# KV store collection definitions for ITSI. Each [stanza] declares one collection.
#   field.<name> = <type>                declares the type of a field (types used below: time, string, number, bool).
#   accelerated_fields.<name> = <json>   declares an index over the listed fields; 1 = ascending, -1 = descending.
#
# Security review notes:
#   * This file only declares collections. Read/write permissions for them are not set here.
#     NOTE(review): presumably they come from the app's metadata files - confirm that every
#     collection holding identity data, queued actions, stored permissions or uploaded files
#     is restricted to the roles that need it.
#   * No stanza sets enforceTypes and most stanzas declare no field types at all.
#     NOTE(review): with the default setting a write carrying an unexpected type is presumably
#     not rejected as a whole - confirm against collections.conf.spec for the deployed version,
#     and make sure consumers validate what they read back.
#   * SA-ITOA_files and SA-ITOA_icon_collection (auto-generated area at the end of this file) store
#     files as base64 strings. Base64 is an encoding, not a protection: NOTE(review) confirm that
#     uploaded content is validated before it is stored and before it is rendered.

# Collection for storing services and entities.
[itsi_services]
accelerated_fields.identifying_name_accel = {"identifying_name": 1, "object_type": 1}
accelerated_fields.identifier_values_accel = {"identifier.values": 1, "object_type": 1}
accelerated_fields.title_accel = {"title": 1, "object_type": 1}
accelerated_fields.kpi_id_accel = {"kpis._key": 1, "object_type": 1}
accelerated_fields.entity_type_ids_accel = {"entity_type_ids":1, "object_type": 1}
accelerated_fields._itsi_identifier_lookups_accel = {"_itsi_identifier_lookups": 1, "object_type": 1}
# Index over object_type and sec_grp.
# NOTE(review): sec_grp presumably carries the owning team / security group - confirm that it is
# enforced server-side on every read and write and not only used as a query filter.
accelerated_fields.objtype_secgrp_accel = {"object_type": 1, "sec_grp": 1}

# Collection for drift detection objects
[itsi_drift_detection_template]

# Collection for storing entity types.
[itsi_entity_type]

# Collection for storing service template objects.
[itsi_base_service_template]
accelerated_fields.identifying_name_accel = {"identifying_name": 1}
accelerated_fields.objtype_secgrp_accel = {"object_type": 1, "sec_grp": 1}

# Collection for storing teams.
[itsi_team]
accelerated_fields.identifying_name_accel = {"identifying_name": 1}

# Collection for storing glass tables and deep dives.
[itsi_pages]
accelerated_fields.identifying_name_accel = {"identifying_name": 1}

# Collection for storing service analyzers.
[itsi_service_analyzer]

# Collection for storing ITSI migration data.
[itsi_migration]

# Collection for storing ITSI migration status data.
[itsi_migration_status]

# Collection that acts as a queue to execute the migration.
[itsi_migration_queue]

# Job queue for the ITSI refresher modular input.
[itsi_refresh_queue]
accelerated_fields.create_time_accel = {"create_time": 1}

# Data structures for the ITSI KPI backfill jobs. Used to submit backfill requests from the client.
# Consumed and updated by the backfill job processor modular input.
# NOTE(review): requests are written from the client side and then processed by a modular input;
# confirm that the processor validates each request before acting on it.
[itsi_backfill]

# Temporary storage for KPIs being edited but not yet saved, for use in adaptive thresholding.
[itsi_temporary_storage]

# Collection for storing maintenance calendars and their configurations.
[maintenance_calendar]
# -1 requests a descending index on start_time.
accelerated_fields.start_time_accel = {"start_time": -1}

# No description was given for this collection in the original file.
# NOTE(review): presumably tracks maintenance windows per maintained object - confirm and document.
[operative_maintenance_log]
accelerated_fields.maintenance_object_key_accel = {"maintenance_object_key": 1}

# Collection for storing episode tags and comments.
# Define episode schema tag here.
[itsi_notable_event_tag]
field.create_time = time
field.mod_time = time
field.event_id = string
field.tag_name = string
accelerated_fields.default = {"tag_name": 1}
accelerated_fields.mod_time = {"mod_time": 1}

# Collection for storing internal itsi feature flags
[itsi_features]

#### THIS COLLECTION IS DEPRECATED AS OF 4.4.0
# Collection for storing notable event comments.
# NOTE(review): deprecated but still defined; records left in it (free-text comments and user names)
# stay readable under the collection's existing permissions - confirm whether they can be purged.
[itsi_notable_event_comment]
field.create_time = time
field.mod_time = time
field.event_id = string
field.comment = string
field.user = string
accelerated_fields.mod_time = {"mod_time": 1}

