# This is an example deep_dive_drilldowns.conf. Use this file to
# configure custom drilldowns.
#
# To use one or more of these configurations, copy the configuration block
# into deep_dive_drilldowns.conf in $SPLUNK_HOME/etc/apps/itsi/local.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
#
# The examples below define four drilldowns: raw events at the selected time
# bucket, raw events from the displayed time range, KPI events for a host,
# and all events for a host.
#
# Layout notes:
# - Each stanza name is the label of one drilldown.
# - Comments sit on their own line; text after a value would become part of
#   the value.
# - A trailing backslash continues a value onto the next line. It must be the
#   last character on the line.
# - $name$ placeholders inside uri are filled in when the drilldown is opened.
#   Which placeholders are handled by replace_tokens/entity_tokens is
#   presumably entity tokens only - confirm against
#   deep_dive_drilldowns.conf.spec.

# Opens the KPI's base search limited to the clicked time bucket
# ($bucket_earliest$ .. $bucket_latest$). No entity token appears in the uri.
[Show raw events at selected time bucket]
type = uri
kpi_lane_enabled = true
entity_level_only = false
uri = /app/itsi/search?q=search $kpi.base_search$&earliest=$bucket_earliest$&latest=$bucket_latest$&display.page.search.mode=smart&dispatch.sample_ratio=1
replace_tokens = false

# Same search as above, but over the whole time range currently displayed
# ($earliest$ .. $latest$) instead of a single bucket.
[Show raw events from displayed time range]
type = uri
kpi_lane_enabled = true
entity_level_only = false
uri = /app/itsi/search?q=search $kpi.base_search$&earliest=$earliest$&latest=$latest$&display.page.search.mode=smart&dispatch.sample_ratio=1
replace_tokens = false

# Narrows the KPI's base search to one entity by appending
# "AND host=$entity.host$". Marked entity_level_only, and entity_tokens names
# the "host" token used in the uri.
#
# NOTE(review): $entity.host$ is placed into the search string unquoted, and
# this file does not show whether ITSI escapes the substituted value. If
# entity host aliases can originate from imported or otherwise untrusted data,
# confirm that a value containing spaces or search syntax cannot change the
# meaning of the resulting query.
#
# entity_activation_rules is a JSON value spread over continuation lines. The
# single rule reads as "alias field host is not the empty string", which
# presumably keeps the drilldown from being offered for entities that have no
# host alias - confirm against the spec.
[Show kpi events for this host]
type = uri
kpi_lane_enabled = true
entity_level_only = true
replace_tokens = true
entity_tokens = host
uri = /app/itsi/search?q=search $kpi.base_search$ AND host=$entity.host$&earliest=$earliest$&latest=$latest$&display.page.search.mode=smart&dispatch.sample_ratio=1
entity_activation_rules = [ \
    { \
        "rule_condition": "AND", \
        "rule_items": [ \
            { \
                "field": "host", \
                "field_type": "alias", \
                "rule_type": "not", \
                "value": "" \
            } \
        ] \
    } \
]

# Searches "index=* host=$entity.host$" over the displayed time range, so it
# is not tied to the KPI's base search.
#
# NOTE(review): index=* is deliberately broad. The result set is bounded only
# by the indexes the user's role is allowed to search, and the search can be
# expensive on large deployments. Consider replacing index=* with the specific
# indexes that hold host data when copying this stanza into local/.
# The unquoted $entity.host$ substitution and the activation rule are the same
# as in [Show kpi events for this host]; the same review points apply here.
[Show ALL events for this host]
type = uri
kpi_lane_enabled = true
entity_level_only = true
replace_tokens = true
entity_tokens = host
uri = /app/itsi/search?q=search index=* host=$entity.host$&earliest=$earliest$&latest=$latest$&display.page.search.mode=smart&dispatch.sample_ratio=1
entity_activation_rules = [ \
    { \
        "rule_condition": "AND", \
        "rule_items": [ \
            { \
                "field": "host", \
                "field_type": "alias", \
                "rule_type": "not", \
                "value": "" \
            } \
        ] \
    } \
]