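# This is an example savedsearches.conf. Use this file to configure
# saved searches.
#
# To use one or more of these configurations, copy the configuration block
# into savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
#
# Conventions used in this file:
#   - full-line `#` comments only; Splunk .conf files do not support trailing
#     comments, so text after a value would become part of the value
#   - one `key = value` per line, with a space on each side of `=`
#   - `$result.<field>$` tokens are filled in from the result row that fires
#     the action; a field the search does not produce resolves to empty text.
#     Where such a token is substituted into another search string
#     (drilldown_search_search), treat the field as data, not as SPL: keep it
#     inside double quotes so values containing spaces or operator characters
#     do not change the structure of the generated search.

# Demo stanza: a scheduled search that always returns one row and raises an
# ITSI notable event from it. The search emits only the `demo` field, so the
# `$result.host$` and `$result.sourcetype$` tokens in this stanza are expected
# to resolve to empty text; they are kept to show the parameter layout.
[Test ITSI Reporting Search]
# cron syntax: every five minutes
cron_schedule = */5 * * * *
disabled = False
# search window: the five minutes before each scheduled run
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
search = | stats count | eval demo="Demo Search" | fields - count
# enable the ITSI notable-event action (1 = on)
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = "Host $result.host$ is down"
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not
# owner is a Splunk user name
action.itsi_event_generator.param.owner = admin
# numeric ITSI status and severity codes; see the ITSI documentation for the
# mapping of each number to a label
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.severity = 2
# drilldown: the search offered from the notable event. The host token is
# quoted so the substituted value is matched literally.
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events
action.itsi_event_generator.param.drilldown_search_search = index=_internal host="$result.host$"
# time window for the drilldown search, as offsets relative to the event time
action.itsi_event_generator.param.drilldown_search_latest_offset = 30
action.itsi_event_generator.param.drilldown_search_earliest_offset = -30
# drilldown link: label and app-relative URI
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"

# Demo stanza: reads real events from _internal so `host` and `sourcetype`
# are populated, and raises one notable event per result row.
[Test ITSI Notable Event Search]
# cron syntax: every five minutes
cron_schedule = */5 * * * *
disabled = False
# search window: the five minutes before each scheduled run
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
search = index=_internal | head 4
# 0 = run the action once per result row rather than once per search run
alert.digest_mode = 0
# enable the ITSI notable-event action (1 = on)
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = "Host $result.host$ is down"
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not
# owner is a Splunk user name
action.itsi_event_generator.param.owner = admin
# numeric ITSI status and severity codes; see the ITSI documentation for the
# mapping of each number to a label
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.severity = 2
# drilldown: the search offered from the notable event. The host token is
# quoted, matching the stanza above, so a host value containing spaces or
# SPL operator characters is matched literally instead of altering the search.
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events
action.itsi_event_generator.param.drilldown_search_search = index=_internal host="$result.host$"
# time window for the drilldown search, as offsets relative to the event time
action.itsi_event_generator.param.drilldown_search_latest_offset = 30
action.itsi_event_generator.param.drilldown_search_earliest_offset = -30
# drilldown link: label and app-relative URI
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"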