admingit
/
SH-Deployer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
SH-Deployer/apps/itsi/default/savedsearches.conf

1310 lines
74 KiB
Raw Permalink Blame History

################################
# Health score computation
################################
[service_health_monitor]
action.summary_index = 1
action.summary_index._name = itsi_summary
auto_summarize.dispatch.earliest_time = -45m
cron_schedule = 0-59/1 * * * *
description = Summarizes the health of all services.
dispatch.earliest_time = -45m
enableSched = 1
search = `get_itsi_summary_index` `service_level_max_severity_event_only` | stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid | gethealth | `gettime`
# Metric version of service_health_monitor search. Searches and aggregates against results in metrics index
# NOTE: Cannot use "action.summary_index" to pipe results into itsi_summary_metrics until minimum version of Splunk
# compatibility is 8.x. Instead, use a custom alert_action that wraps the main mcollect macro
[service_health_metrics_monitor]
action.itsi_summary_metrics_collect = 1
cron_schedule = * * * * *
description = Summarizes the health of all services.
dispatch.earliest_time = -45m
enableSched = 1
search = | mstats latest(alert_level) AS alert_level WHERE `get_itsi_summary_metrics_index` AND \
`service_level_max_severity_metric_only` by itsi_kpi_id, itsi_service_id\
| lookup kpi_alert_info_lookup alert_level OUTPUT severity_label AS alert_name | `mark_services_in_maintenance`\
| `join_kpi_info(itsi_kpi_id)` | `reorganize_metrics_healthscore_results` | gethealth | `get_info_time_without_sid`\
| lookup service_kpi_lookup _key AS itsi_service_id OUTPUT sec_grp AS itsi_team_id\
| fields - alert_severity, color, kpi, kpiid, serviceid, severity_label, severity_value\
| rename health_score AS service_health_score | eval is_null_alert_value=if(service_health_score="N/A", 1, 0), \
service_health_score=if(service_health_score="N/A", 0, service_health_score)
[Monitor Critical Services Based on Health Score]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %service_name% is currently in %severity_label% with a value of %severity_value% at %actual_time%
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = `service_health_data` %itsi_service_id%
action.itsi_event_generator.param.drilldown_search_title = %service_name% health
action.itsi_event_generator.param.drilldown_title = Drilldown to %service_name% health score
action.itsi_event_generator.param.drilldown_uri = /app/itsi/service_detail?serviceId=%itsi_service_id%&earliest=rt-24h&latest=rtnow&kpiId=%kpiid%
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 4
action.itsi_event_generator.param.status = 0
action.itsi_event_generator.param.title = %service_name% is in %severity_label% - %severity_value%
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
description = Monitor Critical service in the environment.
disabled = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = `service_health_data` alert_level=6 | rename serviceid as itsi_service_id | rename kpiid as itsi_kpi_id | rename kpi as kpi_name| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title | rename title as service_name | eval actual_time=_time | convert ctime(actual_time) as actual_time
##################################################################################################################################
# Disabled Kpis health score generation. The search populates the summary index with 'disabled' state values for all disabled kpis.
##################################################################################################################################
[disabled_kpis_healthscore_generator]
action.summary_index = 1
action.summary_index._name = itsi_summary
auto_summarize.dispatch.earliest_time = -1m
cron_schedule = */1 * * * *
description = Generates Disabled state values for all disabled KPIs.
