# Splunk-style .conf settings: [stanza] headers with key = value pairs.
# Multi-line SPL values use a trailing backslash as the line-continuation
# marker, so every comment in this file sits above the key it describes;
# a comment placed between continuation lines would become part of the value.

[similar_episodes]
default_fields = ["title"]

[common_fields]
number_of_fields = 50

[migration]
# Batch size for KV store migration work; presumably records per batch — confirm against the consumer.
kv_store_batch_size = 10000
cluster_manager_check_required = 1
# NOTE(review): units are not stated here — the lookback reads like days and the
# wait time like seconds, but only the code that consumes these can confirm it.
itsi_grouped_alerts_index_lookback = 90
itsi_grouped_alerts_index_search_wait_time = 7200

[precheck]
kv_store_collection_size_limit = 1050000

[tracked_alert]
sort_notable_events = 0

[ingest_service]
notable_events_batch_size = 10000
# Retry policy for the ingest service; retry_interval unit is not given here — confirm.
max_retries = 3
retry_interval = 1

[event_onboarding]
preview_results_limit = 300
preview_results_search_wait_time = 10

[export_csv]
max_batch_size = 5000
# delete_period unit is not given here (days?) — confirm against the export job.
delete_period = 7

[telemetry]
# Each *_query below is an SPL search; most are bounded to the last 24 hours
# (earliest=-24h) and reduce to a single telemetry field via stats/table.
# The `/1440` divisors convert a 24h total into a per-minute rate (24 * 60 = 1440).

# Per-event indexing latency between the two alert indices: the backtick names are
# macros resolving to the index searches; xyseries pivots _indextime per index into
# columns, and only events present in both indices contribute to the average.
latency_query = | search `itsi_grouped_alerts_index` OR `itsi_tracked_alerts_index` earliest=-24h | rename _indextime as it\
| stats earliest(it) as it by index event_id | xyseries event_id index it\
| search itsi_grouped_alerts=* AND itsi_tracked_alerts=* | eval latency=itsi_grouped_alerts-itsi_tracked_alerts\
| fields itsi_tracked_alerts latency | bin itsi_tracked_alerts span=10m\
| stats avg(latency) as eventProcessingLatency

# Reads two rules-engine stanzas from app_common_flags.conf over the local REST
# endpoint and reports how many of them have disabled="0" for the queue mode
# (queueEnabled). No time bound applies — this is a configuration read, not an
# event search. NOTE(review): the rest calls return nothing for an identity that
# cannot read those conf endpoints, which would silently report queueEnabled=0 —
# confirm the identity this telemetry runs under.
queue_enabled_query = | rest splunk_server=local /services/configs/conf-app_common_flags/itsi-rulesengine-adhoc\
| rename disabled as reMode\
| eval reMode = if(reMode == "0", "Adhoc", "RealTime")\
| append [\
| rest splunk_server=local /services/configs/conf-app_common_flags/itsi-rulesengine-queue\
| rename disabled as reMode\
| eval reMode = if(reMode == "0", "Queue", "RealTime")\
]\
| stats count(eval(reMode="Adhoc")) as AdhocCount, count(eval(reMode="RealTime")) as RealTimeCount, count(eval(reMode="Queue")) as QueueCount\
| rename QueueCount as queueEnabled\
| table queueEnabled

# 24h average CPU and memory from NATS varz metrics; mem is converted from bytes to MiB before averaging.
cpu_mem_query = | search index="itsi_nats_metrics" sourcetype="varz" earliest=-24h\
| eval memInMB=round(mem/1024/1024,2)\
| stats avg(cpu) as cpuAverage avg(memInMB) as memAverage

# Backfill rate from NATS jsz metrics: sums consumer num_pending over 24h, then per-minute.
backfill_rate_query = | search index="itsi_nats_metrics" sourcetype="jsz" earliest=-24h\
| spath input=_raw path=account_details{}.stream_detail{}.consumer_detail{}.num_pending output=num_pending\
| stats sum(num_pending) as numPending\
| eval eventsBackfilledPerMinute = numPending/1440\
| table eventsBackfilledPerMinute

# Rules-engine throughput from _internal logs, excluding Preview mode; counts
# "Status=Received PolicyExecutor" log lines over 24h and converts to per-minute.
events_processed_rate_query = | search index="_internal" source="*itsi_rules_engine*" earliest=-24h | search NOT reMode IN ("Preview") EventId Status\
| stats count(eval(searchmatch("Status=Received PolicyExecutor"))) as totalEventsProcessed\
| eval eventsProcessedPerMinute = totalEventsProcessed/1440\
| table eventsProcessedPerMinute

# Messages pushed into NATS over 24h: diffs the monotonically reported stream
# last_seq between consecutive samples (streamstats current=f gives the previous
# value) and clamps negative deltas — e.g. a counter reset — to 0 before summing.
messages_pushed_to_nats_rate_query = | search index="itsi_nats_metrics" sourcetype="jsz" earliest=-24h\
| sort _time\
| spath input=_raw path=account_details{}.stream_detail{}.state.last_seq output=nats_messages_in\
| streamstats current=f last(nats_messages_in) as last_nats_messages_in\
| eval messages_in_data = if(nats_messages_in > last_nats_messages_in, nats_messages_in - last_nats_messages_in, 0)\
| table _time,messages_in_data\
| stats sum(messages_in_data) as messageSum\
| eval eventsIngestedPerMinute = messageSum/1440\
| table eventsIngestedPerMinute

# Start/stop counts for the RealTimeSearch and QueueProcessing rules-engine tasks
# over 24h; the second count(...) line is a continuation of the same stats command.
# NOTE(review): the trailing pipe on the final `table` line looks like a rendering
# artifact rather than part of the value — confirm against the checked-in file.
rules_engine_start_stop_query = | search index="_internal" source="*itsi_rules_engine*" RulesEngineTask reMode earliest=-24h\
| stats count(eval(searchmatch("RulesEngineTask=RealTimeSearch OR RulesEngineTask=QueueProcessing Status=Started"))) AS "rulesEngineStarted"\
count(eval(searchmatch("RulesEngineTask=RealTimeSearch OR RulesEngineTask=QueueProcessing Status=Stopped"))) AS "rulesEngineStopped"\
| table rulesEngineStarted, rulesEngineStopped |