#### THIS COLLECTION IS DEPRECATED AS OF 4.0.0
# Collection for storing notable event state.
[itsi_notable_event_group]
accelerated_fields.mod_time = {"mod_time": 1}

# Collection only used for High Scale EA
# Collection that acts as a queue to execute episode actions from High Scale EA.
# This collection will not have consumer IDs. A process will run to fetch actions from this
# collection, assign consumer IDs to them, and put those actions in itsi_notable_event_actions_queue
# NOTE(review): entries are forwarded for execution, so write access decides who can trigger
# episode actions - confirm that only the enqueueing components can write here.
[itsi_notable_event_actions_queue_tmp]
accelerated_fields.create_time_accel = {"create_time": 1}

# Collection that acts as a queue to execute episode actions from the Rules Engine.
# NOTE(review): same integrity concern as itsi_notable_event_actions_queue_tmp - queued entries are
# executed as actions, so restrict write access and consider auditing inserts.
[itsi_notable_event_actions_queue]
accelerated_fields.create_time_accel = {"create_time": 1}

# Temporary queue to claim batch ID.
[itsi_temp_batch_claimed_action_queue]

#### THIS COLLECTION IS DEPRECATED AS OF 4.0.0
# Collection for storing updates to notable event state.
[itsi_notable_event_state]
accelerated_fields.mod_time = {"mod_time": 1}

# Collection for storing ITSI event management objects.
[itsi_event_management]

# Collection for storing information about external tickets corresponding to ITSI episodes.
# NOTE(review): ticket references point into an external system; confirm that no ticketing
# credentials or tokens are stored alongside them.
[itsi_notable_event_ticketing]
accelerated_fields.mod_time = {"mod_time": 1}
accelerated_fields.event_id = {"event_id": 1}
field.mod_time = time
field.create_time = time

# Collection for storing URL links for episodes.
# NOTE(review): stored URLs are presumably rendered as links in the UI - confirm that the scheme is
# validated before a link is displayed.
[itsi_notable_event_ref_url]
accelerated_fields.mod_time = {"mod_time": 1}
field.mod_time = time

# Collection for storing email templates.
[itsi_notable_event_email_template]

# Job queue for ITSI backup and restore.
[itsi_backup_restore_queue]

# Job queue for summary to metrics index migration.
[itsi_metrics_backfill_queue]

# Collection for storing rules and policies pertaining to notable events and other objects.
[itsi_notable_event_aggregation_policy]

# Collection used to save existing system users. Used by Episode Review.
# Holds a user name and a real name per record (see the two fields below), i.e. personal data.
# NOTE(review): confirm that read access is limited to roles that need it.
[itsi_user_realnames]
field.user = string
field.realname = string

## Collection for storing group templates identified by analysing historical notable events.
[itsi_correlation_engine_group_template]

# Collection for storing entity relationships.
[itsi_entity_relationships]
accelerated_fields.source_pre_accel = {"subject_identifier": 1, "predicate": 1}
accelerated_fields.object_pre_accel = {"object_identifier": 1, "predicate": 1}
accelerated_fields.triple_accel = {"subject_identifier": 1, "object_identifier": 1, "predicate": 1}

# Collection for storing entity relationship rules.
[itsi_entity_relationship_rules]

# Collection for storing entity filter rules to act as a local cache.
[itsi_entity_filter_rules]

# Collection to store entity discovery search's execution information
[itsi_entity_discovery_search]

# Collections for storing the last generated alert values for KPIs. This collection is specifically used when
# "Fill Data Gaps" is set to "Last Available Value" for KPIs. It stores the last generated alert values
# for KPIs and uses the collection to override data gaps (N/A values) with cached alert values in the
# collection. This collection is used at run time in KPI saved searches through KV store lookup.
# The mod_time field must be a time field, as it is needed for the retention policy to work correctly for
# entries in the collection.
# NOTE(review): cached values replace missing KPI results at search time, so whoever can write here
# can influence reported KPI values - confirm that write access is restricted.
[itsi_kpi_summary_cache]
field.mod_time = time

# A collection for storing mutable states of episodes.
[itsi_notable_group_user]
accelerated_fields.mod_time = {"mod_time": 1}
field.mod_time = time