dispatch.earliest_time = -1m
enableSched = 1
search = | inputlookup disabled_service_kpi_lookup | rename _key as serviceid title as service_name | eval kpi_info_tmp = mvzip('kpis._key', 'kpis.title', "==@@=="), kpi_info = mvzip(kpi_info_tmp, 'kpis.urgency', "==@@==") | fields kpi_info service_name serviceid enabled | mvexpand kpi_info | rex field=kpi_info "(?<kpiid>.+)==@@==(?<kpi_name>.+)==@@==(?<kpi_urgency>.+)" | fields - kpi_info | where kpi_name!="ServiceHealthScore" | eval search_name="Indicator-Disabled_kpis- ITSI search",entity_key="service_aggregate", entity_title="service_aggregate",is_service_aggregate=1,is_service_max_severity_event="1,0",alert_value="N/A", alert_level=-3, alert_severity="disabled", alert_period=5, alert_color="#CCCCCC", urgency=kpi_urgency, gs_kpi_id=kpiid, gs_service_id=serviceid, itsi_kpi_id=kpiid, indexed_itsi_kpi_id=kpiid, indexed_itsi_service_id=serviceid, is_entity_defined=0, itsi_service_id=serviceid, kpi=kpi_name, color=alert_color, indexed_is_service_aggregate=is_service_aggregate | makemv is_service_max_severity_event delim="," | mvexpand is_service_max_severity_event | Convert num(is_service_max_severity_event) | eval indexed_is_service_max_severity_event=is_service_max_severity_event
[disabled_kpis_healthscore_generator_metrics]
action.itsi_summary_metrics_collect = 1
cron_schedule = */1 * * * *
description = Generates Disabled state values for all disabled KPIs into the metrics summary index.
dispatch.earliest_time = -1m
enableSched = 1
search = | inputlookup disabled_service_kpi_lookup | rename _key as itsi_service_id, sec_grp AS itsi_team_id \
| eval kpi_info_tmp = mvzip('kpis._key', 'kpis.title', "==@@=="), \
kpi_info = mvzip(kpi_info_tmp, 'kpis.urgency', "==@@==") | fields kpi_info, itsi_service_id, itsi_team_id \
| mvexpand kpi_info | rex field=kpi_info "(?<itsi_kpi_id>.+)==@@==(?<kpi_name>.+)==@@==(?<kpi_importance>.+)" \
| where kpi_name!="ServiceHealthScore" \
| eval search_name="Indicator-Disabled_kpis- ITSI search", entity_key="service_aggregate", is_service_aggregate=1, \
is_service_max_severity_event="1,0", is_service_disabled=1, alert_value=0, alert_level=-3, alert_period=5, \
is_entity_defined=0, is_null_alert_value=1, kpi=kpi_name | fields - kpi_info, kpi_name \
| makemv is_service_max_severity_event delim="," \
| mvexpand is_service_max_severity_event | convert num(is_service_max_severity_event)
#######################################################
# Splunk App for Infrastructure Alerts Integration
#######################################################
[Splunk App for Infrastructure Alerts]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %itsiNotableTitle% %metric_name% alert imported from Splunk App for Infrastructure
action.itsi_event_generator.param.drilldown_search_earliest_offset = -480
action.itsi_event_generator.param.drilldown_search_latest_offset = 480
action.itsi_event_generator.param.drilldown_search_search = %itsiDrilldownSearch%
action.itsi_event_generator.param.drilldown_search_title = %itsiNotableTitle% Search
action.itsi_event_generator.param.drilldown_title = %itsiNotableTitle% Analysis in Splunk App for Infrastructure
action.itsi_event_generator.param.drilldown_uri = %itsiDrilldownURI%
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = %itsiSeverity%
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.entity_lookup_field = itsiInstance
action.itsi_event_generator.param.title = %itsiNotableTitle% %metric_name% %state_change%d
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
description = Import alerts from Splunk App for Infrastructure.
