# Copyright (C) 2005-2025 Splunk Inc. All Rights Reserved.
# --- CSV export limits ---
# Upper bounds applied by the CSV export path. Exact units (rows per batch,
# worker count, total rows) are inferred from the names — confirm against the
# exporter that reads them.
EXPORT_CSV_MAX_BATCH_SIZE = 5000
EXPORT_CSV_MAX_WORKERS = 10
EXPORT_CSV_MAX_RESULT_COUNT = 50000

# Event Onboarding (EA Data Integration) constants
# Accepted values for a data-integration connection's method type, input type
# and status respectively.
EA_DATA_INTEGRATION_METHOD_TYPES = ["INDEXED_DATA"]
EA_DATA_INTEGRATION_INPUT_TYPE = ["regex", "composition", "mapping_rule"]
EA_DATA_INTEGRATION_VALID_STATUS = ["active", "inactive"]

# Title prefix for correlation search created for data integration connection
EA_DATA_INTEGRATION_CS_TITLE_PREFIX = "DATA_INTEGRATION_CS-"

# SPL tail for raw-alert searches: derive groupingid (falling back to
# internal_groupingid), expose it as event_identifier_string, then keep one row
# per identifier — the newest, and at equal time the highest severity_id.
# Fragments are joined without a separator; each carries its own trailing space.
EA_DATA_INT_DEDUP_SEARCH_FOR_RAW_ALERT = "".join((
    "| eval groupingid=coalesce(groupingid, internal_groupingid) ",
    "| eval event_identifier_string=groupingid ",
    "| dedup event_identifier_string sortby -_time -severity_id",
))

# SPL tail for notable-event searches: left-join, on event_identifier_string and
# vendor_severity, against the latest identifier fields seen in the event
# management index over the last 59 minutes, then keep only rows for which the
# join found nothing (event_identifier_fields is null).
EA_DATA_INT_DEDUP_SEARCH_FOR_NOTABLE_EVENT = "".join((
    "| join type=left event_identifier_string vendor_severity ",
    "[| tstats latest(_time) as _time latest(event_identifier_fields) "
    "as event_identifier_fields max(severity_id) as severity_id ",
    "where `itsi_event_management_index` earliest=-59m latest=now ",
    "by event_identifier_string, vendor_severity ",
    "| dedup event_identifier_string sortby -_time -severity_id ",
    "| table _time, event_identifier_string, event_identifier_fields, vendor_severity] ",
    "| where isnull(event_identifier_fields)",
))

# Retention search over the ref_url collection: copies _key/event_id/mod_time
# into ref_url_* fields, resolves event_id through itsi_notable_group_system_lookup,
# keeps rows where the lookup produced an is_active value (presumably dropping
# entries whose event no longer exists — confirm), sorts newest first, and
# restores the original field names. Note the deliberate trailing space on the
# final fragment.
REF_URL_RETENTION_SEARCH = "".join((
    "| inputlookup itsi_notable_event_ref_url ",
    "| eval ref_url_key=_key | eval ref_url_event_id=event_id | eval ref_url_mod_time=mod_time ",
    "| lookup itsi_notable_group_system_lookup _key as ref_url_event_id ",
    "| where is_active=1 OR is_active=0 ",
    "| sort 0 -ref_url_mod_time ",
    "| rename ref_url_key as _key | rename ref_url_event_id as event_id | rename ref_url_mod_time as mod_time ",
    "| fields _key, event_id, mod_time ",
))

# Same retention pattern as REF_URL_RETENTION_SEARCH, for the external-ticket
# collection (ticket_* scratch fields; note the spaces around "=" in the evals,
# which are part of the SPL text).
EXTERNAL_TICKET_RETENTION_SEARCH = "".join((
    "| inputlookup itsi_notable_event_external_ticket ",
    "| eval ticket_key = _key | eval ticket_event_id = event_id | eval ticket_mod_time = mod_time ",
    "| lookup itsi_notable_group_system_lookup _key as ticket_event_id ",
    "| where is_active=1 OR is_active=0 ",
    "| sort 0 -ticket_mod_time ",
    "| rename ticket_key as _key | rename ticket_event_id as event_id | rename ticket_mod_time as mod_time ",
    "| fields _key, event_id, mod_time ",
))