# A collection for storing immutable internal states of episodes.
# NOTE(review): "immutable" is a convention of the writers; nothing in this stanza prevents
# updates - confirm that write access is limited to the system components.
[itsi_notable_group_system]
accelerated_fields.mod_time = {"mod_time": 1}
accelerated_fields.is_active = {"is_active": 1}
field.mod_time = time
field.start_time = time
field.last_time = time
field.is_active = number
field.event_count = number

# A collection for storing KPI severity states.
[itsi_kpi_state_cache]

# A collection for storing any counter across the lifetime of the Rules Engine.
# _key is the name of the counter.
[itsi_counter]
field.value = number

# A collection that takes a snapshot of your current ITSI configuration in .conf files.
# This information is used to enable and disable ITSI.
# NOTE(review): a configuration snapshot may contain sensitive settings, and it is read back when
# ITSI is enabled or disabled - confirm that both read and write access are restricted.
[itsi_configuration_snapshot]

# Collection to store checksums of rows in a recurring bulk import.
# _key is the name of the recurring import
[itsi_import_objects_cache]

# Collection to cache liveness-based status information of non-materialized entity (i.e. the actual
# entity saved into the entity kvstore could be a merge of multiple non-materialized entities) namespaced
# by the bulk import savedsearch that discovers them.
[itsi_bulk_import_entities_status_cache]

## Collection to support the Splunk App for Content Packs UI. Stores information on installed versions of content packs.
[itsi_content_pack_status]

## Collection to support the Splunk App for Content Packs UI. Stores information on saved searches enabled, disabled and total count of content packs.
[itsi_content_pack_saved_search_status]

# Collection for storing content pack authorships
[itsi_content_pack_authorship]
accelerated_fields.identifying_name_accel = {"identifying_name": 1}
accelerated_fields.mod_timestamp_accel = {"mod_timestamp": 1}

## Collection for storing prior read permissions for feature flagged views. These permissions will be used if the views are later enabled
## NOTE(review): the stored permissions are applied again later, so a modified record would change
## who can read a view once it is enabled - confirm that write access is limited to administrators.
[itsi_feature_flagging_view_permissions]

## Collection for storing feature flagging state information.
[itsi_feature_flagging_state]
field.mod_time = time

## Collection for storing itsi_event_grouping flag status.
[itsi_event_grouping_status]
field.itsi_event_grouping_flag_value = bool

## Collection for storing entity management policy and rules
[itsi_entity_management_policies]

## Collection for storing custom threshold window objects
[itsi_custom_threshold_windows]

## Collection for storing upgrade readiness precheck jobs
[itsi_upgrade_readiness_prechecks]

## Collection for storing sandbox objects
[itsi_sandbox]

## Collection for storing sandbox service objects
[itsi_sandbox_service]
accelerated_fields.identifying_name_accel = {"identifying_name": 1, "object_type": 1}
accelerated_fields.identifier_values_accel = {"identifier.values": 1, "object_type": 1}
accelerated_fields.objtype_secgrp_accel = {"object_type": 1, "sec_grp": 1}

## Collection for storing service sandbox sync log objects
[itsi_sandbox_sync_log]

## Collection for storing entity level thresholds
[itsi_entity_thresholds]
accelerated_fields.entity_key_accel = {"entity_key": 1}
accelerated_fields.kpi_id_accel = {"kpi_id": 1}
accelerated_fields.entity_title_accel = {"entity_title": 1}
accelerated_fields.identifying_name_accel = {"identifying_name": 1}
accelerated_fields.objtype_secgrp_accel = {"object_type": 1, "sec_grp": 1}

## Collection for storing KPI AT info
[itsi_kpi_at_info]
## NOTE(review): this acceleration is on _key, which is presumably already the collection's primary
## key - confirm that the extra index is intended.
accelerated_fields.kpi_id_accel ={"_key": 1}
accelerated_fields.adaptive_thresholding_training_window_accel ={"adaptive_thresholding_training_window": 1}

## *************************** End of user-editable area ***************************
## WARNING: lines below till the EOF are auto-generated by build processes. Please don't add any text below this line

## Collection for storing files as base64 encoded strings - shared component
[SA-ITOA_files]

## Collection for storing files as base64 encoded strings - shared component
[SA-ITOA_icon_collection]

## Collection for storing status of deleted retired entities
[itsi_retired_entity_delete_status]

## Collection for storing default data integration templates
[itsi_data_integration_template]

## Collection only used for Data integration
[itsi_data_integration]

## Collection to store the status of the Episode exports
[itsi_event_management_exports]
accelerated_fields.mod_time = {"mod_time": 1}