disabled = 0
dispatch.earliest_time = -8m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index=infra_alerts AND current_state!=None | rex "entity_id=\"(?<entity_id>.*?)\"," | eval urlencoded_entity_id=entity_id | rex field=urlencoded_entity_id mode=sed "s:=:\\%3D:g" | eval itsiAlert=search_name | eval itsiInstance=entity_title | eval itsiSubInstance=if(isnull(itsiSubInstance), "-", itsiSubInstance) | eval itsiRawStatus=current_state | eval itsiSeverity=case(current_state = "1", 2, current_state="3", 4, current_state = "5", 6, 1=1, 1) | eval itsiDetails = state_change + ": " + identifier_dimensions + " " + metric_name + " current value is " + current_value | eval itsiDrilldownURI=if(isnull(entity_title), "/app/splunk_app_infrastructure/metrics_analysis?" + managed_by_type + "=" + managed_by_id + "&alert_name=" + ss_id + "&aggregation_type=" + aggregation_method + "&tab=ANALYSIS","/app/splunk_app_infrastructure/metrics_analysis?entity=" + urlencoded_entity_id + "&tab=ANALYSIS") | eval itsiDrilldownSearch=if(isnull(entity_title), "index=infra_alerts current_state!=None managed_by_id=" + managed_by_id, "index=infra_alerts current_state!=None search entity_id=" + urlencoded_entity_id) | eval itsiNotableTitle=if(isnull(entity_title), ss_id, entity_title) | eval sec_grp=default_itsi_security_group | `filter_maintenance_entities`
##############################################################
# ITSI Normalized Correlation Search for Normalized Fields
##############################################################
[Normalized Correlation Search]
action.email.format = pdf
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %itsiDetails%
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = itsiInstance="%itsiInstance%" itsiAlert="%itsiAlert%"
action.itsi_event_generator.param.drilldown_search_title = Show Alerts
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = %itsiSeverity%
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.entity_lookup_field = tmp_entity
action.itsi_event_generator.param.title = %itsiAlert% - %itsiInstance% (%itsiSubInstance%) is %itsiRawStatus%
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
description = Correlation search on ITSI normalized fields
disabled = 1
dispatch.earliest_time = -1m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = itsiInstance=* itsiAlert=* itsiSeverity=* | eval itsiSubInstance=if(isnull(itsiSubInstance), "-", itsiSubInstance) | eval itsiDetails = if(isnull(itsiDetails), "no details", itsiDetails) | eval itsiRawStatus = if(isnull(itsiRawStatus), "unknown", itsiRawStatus) | sort itsiInstance itsiSubInstance itsiAlert -_time itsiSeverity | dedup consecutive=true itsiInstance itsiSubInstance itsiAlert itsiSeverity | eval tmp_entity=itsiInstance | `apply_entity_lookup(tmp_entity)`
[SNMP Traps]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.description = %node%:%Description%
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.drilldown_search_search = index=snmptrapd
action.itsi_event_generator.param.drilldown_search_title = Node details
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = %node%:%Description%
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = @m
enableSched = 1
quantity = 0
relation = greater than
search = index=snmptrapd
###############################################################
# ITSI Bidirectional Ticketing Correlation Search
###############################################################
[Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_bidirectional_ticketing(main,90,itsi_tracked_alerts)`
###############################################################
# BMC Remedy Bidirectional Ticketing Correlation Search
###############################################################
[BMC Remedy Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_bmc_bidirectional_ticketing(main,90,itsi_tracked_alerts)`
###############################################################
# ITSI Jira Bidirectional Ticketing Correlation Search
###############################################################
[Jira Bidirectional Ticketing]
action.email.format = pdf
action.email.includeEntities = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.drilldown_search_earliest_offset = -300
action.itsi_event_generator.param.drilldown_search_latest_offset = 300
action.itsi_event_generator.param.editor = advance_correlation_builder_editor
action.itsi_event_generator.param.meta_data = {}
action.itsi_event_generator.param.owner = unassigned
action.itsi_event_generator.param.search_type = basic
action.itsi_event_generator.param.severity = 1
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.title = Ticket Event
alert.suppress = 0
alert.track = 0
disabled = 1
counttype = number of events
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = | `itsi_jira_bidirectional_ticketing(main,90,itsi_tracked_alerts)`
#######################
# Drift Detection
#######################
[itsi_kpi_drift_detection]
disabled = 0
cron_schedule = 0 2 * * 6
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
search = | batchdetectdrift
###############################################################
# ITSI High Scale EA backfill Correlation Search
###############################################################
[High Scale EA Backfill]
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = %source%
action.itsi_event_generator.param.search_type = basic
disabled = 1
cron_schedule = */1 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
enableSched = 1
search = `high_scale_ea_backfill(60)`
#######################################################
# ITSI Telemetry
#######################################################
# This search gives the count of knowledge objects:
# From itoa_interface
# - teams including Global team
# - entities
# - services
# - total count
# - count of services linked to a service template
# - count of services not in the global team
# - count of services dependencies
# - KPIs
# - KPIs total count
# - KPIs using ad-hoc searches count
# - KPIs using shared base searches count
# - KPIs using data model count
# - KPIs using metrics count
# - KPIs calculation window usage
# - calculation window 1 minute (count of KPIs)
# - calculation window 5 minutes (count of KPIs)
# - calculation window 15 minutes (count of KPIs)
# - service templates
# - KPI base searches including the pre-package KPI base searches from the ITSI modules
# - deep dives (total count, count of private, count of shared in app)
# - glass tables (total count, count of private, count of shared in app)
# - home views (service analyzer) including the default Service Analyzer (total count, count of private, count of shared in app)
# - KPI templates
# - KPI threshold templates including the pre-package KPI threshold templates from the ITSI modules
# - event management states (total count, count of private, count of shared in app)
# - entity types
# - entity management policies
# - entity management rules
# - content packs
# - custom threshold windows
# - authored content packs
# From event_management_interface
# - correlation searches
# - notable event aggregation policy including the default NEAP
# From maintenance_services_interface
# - maintenance windows
[Audit - Knowledge Objects Counts]
action.email.sendresults = 0
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.knowledgeObjectsCounts
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
alert.track = false
counttype = number of events
relation = greater than
quantity = 0
cron_schedule = 0 0 * * *
description = Sends anonymous usage statistics about number of knowledge objects.
