance
action.itsi_event_generator.param.title = %itsiNotableTitle% %metric_name% %state_change%d
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
description = Import alerts from Splunk App for Infrastructure.
disabled = 0
dispatch.earliest_time = -8m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# Maps SAI current_state 1/3/5 to ITSI severity 2/4/6 (anything else -> 1),
# builds a human-readable itsiDetails line, and assembles the drilldown URI and
# drilldown search from event fields. Events for entities in maintenance are
# dropped by `filter_maintenance_entities` at the end.
# NOTE(review): entity_id, managed_by_type, managed_by_id, ss_id and
# aggregation_method come straight from indexed events and are concatenated into
# a URI and into a search string that is run when a user drills down. Only "="
# inside entity_id is percent-encoded (the sed rex); the other fields are neither
# encoded nor quoted, so an unexpected "&", quote or space in them will break, or
# change the meaning of, the drilldown. Treat these fields as untrusted input and
# encode/quote them consistently.
# NOTE(review): the rex pattern shown has lost its named group ("(?.*?)"); the
# next eval reads entity_id, so the original presumably named the group entity_id.
search = index=infra_alerts AND current_state!=None | rex "entity_id=\"(?.*?)\"," | eval urlencoded_entity_id=entity_id | rex field=urlencoded_entity_id mode=sed "s:=:\\%3D:g" | eval itsiAlert=search_name | eval itsiInstance=entity_title | eval itsiSubInstance=if(isnull(itsiSubInstance), "-", itsiSubInstance) | eval itsiRawStatus=current_state | eval itsiSeverity=case(current_state = "1", 2, current_state="3", 4, current_state = "5", 6, 1=1, 1) | eval itsiDetails = state_change + ": " + identifier_dimensions + " " + metric_name + " current value is " + current_value | eval itsiDrilldownURI=if(isnull(entity_title), "/app/splunk_app_infrastructure/metrics_analysis?" + managed_by_type + "=" + managed_by_id + "&alert_name=" + ss_id + "&aggregation_type=" + aggregation_method + "&tab=ANALYSIS","/app/splunk_app_infrastructure/metrics_analysis?entity=" + urlencoded_entity_id + "&tab=ANALYSIS") | eval itsiDrilldownSearch=if(isnull(entity_title), "index=infra_alerts current_state!=None managed_by_id=" + managed_by_id, "index=infra_alerts current_state!=None search entity_id=" + urlencoded_entity_id) | eval itsiNotableTitle=if(isnull(entity_title), ss_id, entity_title) | eval sec_grp=default_itsi_security_group | `filter_maintenance_entities`

##############################################################
# ITSI Normalized Correlation Search for Normalized Fields
##############################################################
# Generic correlation search (disabled by default) over events that already carry
# the itsiInstance / itsiAlert / itsiSeverity normalized fields; the notable's
# severity and title come straight from those fields.
[Normalized Correlation Search]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %itsiDetails%
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = itsiInstance="%itsiInstance%" itsiAlert="%itsiAlert%"
action.itsi_event_generator.param.drilldown_search_title = Show Alerts
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = %itsiSeverity%
action.itsi_event_generator.param.status = 1
# tmp_entity is set to itsiInstance by the search and resolved by `apply_entity_lookup`.
action.itsi_event_generator.param.entity_lookup_field = tmp_entity
action.itsi_event_generator.param.title = %itsiAlert% - %itsiInstance% (%itsiSubInstance%) is %itsiRawStatus%
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
description = Correlation search on ITSI normalized fields
disabled = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
# Defaults missing itsiSubInstance/itsiDetails/itsiRawStatus, then keeps only the
# latest event per (instance, sub-instance, alert, severity) via sort + dedup.
# NOTE(review): the base search carries no index or sourcetype constraint, so once
# enabled it scans every index the owning role can read, every minute — scope it
# before enabling.
search = itsiInstance=* itsiAlert=* itsiSeverity=* | eval itsiSubInstance=if(isnull(itsiSubInstance), "-", itsiSubInstance) | eval itsiDetails = if(isnull(itsiDetails), "no details", itsiDetails) | eval itsiRawStatus = if(isnull(itsiRawStatus), "unknown", itsiRawStatus) | sort itsiInstance itsiSubInstance itsiAlert -_time itsiSeverity | dedup consecutive=true itsiInstance itsiSubInstance itsiAlert itsiSeverity | eval tmp_entity=itsiInstance | `apply_entity_lookup(tmp_entity)`

# SNMP trap correlation search (disabled by default): every event in
# index=snmptrapd becomes a notable titled "<node>:<Description>", and the whole
# trap index is the drilldown search.
[SNMP Traps]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %node%:%Description%
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = index=snmptrapd
action.itsi_event_generator.param.drilldown_search_title = Node details
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = %node%:%Description%
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -1m
# Snapped to the minute ("@m") rather than "now", unlike the neighbouring stanzas.
dispatch.latest_time = @m
enableSched = 1
quantity = 0
relation = greater than
search = index=snmptrapd

###############################################################
# ITSI Bidirectional Ticketing Correlation Search
###############################################################
# Generic ticketing sync (disabled by default); the arguments
# (main, 90, itsi_tracked_alerts) are passed through to the macro, which defines
# their meaning.
[Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_bidirectional_ticketing(main,90,itsi_tracked_alerts)`

###############################################################
# BMC Remedy Bidirectional Ticketing Correlation Search
###############################################################
# BMC Remedy flavour of the ticketing sync (disabled by default); settings are
# identical to the generic stanza above except for the macro name.
[BMC Remedy Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_bmc_bidirectional_ticketing(main,90,itsi_tracked_alerts)`
###############################################################
# ITSI Jira Bidirectional Ticketing Correlation Search
###############################################################
# Jira flavour of the ticketing sync (disabled by default); settings are
# identical to the generic and BMC Remedy stanzas except for the macro name.
[Jira Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_jira_bidirectional_ticketing(main,90,itsi_tracked_alerts)`

#######################
# Drift Detection
#######################
# Weekly KPI drift detection, enabled, Saturdays at 02:00 over the last day;
# all of the logic lives in the batchdetectdrift command.
[itsi_kpi_drift_detection]
disabled = 0
cron_schedule = 0 2 * * 6
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
search = | batchdetectdrift

###############################################################
# ITSI High Scale EA backfill Correlation Search
###############################################################
# Disabled by default. When enabled it runs the high_scale_ea_backfill macro
# (argument 60) every minute over the last 30 minutes and creates notable events
# titled by the event source.
[High Scale EA Backfill]
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = %source%
action.itsi_event_generator.param.search_type = basic
disabled = 1
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
search = `high_scale_ea_backfill(60)`

#######################################################
# ITSI Telemetry
#######################################################
# The audit search and every [Telemetry: ...] stanza emit one JSON "event" field
# through action.outputtelemetry (anonymous = 1), each under its own component
# name. None of them set "disabled", so they run with Splunk's default (enabled).

# This search gives the count of knowledge objects:
# From itoa_interface
# - teams including Global team
# - entities
# - services
#   - total count
#   - count of services linked to a service template
#   - count of services not in the global team
#   - count of services dependencies
# - KPIs
#   - KPIs total count
#   - KPIs using ad-hoc searches count
#   - KPIs using shared base searches count
#   - KPIs using data model count
#   - KPIs using metrics count
#   - KPIs calculation window usage
#     - calculation window 1 minute (count of KPIs)
#     - calculation window 5 minutes (count of KPIs)
#     - calculation window 15 minutes (count of KPIs)
# - service templates
# - KPI base searches including the pre-package KPI base searches from the ITSI modules
# - deep dives (total count, count of private, count of shared in app)
# - glass tables (total count, count of private, count of shared in app)
# - home views (service analyzer) including the default Service Analyzer (total count, count of private, count of shared in app)
# - KPI templates
# - KPI threshold templates including the pre-package KPI threshold templates from the ITSI modules
# - event management states (total count, count of private, count of shared in app)
# - entity types
# - entity management policies
# - entity management rules
# - content packs
# - custom threshold windows
# - authored content packs
# From event_management_interface
# - correlation searches
# - notable event aggregation policy including the default NEAP
# From maintenance_services_interface
# - maintenance windows
#
# Runs daily at 00:00, hidden from the UI (is_visible = false). Each appended
# subsearch calls one REST count endpoint and renames the count into a
# data.knowledgeObjects.* field; "stats first(*)" folds the rows into one.
# Custom content-pack keys are replaced by "DA-ITSI-CP-CUST-" + sha256(key) so
# that customer-chosen pack names are not reported in clear text.
# NOTE(review): match(key, "DA-ITSI-CP-CUST-*") is a regex, not a glob: the "*"
# quantifies the trailing "-" and the match is unanchored, so any key containing
# "DA-ITSI-CP-CUST" matches. Over-hashing is harmless, but "^DA-ITSI-CP-CUST-"
# would express the prefix intent exactly.
# NOTE(review): alert.track = false here while the other stanzas use 0/1; Splunk
# accepts both spellings, but the file mixes boolean styles.
[Audit - Knowledge Objects Counts]
action.email.sendresults = 0
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.knowledgeObjectsCounts
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
alert.track = false
counttype = number of events
relation = greater than
quantity = 0
cron_schedule = 0 0 * * *
description = Sends anonymous usage statistics about number of knowledge objects.
disabled = 0
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
request.ui_dispatch_app = ITSI
schedule_window = auto
search = | rest /servicesNS/nobody/-/itoa_interface/service/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.services.totalCount\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entities.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_type/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityTypes.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_management_policies/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityManagementPolicies.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_management_rules/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityManagementRules.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/custom_threshold_windows/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.customThresholdWindows.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/team/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.teams.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/base_service_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.serviceTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_base_search/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiBaseSearches.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/deep_dive/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.deepDives.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/deep_dive report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.deepDives.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.deepDives.privateCount]\
| append [| rest /servicesNS/nobody/-/itoa_interface/content_pack/status | spath input=value output=event "{}"\
| mvexpand event| spath input=event output=key "_key"\
| table key | eval key=if(match(key, "DA-ITSI-CP-CUST-*"), "DA-ITSI-CP-CUST-".sha256(key), key) \
| eval data.knowledgeObjects.contentPacks.{key}=1 | where 'key'!=""\
| appendpipe [ | stats count as data.knowledgeObjects.contentPacks.totalCount] | fields - key]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/glass_table/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.glassTables.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/glass_table report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.glassTables.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.glassTables.privateCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/home_view/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.homeViews.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/home_view report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.homeViews.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.homeViews.privateCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_threshold_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiThresholdTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/event_management_state/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.eventManagementStates.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/event_management_state report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.eventManagementStates.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.eventManagementStates.privateCount]\
| append [ | rest /servicesNS/nobody/-/event_management_interface/correlation_search/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.correlationSearches.totalCount]\
| append [ | rest /servicesNS/nobody/-/event_management_interface/notable_event_aggregation_policy/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.notableEventAggregationPolicies.totalCount]\
| append [ | rest /servicesNS/nobody/-/maintenance_services_interface/maintenance_calendar/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.maintenanceWindows.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/content_pack_authorship/content_pack/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.authoredContentPacks.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/sandbox_service/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.sandboxServices.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/sandbox/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.sandboxes.totalCount]\
| append [ | savedsearch service_level_telemetry\
| eval sltp = if(base_template_id = "", 0, 1)\
| eval snig = if(sec_grp = "default_itsi_security_group", 0, 1) | addcoltotals | tail 1\
| table total_kpis, adhoc_count, sbs_count, dm_count, metric_count, depend_service, sltp, snig\
| rename sltp as data.knowledgeObjects.services.servicesLinkedToATemplate\
| rename snig as data.knowledgeObjects.services.servicesNotInGlobal\
| rename total_kpis as data.knowledgeObjects.services.kpis.totalCount\
| rename dm_count as data.knowledgeObjects.services.kpis.dataModelCount\
| rename sbs_count as data.knowledgeObjects.services.kpis.sharedBaseSearchCount\
| rename adhoc_count as data.knowledgeObjects.services.kpis.adhocCount\
| rename metric_count as data.knowledgeObjects.services.kpis.metricsCount\
| rename depend_service as data.knowledgeObjects.services.dependServicesCount ]\
| stats first(*) as * | fillnull | makejson version(string),data.* output=event | table event

# Reports cron schedule, duration and linked-KPI count of custom threshold windows
# (rows come from the custom_threshold_windows_telemetry saved search).
# Note the "enableSched=1" spelling without spaces in the telemetry stanzas,
# unlike "enableSched = 1" elsewhere; Splunk reads both the same way.
[Telemetry: Custom Threshold Windows]
search = | savedsearch custom_threshold_windows_telemetry \
| rename cron_schedule as data.cron_schedule \
| rename duration as data.duration \
| rename linked_kpis_count as data.linked_kpis_count \
| makejson version(string),data.* output=event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.customThresholdWindows
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 1 3 * * *
dispatch.earliest_time = -1d

# Aggregates transaction timings from ITSI's internal log (sourcetype
# itsi_internal_log) by method and by a params_summary string assembled from the
# metric_info_* fields. Reported per (method, params): cumulative, average,
# median and p90 transaction time plus the transaction count. The two trailing
# replace() calls strip empty-string members from the JSON so unset params are
# not reported.
# NOTE(review): the foreach body shows "<>" where the extraction stripped the
# angle-bracket field placeholder (Splunk's foreach token, e.g. <<FIELD>>), and
# the rex pattern has lost its named groups, which the next eval reads as key
# and value. Restore both from the original file before relying on this text.
[Telemetry: Performance metrics]
search = index=_internal sourcetype=itsi_internal_log tid transaction_time \
| table method, transaction_time, metric_info* \
| eval params_summary = "" \
| foreach metric_info_* \
[ eval "<>"=coalesce('<>', "NULL") \
| eval params_summary=params_summary.if(<>=="NULL", "", "<>"."=".<>.";")] \
| eval params_summary=rtrim(params_summary, ";") \
| stats sum(transaction_time) as data.cumulativeTime, avg(transaction_time) as data.averageTime, median(transaction_time) as data.medianTime, perc90(transaction_time) as data.p90Time, count as data.numberOfTransactions by method, params_summary \
| eval params_split=split(params_summary, ";") \
| mvexpand params_split \
| rex field=params_split "(?.*)=(?.*)" \
| eval data.{key}=value \
| fields - key, value \
| stats values(*) as * by method, params_summary \
| rename method as data.method \
| makejson data.* output=event \
| eval event=replace(event,"\"\S+?\": \"\",", "") \
| eval event=replace(event,", *\"\S+?\": \"\"}", "}")
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.performanceMetrics
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 1 3 * * *
dispatch.earliest_time = -1d

# Reports the _key and installed_versions of each content pack, read from the
# local search head only (splunk_server=local).
[Telemetry: Content Packs]
search = | rest splunk_server=local /servicesNS/nobody/-/itoa_interface/content_pack/status | spath input=value output=event "{}"\
| mvexpand event\
| spath input=event output=data.contentPacks._key "_key"\
| spath input=event output=data.contentPacks.installed_versions "installed_versions{}"\
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.contentPacks
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d

# Reports rows of the duplicate-entities (normalization) job queue that were
# created by a user or by the search command, with the processing time in
# minutes (-1 when either timestamp is missing).
# NOTE(review): `status != "NEW" OR status != "IN_PROGRESS"` is true for every
# row, since no single status value equals both, so the filter does nothing. The
# intent is presumably to drop unfinished jobs, i.e.
# `| search status != "NEW" AND status != "IN_PROGRESS"`.
# NOTE(review): `rename * as data.*` forwards every column of the lookup into the
# telemetry event. Check that the lookup holds no fields that should stay
# on-premises (entity names, hostnames, free text); the other telemetry stanzas
# count or hash rather than ship raw rows.
[Telemetry: Entity Normalization Generate Results]
search = | inputlookup itsi_duplicate_entities_job_queue \
| search mod_source="user_generated" OR mod_source="search_command" \
| search status != "NEW" OR status != "IN_PROGRESS" \
| eval processing_time_in_minutes = if(isnull(complete_timestamp) OR isnull(create_time), -1, \
(tonumber(complete_timestamp) - tonumber(create_time)) / 60) \
| rename * as data.* \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityNormalizationGeneration
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 0 3 * * *
dispatch.earliest_time = -1d

# Forwards the text body of the at_usage_data REST endpoint unchanged as the
# telemetry event; whatever that endpoint returns is what gets sent.
[Telemetry: AT Usage]
search = | rest /servicesNS/nobody/-/at_usage_data report_as=text | rename value as event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.ATUsage
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d

# Same pattern for the event-onboarding telemetry endpoint: the endpoint's
# response is sent as-is.
[Telemetry: Event Onboarding Usage]
search = | rest /servicesNS/nobody/-/event_management_interface/telemetry/event_onboarding | rename value as event | table event
enableSched=1
action.outputtelemetry = 1 action.outputtelemetry.param.anonymous = 1 action.outputtelemetry.param.support = 1 action.outputtelemetry.param.license = 0 action.outputtelemetry.param.optinrequired = 3 action.outputtelemetry.param.component = app.ITSI.EAEventOnboarding action.outputtelemetry.param.input = event action.outputtelemetry.param.type = aggregate cron_schedule = 5 3 * * * dispatch.earliest_time = -1d [Telemetry: Nats Usage] search = | rest /servicesNS/nobody/-/event_management_interface/telemetry/nats | rename value as event | table event enableSched=1 action.outputtelemetry = 1 action.outputtelemetry.param.anonymous = 1 action.outputtelemetry.param.support = 1 action.outputtelemetry.param.license = 0 action.outputtelemetry.param.optinrequired = 3 action.outputtelemetry.param.component = app.ITSI.EANats action.outputtelemetry.param.input = event action.outputtelemetry.param.type = aggregate cron_schedule = 5 3 * * * dispatch.earliest_time = -1d [Telemetry: Count of entities by entity type] search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,entity_type_ids" \ | eval value=trim(replace(value, "\n", "")) \ | eval value="{\"content\":".value."}" \ | spath input=value output=entities "content{}" \ | table entities \ | mvexpand entities \ | spath input=entities output=title path="title" \ | spath input=entities output=entity_type_ids path="entity_type_ids{}" \ | fillnull value="None" entity_type_ids \ | stats count by entity_type_ids \ | eval entity_type_ids=case( \ [ rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_type report_as=text fields="_key,_is_from_conf" \ | eval value=trim(replace(value, "\n", "")) \ | eval value="{\"content\":".value."}" \ | spath input=value output=entity_type "content{}" \ | mvexpand entity_type \ | spath input=entity_type output=entity_type_ids "_key" \ | spath input=entity_type output=is_from_conf "_is_from_conf" \ | search is_from_conf=1 \ | table entity_type_ids], entity_type_ids, 
entity_type_ids="None", entity_type_ids, true(), sha256(entity_type_ids)) \
    | rename entity_type_ids as data.entityTypeIds, count as data.countOfAssociatedEntities \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityTypes
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 2 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: counts of retirable and retired entities, plus a summary of
# the entity management policies (enabled, disabled, auto-retire, distinct
# entity types, and the average retire lookback; a period given in days is
# multiplied by 24 before averaging).
[Telemetry: Entity Lifecycle Management]
search = | rest /servicesNS/nobody/-/itoa_interface/entity report_as=text \
    | eval value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=retired path="content{}.retired" \
    | spath input=value output=retirable path="content{}.retirable" \
    | fillnull value=0 retirable, retired \
    | stats sum(retirable) as retirable, sum(retired) as retired \
    | eval count_of_entities = retired + retirable \
    | rename retirable AS data.countOfRetirableEntities, retired AS data.countOfRetiredEntities, \
    count_of_entities AS data.countOfEntitiesUnderManagement \
    | append \
    [| rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_management_policies report_as=text \
    | eval value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=entity_type_ids path="content{}.entity_type_ids{}" \
    | spath input=value output=disabled path="content{}.disabled" \
    | spath input=value output=key path="content{}._key" \
    | spath input=value output=period path="content{}.entity_retire_period" \
    | spath input=value output=schedule path="content{}.entity_retire_schedule" \
    | spath input=value output=autoretire path="content{}.auto_retire" \
    | fillnull \
    | stats sum(disabled) as count_of_disabled_policies, count(key) as count_of_policies, \
    sum(autoretire) as \
count_of_autoretire_policies, \
    dc(entity_type_ids) as count_of_entity_types, list(schedule) AS schedule, list(period) AS period \
    | eval policy_schedule=mvzip(period, schedule) \
    | mvexpand policy_schedule \
    | eval policy_schedule=split(policy_schedule, ",") \
    | eval period=mvindex(policy_schedule,0), schedule=mvindex(policy_schedule,1), \
    duration=if(schedule=="days", period * 24, period) \
    | stats last(count_of_disabled_policies) as count_of_disabled_policies, \
    last(count_of_policies) as count_of_policies, \
    last(count_of_autoretire_policies) as count_of_autoretire_policies, \
    last(count_of_entity_types) as count_of_entity_types, \
    avg(duration) AS avg_policy_lookback \
    | fillnull value=0 count_of_disabled_policies, count_of_policies, count_of_autoretire_policies, \
    count_of_entity_types, avg_policy_lookback \
    | eval count_of_enabled_policies=count_of_policies-count_of_disabled_policies \
    | fields - count_of_policies \
    | rename count_of_entity_types AS data.countOfEntityTypesUnderManagement, \
    count_of_enabled_policies AS data.countOfEnabledEntityManagementPolicies, \
    count_of_autoretire_policies AS data.countOfAutoRetireEntityManagementPolicies, \
    count_of_disabled_policies AS data.countOfDisabledEntityManagementPolicies, \
    avg_policy_lookback AS data.avgPolicyLookbackPeriod ] \
    | stats first(*) as * \
    | fillnull \
    | makejson version(string),data.* output=event \
    | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityLifecycleManagement
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 2 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: distinct entity types divided by the number of entities
# (the division yields null, not an error, when there are no entities).
[Telemetry: Entity type-to-entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,entity_type_ids" \
    | eval \
value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=title path="content{}.title" \
    | spath input=value output=entity_type_ids path="content{}.entity_type_ids{}" \
    | stats count(title) as number_of_entities, dc(entity_type_ids) as number_of_entity_types \
    | eval data.entityTypeToEntityRatio=number_of_entity_types/number_of_entities \
    | rename number_of_entities as data.numberOfEntities, number_of_entity_types as data.numberOfEntityTypes \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityTypeToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: distinct services referenced by entities divided by the
# number of entities.
[Telemetry: Service-to-entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,services" \
    | eval value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=title path="content{}.title" \
    | spath input=value output=services path="content{}.services{}" \
    | stats dc(services) as number_of_services, count(title) as number_of_entities \
    | eval data.serviceToEntityRatio=number_of_services/number_of_entities \
    | rename number_of_entities as data.numberOfEntities, number_of_services as data.numberOfServices \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.serviceToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
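dispatch.earliest_time = -1d

# Daily telemetry: KPIs divided by the entities matched by KPI entity filter
# rules. The `fillnull kpi_id` groups rows without a kpi_id under one bucket,
# and the "- 1" removes that bucket from the KPI count.
# NOTE(review): the "- 1" assumes such a bucket always exists; if every row has
# a kpi_id the count is one too low.
[Telemetry: KPI-to-entity ratio]
search = | inputlookup itsi_entity_filter_rules_lookup where entity_info.alias_value=* \
    | mvexpand entity_info.alias_value \
    | fillnull kpi_id \
    | stats count(entity_info.alias_value) as number_of_entities by kpi_id \
    | stats count(kpi_id) as number_of_kpis, sum(number_of_entities) as number_of_entities \
    | eval number_of_kpis=number_of_kpis - 1 \
    | eval data.kpiToEntityRatio=number_of_kpis/number_of_entities \
    | rename number_of_kpis as data.numberOfKpis, number_of_entities as data.numberOfEntities \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.kpiToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: shared base searches divided by the entities matched by
# their entity filter rules; same structure as the KPI-to-entity ratio above.
# After the second stats only number_of_base_searches and number_of_entities
# exist, so the fillnull bucket is removed from number_of_base_searches
# (adjusting the no-longer-present base_search_id field would be a no-op).
[Telemetry: Shared base search-to-entity ratio]
search = | inputlookup itsi_entity_filter_rules_lookup where entity_info.alias_value=* \
    | mvexpand entity_info.alias_value \
    | fillnull base_search_id \
    | stats count(entity_info.alias_value) as number_of_entities by base_search_id \
    | stats count(base_search_id) as number_of_base_searches, sum(number_of_entities) as number_of_entities \
    | eval number_of_base_searches=number_of_base_searches - 1 \
    | eval data.sharedBaseSearchToEntityRatio=number_of_base_searches/number_of_entities \
    | rename number_of_base_searches as data.numberOfSharedBaseSearches, number_of_entities as data.numberOfEntities \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.sharedBaseSearchToEntityRatio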
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: entities that belong to at least one service versus
# entities with no service ("{}" after nomv/fillnull), and their ratio.
[Telemetry: Service-associated entity-to-service-unassociated entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,services" \
    | eval value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=entities path="content{}" \
    | table entities \
    | mvexpand entities \
    | spath input=entities output=services path="services{}" \
    | nomv services \
    | fillnull value="{}" services \
    | stats dc(entities) as number_of_entities by services \
    | eval is_service_associated=if(services == "{}", 0, number_of_entities) \
    | eval is_service_unassociated=if(services == "{}", number_of_entities, 0) \
    | stats sum(is_service_associated) as service_associated_entities, sum(is_service_unassociated) as service_unassociated_entities \
    | eval data.serviceAssociatedEntityToServiceUnassociatedEntityRatio=service_associated_entities/service_unassociated_entities \
    | rename service_associated_entities as data.numberOfServiceAssociatedEntities, service_unassociated_entities as data.numberOfServiceUnassociatedEntities \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.serviceAssociatedEntityToServiceUnassociatedEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 * * *
dispatch.earliest_time = -1d

# Telemetry (cron day-of-month */7): number of users per role combination.
# Usernames are always sent as sha256(telemetrySalt + name); role names other
# than the listed built-in/ITSI roles are hashed the same way, so customer
# identifiers do not leave the instance. The telemetrySalt is pulled in by a
# subsearch (format + sed strip the parentheses so it becomes an eval assignment).
# NOTE(review): eval "+" concatenates strings only when the operands are not
# both numeric; "." is the unambiguous concatenation operator.
[Telemetry: Roles by user]
search = | rest splunk_server=local /services/authentication/users \
    | table title, roles \
    | eval \
    [| rest splunk_server=local /servicesNS/nobody/splunk_instrumentation/telemetry \
    | table telemetrySalt \
    | format \
    | rex \
field=search mode=sed "s/[()]//g"] \
    | eval data.user=sha256(telemetrySalt + title) \
    | mvexpand roles \
    | eval roles=case(in(roles, "admin", "sc_admin", "power", "user", "itoa_admin", "itoa_team_admin", "itoa_analyst", \
    "itoa_user"), roles, true(), sha256(telemetrySalt + roles)) \
    | mvcombine roles \
    | eval combined_roles=mvjoin(roles, ";") \
    | stats dc(data.user) as num_of_users by combined_roles \
    | eval roles=split(combined_roles, ";") \
    | rename roles as data.roles, num_of_users as data.numOfUsers \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.rolesByUser
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 */7 * *
dispatch.earliest_time = -1d

# Telemetry (cron day-of-month */7): number of vital metrics per entity type.
# Entity type keys not shipped in conf (_is_from_conf != 1) are sha256-hashed.
[Telemetry: Vital metrics by entity type]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_type report_as=text fields="_key,_is_from_conf,vital_metrics" \
    | eval value=trim(replace(value, "\n", "")) \
    | eval value="{\"content\":".value."}" \
    | spath input=value output=entity_type_data "content{}" \
    | mvexpand entity_type_data \
    | spath input=entity_type_data output=vital_metrics "vital_metrics{}.metric_name" \
    | spath input=entity_type_data output=is_from_conf "_is_from_conf" \
    | spath input=entity_type_data output=entity_type "_key" \
    | table entity_type, is_from_conf, vital_metrics \
    | eval entity_type=case(is_from_conf==1, entity_type, true(), sha256(entity_type)) \
    | eval vital_metrics_count=mvcount(vital_metrics) \
    | rename entity_type as data.entityType, vital_metrics_count as data.vitalMetricsCount \
    | makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.vitalMetricsByEntityType
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 */7 * *
dispatch.earliest_time = -1d

# Daily telemetry: how many KPIs use each calculation window (search_alert_earliest),
# split into predefined windows (1, 5, 15, 1440) and custom windows. The
# ServiceHealthScore KPI is excluded. The event is assembled by hand with
# json_object/json_extend rather than makejson.
# NOTE(review): after the final stats, `group`, `windowType` and `total` are
# parallel multivalues whose order is not fixed; each json_extend must pick the
# `group` index whose `windowType` matches its target key (check the
# customWindow call).
[Telemetry: Calculation Window Usage]
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.calculationWindowUsage
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 10 3 * * *
dispatch.earliest_time = -1d
search = | inputlookup calculation_window_telemetry_lookup \
    | eval zipped = mvzip('kpis.title', 'kpis.search_alert_earliest' , "==@@==") \
    | fields - kpis.title, kpis.search_alert_earliest \
    | mvexpand zipped \
    | eval x = split(zipped,"==@@==") \
    | eval kpi_title = mvindex(x, 0) \
    | eval calculation_window_value = mvindex(x, 1) \
    | fields - x, zipped \
    | where kpi_title!="ServiceHealthScore" \
    | stats count by calculation_window_value \
    | eval windowType = if(calculation_window_value == 1 or calculation_window_value == 5 or calculation_window_value == 15 or calculation_window_value == 1440, "predefinedWindow", "customWindow") \
    | eval group = json_object("calculationWindowValue", calculation_window_value, "count", count) \
    | stats list(group) as group, sum(count) as total by windowType \
    | eval group = mv_to_json_array(group, true()) \
    | stats list(group) as group, list(windowType) as windowType, list(total) as total \
    | eval event = json_object("data", json_object(mvindex(windowType,0), json_object("calculationWindowValueCount", json_array(), "totalCount", mvindex(total, 0)), mvindex(windowType,1), json_object("calculationWindowValueCount", json_array(), "totalCount", mvindex(total, 1)))) \
    | eval event = json_extend(event, \
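"data.customWindow.calculationWindowValueCount", mvindex(group, if(mvindex(windowType, 0) == "customWindow", 0, 1))) \
    | eval event = json_extend(event, "data.predefinedWindow.calculationWindowValueCount", mvindex(group, if(mvindex(windowType, 0) == "predefinedWindow", 0, 1 ))) \
    | table event

# Daily telemetry: how services were created (sandbox bulk import, ad-hoc, or
# from a service template), counted from the ITSI import and appserver logs.
# The rex capture group is named bulk_import_tmp, the field the later table and
# stats consume; a group without a name is a regex error.
[Telemetry: Sandbox Services]
search = index=_internal source="*itsi_command_itsi_import_objects.log" "Sandbox service bulk import report" \
    | rex field=_raw "services: (?<bulk_import_tmp>\d*)" \
    | table bulk_import_tmp \
    | append \
    [ search index=_internal source="*itsi_appserver.log" "Successfully added service" \
    | eval ad-hoc_individual_service=if(isnull(base_service_template_id),1, 0) \
    | eval template_individual_service=if(not isnull(base_service_template_id),1, 0) \
    | table ad-hoc_individual_service, template_individual_service] \
    | stats sum(bulk_import_tmp) as data.bulk_import_services, sum(ad-hoc_individual_service) as data.ad-hoc_individual_services, \
    sum(template_individual_service) as data.template_individual_services \
    | makejson data.* output=event
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.sandboxServiceCreation
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 11 3 * * *
dispatch.earliest_time = -1d

# Daily telemetry: per-run outcome of the entity discovery search cleaner
# (entities cleaned, error count, host, roles, start/end time) keyed by the
# run's transaction id. The rex capture groups are named after the fields
# consumed downstream: tid, cleaned_entities and errors.
# NOTE(review): the appended subsearch filters with `NOT isnull(end_time)` in
# search syntax, where isnull() is not an eval function; confirm it selects the
# intended runs (`end_time=*` is the search-language form).
[Telemetry: Entity Discovery Search Cleanup Command]
search = index=_internal sourcetype=itsi_internal_log "itsi_entity_discovery_search_cleaner" \
    | rex "'tid': '(?<tid>.*)', '_raw'" \
    | rex "Total entities processed so far: (?<cleaned_entities>.*)" \
    | rex "'log_level': '(?<errors>.*)', '" \
    | eval has_error=if(like(errors, "%ERROR%" ), 1, 0) \
    | stats values(cleaned_entities) AS cleaned_entities sum(has_error) AS has_error values(host) AS host \
    values(roles_for_current_user) AS roles_for_current_user by tid \
    | append [search index=_internal sourcetype=itsi_internal_log \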
"itsi_entity_discovery_search_cleaner" \
    method=CleanEntityDiscoverySearches.generate AND NOT isnull(end_time) | eval start_time_int=tonumber(start_time) \
    | eval end_time_int=tonumber(end_time) | table tid, start_time_int, end_time_int] \
    | stats values(*) as * by tid \
    | fillnull cleaned_entities value=0 \
    | rename * as data.* \
    | makejson data.* output=event
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityDiscoverySearchCleanupCommand
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 0 2 * * *
dispatch.earliest_time = -1d

###############################################################
# ITSI Import Entity
#
# Scheduled searches that discover entities from metrics data and hand the
# results to the itsi_import_objects alert action. Each search restricts
# metric_name to one metric family AND the index macro for that entity type,
# so entities are only imported from the indexes the macro allows.
# Most searches build the mcatalog field list dynamically: a subsearch lists
# the metric dimensions (_dims), drops the known non-identifying ones, and
# emits a `values("<dim>") as "dimension.info.<dim>"` clause per dimension;
# the `makeresults ... "no-data-placeholder"` append presumably keeps that
# subsearch from returning an empty clause list.
# NOTE(review): in these searches the foreach template token inside match()
# and substr() appears as "<>", which cannot match anything; the substr
# offsets ("identifier." / "info.") line up with <<MATCHSTR>> — confirm and
# restore before relying on is_identifier/dimension_key.
###############################################################

# VMware datastores: keyed by moid + vCenter; type and title come from the
# mcatalog result.
[ITSI Import Objects - VMware Datastore]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = pool_name,entity_type, moid,vcenter
action.itsi_import_objects.param.entity_merge_field = itsi_entity_id
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values(name) as name, values(pool_name) as pool_name, values(entity_type) as entity_type \
    where `itsi_entity_type_vmware_datastore_metrics_indexes` AND metric_name=vsphere.datastore* by moid, vcenter \
    | eval etype="VMware Datastore" , itsi_entity_id=moid."_".vcenter
disabled = 0

###############################################################
# ITSI - workaround for entity type with multiple aliases
###############################################################

# VMware clusters: keyed by moid + vCenter, refreshed every 5 minutes over the
# last hour of metrics.
[ITSI Import Objects - VMWare Cluster]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = entity_type,pool_name,moid,vcenter
action.itsi_import_objects.param.entity_merge_field = itsi_entity_id
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values(entity_type) as entity_type, values(name) as name, values(pool_name) as pool_name \
    where `itsi_entity_type_vmware_cluster_metrics_indexes` AND metric_name=vsphere.cluster* by moid, vcenter \
    | eval etype="VMware Cluster" , itsi_entity_id=moid."_".vcenter
disabled = 0

# VMware VMs: merged on uuid (with FQDN merging enabled), every 2 minutes over
# the last 5 minutes. The dimension list is discovered by the inner mcatalog
# subsearch; instance/unit/vmware_metric_aggregation/host/uuid are excluded.
# NOTE(review): the foreach below contains "<>" where the template token
# (presumably <<MATCHSTR>>, given the substr offsets) should be.
[ITSI Import Objects - VMware VM]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id,uuid
action.itsi_import_objects.param.entity_informational_fields = cluster,cluster_name,datastore,hypervisor,hypervisor_name,ip,os,pool_name,resourcepool,moid,vcenter
action.itsi_import_objects.param.entity_merge_field = uuid
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
action.itsi_import_objects.param.entity_merge_fqdn = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values("uuid") as "dimension.identifier.uuid" [ mcatalog values(_dims) as info \
    where metric_name=vsphere.vm.* AND (`itsi_entity_type_vmware_vm_metrics_indexes`) earliest=-300s \
    | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
    | mvexpand info| search info != "instance" AND info != "unit" AND info != \
"vmware_metric_aggregation" AND \
    info != "host" AND info != "uuid" \
    | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
    | fields search| mvcombine search| nomv search] where metric_name=vsphere.vm.* AND (`itsi_entity_type_vmware_vm_metrics_indexes`) \
    earliest=-300s by "uuid"| fields dimension.* \
    | eval identifier_dimensions="uuid" \
    | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \
    | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware VM"] \
    | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter
disabled = 0

# VMware vCenters: keyed and titled by the vcenter dimension, every 5 minutes
# over the last hour; unit/host/vcenter/vmware_metric_aggregation are excluded
# from the discovered dimensions.
[ITSI Import Objects - VMware vCenter]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = vcenter,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = moid,pool_name,instance
action.itsi_import_objects.param.entity_merge_field = vcenter
action.itsi_import_objects.param.entity_title_field = vcenter
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values("vcenter") as "dimension.identifier.vcenter" [ mcatalog values(_dims) as info \
    where metric_name=vsphere.vc.* AND (`itsi_entity_type_vmware_vcenter_metrics_indexes`) earliest=-3600s \
    | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
    | mvexpand info| search info != "unit" AND info != "host" AND info != "vcenter" AND info != "vmware_metric_aggregation"\
    | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . \
"\""| fields search| \ mvcombine search| nomv search] where metric_name=vsphere.vc.* AND (`itsi_entity_type_vmware_vcenter_metrics_indexes`) earliest=-3600s by "vcenter" \ | fields dimension.* \ | eval identifier_dimensions="vcenter" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware vCenter"] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter disabled = 0 [ITSI Import Objects - VMware Host] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = name,itsi_entity_id,uuid action.itsi_import_objects.param.entity_informational_fields = moid,cluster,cluster_name,datastore,os,os_version,pool_name,vcenter action.itsi_import_objects.param.entity_merge_field = uuid action.itsi_import_objects.param.entity_title_field = name action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -4m dispatch.latest_time = now enableSched = 1 cron_schedule = */2 * * * * search = | mcatalog values("uuid") as "dimension.identifier.uuid" [ mcatalog values(_dims) as info \ where metric_name=vsphere.esxihost.* AND (`itsi_entity_type_vmware_esxihost_metrics_indexes`) earliest=-240s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \ | mvexpand info| search info != "instance" AND info != "unit" AND info != "vmware_metric_aggregation" AND \ info != "host" AND info != "uuid" \ | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search \ | nomv search] where metric_name=vsphere.esxihost.* AND (`itsi_entity_type_vmware_esxihost_metrics_indexes`) earliest=-240s by "uuid" \ | fields dimension.* \ | eval identifier_dimensions="uuid" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware ESXi Host"] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter disabled = 0 [ITSI Import Objects - TA *Nix] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = location,os,server,tag,ip,ipv6 action.itsi_import_objects.param.entity_merge_field = host action.itsi_import_objects.param.entity_title_field = host action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -90s dispatch.latest_time = now enableSched = 1 cron_schedule = * * * * * search = | mcatalog values("host") as "dimension.identifier.host" \ [ mcatalog values(_dims) as info where metric_name=*_metric.* AND (`itsi_entity_type_ta_nix_metrics_indexes`) earliest=-90s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \ | search info != "punct" AND info != "val" AND info != "metric_type" AND info != "extracted_host" AND \ info != "COMMAND" AND info != "CPU" AND info != "Device" AND info != "Filesystem" AND info != "MountedOn" AND \ info != "Name" AND info != "PID" AND info != "Type" AND info != "USER" AND info != "ARGS" AND info != "Duplex" AND \ info != "MAC" AND info != "Speed" AND info != "inet6Addr" AND info != "inetAddr" AND info != "RXdropped" AND \ info != "TXdropped" AND info != "host"| \ eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\""| fields search| \ mvcombine search| nomv search] where metric_name=*_metric.* AND (`itsi_entity_type_ta_nix_metrics_indexes`) earliest=-90s by "host" \ | fields dimension.* \ | eval identifier_dimensions="host" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host, etype="Unix/Linux Add-on", ip=IP_address, ipv6=IPv6_address disabled = 0 [ITSI Import Objects - Perfmon] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = os,ip,ipv6,os_version action.itsi_import_objects.param.entity_merge_field = host action.itsi_import_objects.param.entity_title_field = host action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -90s dispatch.latest_time = now enableSched = 1 cron_schedule = * * * * * search = | mcatalog values("host") as "dimension.identifier.host" \ [ mcatalog values(_dims) as info where metric_name=Processor.* OR metric_name=processor.* AND (`itsi_entity_type_windows_metrics_indexes`) \ earliest=-90s| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info| \ search info != "punct" AND info != "val" AND info != "metric_type" AND info != "instance" AND \ info != "extracted_host" AND info != "cpu" AND info != "disk" AND info != "collection" AND info != "object" AND \ info != "host"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search| nomv search] where metric_name=Processor.* OR metric_name=processor.* AND \ (`itsi_entity_type_windows_metrics_indexes`) earliest=-90s by "host"| fields dimension.* \ | eval identifier_dimensions="host" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="Windows"] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host disabled = 0 [ITSI Import Objects - OS] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = ip,kernel_version,os,os_version,ipv6 action.itsi_import_objects.param.entity_merge_field = host action.itsi_import_objects.param.entity_title_field = host action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -90s dispatch.latest_time = now enableSched = 1 cron_schedule = * * * * * search = | mcatalog values("host") as "dimension.identifier.host" \ [ mcatalog values(_dims) as info where metric_name=cpu.* AND (`itsi_entity_type_nix_metrics_indexes`) earliest=-90s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \ | mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND \ info != "cpu" AND info != "extracted_host" AND info != "host" \ | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\""| fields search \ | mvcombine search| nomv search] where metric_name=cpu.* AND (`itsi_entity_type_nix_metrics_indexes`) earliest=-90s by "host" \ | fields dimension.* \ | eval identifier_dimensions="host" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="*nix"] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host disabled = 0 [ITSI Import Objects - AWS Cloudwatch EBS] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = VolumeId,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = region action.itsi_import_objects.param.entity_merge_field = VolumeId action.itsi_import_objects.param.entity_title_field = VolumeId action.itsi_import_objects.param.entity_type_field = action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -20m dispatch.latest_time = now enableSched = 1 cron_schedule = */3 * * * * search = | mcatalog values("VolumeId") as "dimension.identifier.VolumeId" \ [ mcatalog values(_dims) as info where metric_name=AWS/EBS* AND (`itsi_im_metrics_indexes`) earliest=-1200s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \ | search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \ info != "MetricName" AND info != "Period" AND info != "VolumeId" \ | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search| nomv search] where metric_name=AWS/EBS* AND \ (`itsi_im_metrics_indexes`) earliest=-1200s by "VolumeId"| fields dimension.* \ | eval identifier_dimensions="VolumeId" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=VolumeId disabled = 0 [ITSI Import Objects - AWS Cloudwatch EC2] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = InstanceId,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = entity_class,region action.itsi_import_objects.param.entity_merge_field = InstanceId action.itsi_import_objects.param.entity_title_field = InstanceId action.itsi_import_objects.param.entity_type_field = action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -20m dispatch.latest_time = now enableSched = 1 cron_schedule = */3 * * * * search = | mcatalog values("InstanceId") as "dimension.identifier.InstanceId" \ [ mcatalog values(_dims) as info where metric_name=AWS/EC2* AND (`itsi_im_metrics_indexes`) earliest=-1200s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \ | search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \ info != "MetricName" AND info != "Period" AND info != "InstanceId"| \ eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search \ | nomv search] where metric_name=AWS/EC2* AND (`itsi_im_metrics_indexes`) earliest=-1200s by "InstanceId" \ | fields dimension.* \ | eval identifier_dimensions="InstanceId" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=InstanceId disabled = 0 [ITSI Import Objects - AWS Cloudwatch ELB] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = LoadBalancerName,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = AvailabilityZone,region action.itsi_import_objects.param.entity_merge_field = LoadBalancerName action.itsi_import_objects.param.entity_title_field = LoadBalancerName action.itsi_import_objects.param.entity_type_field = action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -20m dispatch.latest_time = now enableSched = 1 cron_schedule = */3 * * * * search = | mcatalog values("LoadBalancerName") as "dimension.identifier.LoadBalancerName" \ [ mcatalog values(_dims) as info where metric_name=AWS/ELB* AND (`itsi_im_metrics_indexes`) earliest=-1200s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \ | search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \ info != "MetricName" AND info != "Period" AND info != "LoadBalancerName" \ | eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search| nomv search] where metric_name=AWS/ELB* AND (`itsi_im_metrics_indexes`) \ earliest=-1200s by "LoadBalancerName"| fields dimension.* \ | eval identifier_dimensions="LoadBalancerName" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=LoadBalancerName disabled = 0 [ITSI Import Objects - Kubernetes Node] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = node,itsi_entity_id action.itsi_import_objects.param.entity_informational_fields = cluster_name action.itsi_import_objects.param.entity_merge_field = node action.itsi_import_objects.param.entity_title_field = node action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -10m dispatch.latest_time = now enableSched = 1 cron_schedule = */3 * * * * search = | mcatalog values("node") as "dimension.identifier.node" \ [ mcatalog values(_dims) as info where metric_name=kube.node.* AND (`itsi_entity_type_k8s_node_metrics_indexes`) earliest=-600s \ | append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \ | mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND \ info != "host" AND info != "extracted_source" AND info != "device" AND info != "interface" AND info != "type" AND \ info != "node"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search| nomv search] where metric_name=kube.node.* AND (`itsi_entity_type_k8s_node_metrics_indexes`) \ earliest=-600s by "node"| fields dimension.* \ | eval identifier_dimensions="node" \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="Kubernetes Node"] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=node disabled = 0 [ITSI Import Objects - Kubernetes Pod] action.itsi_import_objects = 1 action.itsi_import_objects.param.entity_identifier_fields = pod-namespace,pod-name,itsi_entity_id,pod-uid action.itsi_import_objects.param.entity_informational_fields = node,cluster_name action.itsi_import_objects.param.entity_merge_field = pod-name action.itsi_import_objects.param.entity_title_field = pod-name action.itsi_import_objects.param.entity_type_field = etype action.itsi_import_objects.param.update_type = upsert dispatch.earliest_time = -10m dispatch.latest_time = now enableSched = 1 cron_schedule = */3 * * * * search = | mcatalog values("pod-name") as "dimension.identifier.pod-name" values("pod-namespace") as \ "dimension.identifier.pod-namespace" [ mcatalog values(_dims) as info where metric_name=kube.pod.* AND \ (`itsi_entity_type_k8s_pod_metrics_indexes`) earliest=-600s| append [ | makeresults | head 1 | eval info="no-data-placeholder" \ | fields - _time]| mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND \ info != "unit" AND info != "host" AND info != "extracted_source" AND info != "pod-name" AND \ info != "pod-namespace"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . 
"\"" \ | fields search| mvcombine search| nomv search] where metric_name=kube.pod.* AND (`itsi_entity_type_k8s_pod_metrics_indexes`) \ earliest=-600s by "pod-name","pod-namespace"| fields dimension.* \ | eval identifier_dimensions="pod-name,pod-namespace" \ | makemv delim="," identifier_dimensions \ | foreach dimension.*[| eval is_identifier=if(match("<>", "identifier"), 1, 0) \ | eval dimension_key=substr("<>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \ | rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id='pod-namespace'."_".'pod-name', etype="Kubernetes Pod" disabled = 0 [Entity Lifecycle Management - Unmark Retirable Search] dispatch.earliest_time = -1d dispatch.latest_time = now enableSched = 1 cron_schedule = 6 0 * * * # A result is required to hit the custom search command search = | setretiredentities clear_retirable=true disabled = 1 [Cleanup Models For Predictive Analytics] action.email.useNSSubject = 1 alert.track = 0 cron_schedule = 0 1 * * * description = Clean up models that is 24 hours old and not saved in any service models. 
display.general.timeRangePicker.show = 0 dispatch.earliest_time = -24h dispatch.latest_time = now enableSched = 1 search = | listmodels\ | rename name AS model_name\ | rex field=model_name "itsi_predict_.*_*[a-zA-Z]*_[a-z0-9]*_(?[0-9]+)[a-z_]*$"\ | search NOT\ [| getservice\ | where isnotnull(algorithms)\ | rex field=algorithms "'modelId': '(?itsi_predict_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-zA-Z]*_[a-f0-9]*_[0-9]*)'" max_match=5\ | fields model_name\ | mvexpand model_name\ | eval a=model_name."_avg", b=model_name."_ss", c=model_name."_worst"\ | eval model_name=a.",".b.",".c\ | fields model_name\ | makemv delim="," model_name\ | mvexpand model_name]\ | appendpipe\ [| search model_name="*kpi*"\ | rex field=model_name "itsi_predict_kpi_[hs]s_(?[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*)"\ | search\ [| getservice\ | where isnotnull(algorithms)\ | rex field=algorithms "'modelId': 'itsi_predict_(?[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*)_[a-zA-Z]*_[a-f0-9]*_[0-9]*'"\ | search sid=*\ | fields sid]\ | fields model_name]\ | sort - model_name\ | eventstats count(model_name) as ct by model_name\ | where ct < 2\ | where ts/1000 < relative_time(now(), "-1d@d")\ | map search="| deletemodel $model_name$" maxsearches=100 [entity_discovery_search_cleaner] description = Cleans up disabled/deleted discovery searches from entities and caches dispatch.earliest_time = -1d dispatch.latest_time = now enableSched = 1 cron_schedule = 13 0 * * * search = | cleanupentitydiscoverysearches disabled = 1