disabled = 0
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
request.ui_dispatch_app = ITSI
schedule_window = auto
search = | rest /servicesNS/nobody/-/itoa_interface/service/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.services.totalCount\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entities.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_type/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityTypes.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_management_policies/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityManagementPolicies.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/entity_management_rules/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.entityManagementRules.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/custom_threshold_windows/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.customThresholdWindows.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/team/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.teams.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/base_service_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.serviceTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_base_search/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiBaseSearches.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/deep_dive/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.deepDives.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/deep_dive report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.deepDives.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.deepDives.privateCount]\
| append [| rest /servicesNS/nobody/-/itoa_interface/content_pack/status | spath input=value output=event "{}"\
| mvexpand event| spath input=event output=key "_key"\
| table key | eval key=if(match(key, "DA-ITSI-CP-CUST-*"), "DA-ITSI-CP-CUST-".sha256(key), key) \
| eval data.knowledgeObjects.contentPacks.{key}=1 | where 'key'!=""\
| appendpipe [ | stats count as data.knowledgeObjects.contentPacks.totalCount] | fields - key]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/glass_table/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.glassTables.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/glass_table report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.glassTables.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.glassTables.privateCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/home_view/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.homeViews.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/home_view report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.homeViews.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.homeViews.privateCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/kpi_threshold_template/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.kpiThresholdTemplates.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/event_management_state/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.eventManagementStates.totalCount]\
| append[ | rest /servicesNS/nobody/-/itoa_interface/event_management_state report_as=text fields="acl.sharing,_key"\
| spath input=value | rename {}.acl.sharing as sharing | rename {}._key as key | mvexpand sharing\
| stats count(eval(sharing = "app")) as data.knowledgeObjects.eventManagementStates.publicCount,\
count(eval(sharing = "user")) as data.knowledgeObjects.eventManagementStates.privateCount]\
| append [ | rest /servicesNS/nobody/-/event_management_interface/correlation_search/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.correlationSearches.totalCount]\
| append [ | rest /servicesNS/nobody/-/event_management_interface/notable_event_aggregation_policy/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.notableEventAggregationPolicies.totalCount]\
| append [ | rest /servicesNS/nobody/-/maintenance_services_interface/maintenance_calendar/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.maintenanceWindows.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/content_pack_authorship/content_pack/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.authoredContentPacks.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/sandbox_service/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.sandboxServices.totalCount]\
| append [ | rest /servicesNS/nobody/-/itoa_interface/sandbox/count report_as=text\
| spath input=value | table count | rename count as data.knowledgeObjects.sandboxes.totalCount]\
| append [ | savedsearch service_level_telemetry\
| eval sltp = if(base_template_id = "", 0, 1)\
| eval snig = if(sec_grp = "default_itsi_security_group", 0, 1) | addcoltotals | tail 1\
| table total_kpis, adhoc_count, sbs_count, dm_count, metric_count, depend_service, sltp, snig\
| rename sltp as data.knowledgeObjects.services.servicesLinkedToATemplate\
| rename snig as data.knowledgeObjects.services.servicesNotInGlobal\
| rename total_kpis as data.knowledgeObjects.services.kpis.totalCount\
| rename dm_count as data.knowledgeObjects.services.kpis.dataModelCount\
| rename sbs_count as data.knowledgeObjects.services.kpis.sharedBaseSearchCount\
| rename adhoc_count as data.knowledgeObjects.services.kpis.adhocCount\
| rename metric_count as data.knowledgeObjects.services.kpis.metricsCount\
| rename depend_service as data.knowledgeObjects.services.dependServicesCount ]\
| stats first(*) as * | fillnull | makejson version(string),data.* output=event | table event
[Telemetry: Custom Threshold Windows]
search = | savedsearch custom_threshold_windows_telemetry \
| rename cron_schedule as data.cron_schedule \
| rename duration as data.duration \
| rename linked_kpis_count as data.linked_kpis_count \
| makejson version(string),data.* output=event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.customThresholdWindows
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 1 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Performance metrics]
search = index=_internal sourcetype=itsi_internal_log tid transaction_time \
| table method, transaction_time, metric_info* \
| eval params_summary = "" \
| foreach metric_info_* \
[ eval "<<FIELD>>"=coalesce('<<FIELD>>', "NULL") \
| eval params_summary=params_summary.if(<<FIELD>>=="NULL", "", "<<MATCHSTR>>"."=".<<FIELD>>.";")] \
| eval params_summary=rtrim(params_summary, ";") \
| stats sum(transaction_time) as data.cumulativeTime, avg(transaction_time) as data.averageTime, median(transaction_time) as data.medianTime, perc90(transaction_time) as data.p90Time, count as data.numberOfTransactions by method, params_summary \
| eval params_split=split(params_summary, ";") \
| mvexpand params_split \
| rex field=params_split "(?<key>.*)=(?<value>.*)" \
| eval data.{key}=value \
| fields - key, value \
| stats values(*) as * by method, params_summary \
| rename method as data.method \
| makejson data.* output=event \
| eval event=replace(event,"\"\S+?\": \"\",", "") \
| eval event=replace(event,", *\"\S+?\": \"\"}", "}")
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.performanceMetrics
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 1 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Content Packs]
search = | rest splunk_server=local /servicesNS/nobody/-/itoa_interface/content_pack/status | spath input=value output=event "{}"\
| mvexpand event\
| spath input=event output=data.contentPacks._key "_key"\
| spath input=event output=data.contentPacks.installed_versions "installed_versions{}"\
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.contentPacks
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Entity Normalization Generate Results]
search = | inputlookup itsi_duplicate_entities_job_queue \
| search mod_source="user_generated" OR mod_source="search_command" \
| search status != "NEW" OR status != "IN_PROGRESS" \
| eval processing_time_in_minutes = if(isnull(complete_timestamp) OR isnull(create_time), -1, \
(tonumber(complete_timestamp) - tonumber(create_time)) / 60) \
| rename * as data.* \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityNormalizationGeneration
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 0 3 * * *
dispatch.earliest_time = -1d
[Telemetry: AT Usage]
search = | rest /servicesNS/nobody/-/at_usage_data report_as=text | rename value as event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.ATUsage
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Event Onboarding Usage]
search = | rest /servicesNS/nobody/-/event_management_interface/telemetry/event_onboarding | rename value as event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.EAEventOnboarding
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Nats Usage]
search = | rest /servicesNS/nobody/-/event_management_interface/telemetry/nats | rename value as event | table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.EANats
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 5 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Count of entities by entity type]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,entity_type_ids" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=entities "content{}" \
| table entities \
| mvexpand entities \
| spath input=entities output=title path="title" \
| spath input=entities output=entity_type_ids path="entity_type_ids{}" \
| fillnull value="None" entity_type_ids \
| stats count by entity_type_ids \
| eval entity_type_ids=case( \
[ rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_type report_as=text fields="_key,_is_from_conf" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=entity_type "content{}" \
| mvexpand entity_type \
| spath input=entity_type output=entity_type_ids "_key" \
| spath input=entity_type output=is_from_conf "_is_from_conf" \
| search is_from_conf=1 \
| table entity_type_ids], entity_type_ids, entity_type_ids="None", entity_type_ids, true(), sha256(entity_type_ids)) \
| rename entity_type_ids as data.entityTypeIds, count as data.countOfAssociatedEntities \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityTypes
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 2 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Entity Lifecycle Management]
search = | rest /servicesNS/nobody/-/itoa_interface/entity report_as=text \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=retired path="content{}.retired" \
| spath input=value output=retirable path="content{}.retirable" \
| fillnull value=0 retirable, retired \
| stats sum(retirable) as retirable, sum(retired) as retired \
| eval count_of_entities = retired + retirable \
| rename retirable AS data.countOfRetirableEntities, retired AS data.countOfRetiredEntities, \
count_of_entities AS data.countOfEntitiesUnderManagement \
| append \
[| rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_management_policies report_as=text \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=entity_type_ids path="content{}.entity_type_ids{}" \
| spath input=value output=disabled path="content{}.disabled" \
| spath input=value output=key path="content{}._key" \
| spath input=value output=period path="content{}.entity_retire_period" \
| spath input=value output=schedule path="content{}.entity_retire_schedule" \
| spath input=value output=autoretire path="content{}.auto_retire" \
| fillnull \
| stats sum(disabled) as count_of_disabled_policies, count(key) as count_of_policies, \
sum(autoretire) as count_of_autoretire_policies, \
dc(entity_type_ids) as count_of_entity_types, list(schedule) AS schedule, list(period) AS period \
| eval policy_schedule=mvzip(period, schedule) \
| mvexpand policy_schedule \
| eval policy_schedule=split(policy_schedule, ",") \
| eval period=mvindex(policy_schedule,0), schedule=mvindex(policy_schedule,1), \
duration=if(schedule=="days", period * 24, period) \
| stats last(count_of_disabled_policies) as count_of_disabled_policies, \
last(count_of_policies) as count_of_policies, \
last(count_of_autoretire_policies) as count_of_autoretire_policies, \
last(count_of_entity_types) as count_of_entity_types, \
avg(duration) AS avg_policy_lookback \
| fillnull value=0 count_of_disabled_policies, count_of_policies, count_of_autoretire_policies, \
count_of_entity_types, avg_policy_lookback \
| eval count_of_enabled_policies=count_of_policies-count_of_disabled_policies \
| fields - count_of_policies \
| rename count_of_entity_types AS data.countOfEntityTypesUnderManagement, \
count_of_enabled_policies AS data.countOfEnabledEntityManagementPolicies, \
count_of_autoretire_policies AS data.countOfAutoRetireEntityManagementPolicies, \
count_of_disabled_policies AS data.countOfDisabledEntityManagementPolicies, \
avg_policy_lookback AS data.avgPolicyLookbackPeriod ] \
| stats first(*) as * \
| fillnull \
| makejson version(string),data.* output=event \
| table event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityLifecycleManagement
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 2 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Entity type-to-entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,entity_type_ids" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=title path="content{}.title" \
| spath input=value output=entity_type_ids path="content{}.entity_type_ids{}" \
| stats count(title) as number_of_entities, dc(entity_type_ids) as number_of_entity_types \
| eval data.entityTypeToEntityRatio=number_of_entity_types/number_of_entities \
| rename number_of_entities as data.numberOfEntities, number_of_entity_types as data.numberOfEntityTypes \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityTypeToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Service-to-entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,services" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=title path="content{}.title" \
| spath input=value output=services path="content{}.services{}" \
| stats dc(services) as number_of_services, count(title) as number_of_entities \
| eval data.serviceToEntityRatio=number_of_services/number_of_entities \
| rename number_of_entities as data.numberOfEntities, number_of_services as data.numberOfServices \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.serviceToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
dispatch.earliest_time = -1d
[Telemetry: KPI-to-entity ratio]
search = | inputlookup itsi_entity_filter_rules_lookup where entity_info.alias_value=* \
| mvexpand entity_info.alias_value \
| fillnull kpi_id \
| stats count(entity_info.alias_value) as number_of_entities by kpi_id \
| stats count(kpi_id) as number_of_kpis, sum(number_of_entities) as number_of_entities \
| eval number_of_kpis=number_of_kpis - 1 \
| eval data.kpiToEntityRatio=number_of_kpis/number_of_entities \
| rename number_of_kpis as data.numberOfKpis, number_of_entities as data.numberOfEntities \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.kpiToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 3 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Shared base search-to-entity ratio]
search = | inputlookup itsi_entity_filter_rules_lookup where entity_info.alias_value=* \
| mvexpand entity_info.alias_value \
| fillnull base_search_id \
| stats count(entity_info.alias_value) as number_of_entities by base_search_id \
| stats count(base_search_id) as number_of_base_searches, sum(number_of_entities) as number_of_entities \
| eval base_search_id=base_search_id - 1 \
| eval data.sharedBaseSearchToEntityRatio=number_of_base_searches/number_of_entities \
| rename number_of_base_searches as data.numberOfSharedBaseSearches, number_of_entities as data.numberOfEntities \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.sharedBaseSearchToEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Service-associated entity-to-service-unassociated entity ratio]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text fields="title,services" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=entities path="content{}" \
| table entities \
| mvexpand entities \
| spath input=entities output=services path="services{}" \
| nomv services \
| fillnull value="{}" services \
| stats dc(entities) as number_of_entities by services \
| eval is_service_associated=if(services == "{}", 0, number_of_entities) \
| eval is_service_unassociated=if(services == "{}", number_of_entities, 0) \
| stats sum(is_service_associated) as service_associated_entities, sum(is_service_unassociated) as service_unassociated_entities \
| eval data.serviceAssociatedEntityToServiceUnassociatedEntityRatio=service_associated_entities/service_unassociated_entities \
| rename service_associated_entities as data.numberOfServiceAssociatedEntities, service_unassociated_entities as data.numberOfServiceUnassociatedEntities \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.serviceAssociatedEntityToServiceUnassociatedEntityRatio
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Roles by user]
search = | rest splunk_server=local /services/authentication/users \
| table title, roles \
| eval \
[| rest splunk_server=local /servicesNS/nobody/splunk_instrumentation/telemetry \
| table telemetrySalt \
| format \
| rex field=search mode=sed "s/[()]//g"] \
| eval data.user=sha256(telemetrySalt + title) \
| mvexpand roles \
| eval roles=case(in(roles, "admin", "sc_admin", "power", "user", "itoa_admin", "itoa_team_admin", "itoa_analyst", \
"itoa_user"), roles, true(), sha256(telemetrySalt + roles)) \
| mvcombine roles \
| eval combined_roles=mvjoin(roles, ";") \
| stats dc(data.user) as num_of_users by combined_roles \
| eval roles=split(combined_roles, ";") \
| rename roles as data.roles, num_of_users as data.numOfUsers \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.rolesByUser
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 */7 * *
dispatch.earliest_time = -1d
[Telemetry: Vital metrics by entity type]
search = | rest /servicesNS/nobody/SA-ITOA/itoa_interface/entity_type report_as=text fields="_key,_is_from_conf,vital_metrics" \
| eval value=trim(replace(value, "\n", "")) \
| eval value="{\"content\":".value."}" \
| spath input=value output=entity_type_data "content{}" \
| mvexpand entity_type_data \
| spath input=entity_type_data output=vital_metrics "vital_metrics{}.metric_name" \
| spath input=entity_type_data output=is_from_conf "_is_from_conf" \
| spath input=entity_type_data output=entity_type "_key" \
| table entity_type, is_from_conf, vital_metrics \
| eval entity_type=case(is_from_conf==1, entity_type, true(), sha256(entity_type)) \
| eval vital_metrics_count=mvcount(vital_metrics) \
| rename entity_type as data.entityType, vital_metrics_count as data.vitalMetricsCount \
| makejson data.* output=event
enableSched=1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.vitalMetricsByEntityType
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 4 3 */7 * *
dispatch.earliest_time = -1d
[Telemetry: Calculation Window Usage]
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.calculationWindowUsage
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 10 3 * * *
dispatch.earliest_time = -1d
search = | inputlookup calculation_window_telemetry_lookup \
| eval zipped = mvzip('kpis.title', 'kpis.search_alert_earliest' , "==@@==") \
| fields - kpis.title, kpis.search_alert_earliest \
| mvexpand zipped \
| eval x = split(zipped,"==@@==") \
| eval kpi_title = mvindex(x, 0) \
| eval calculation_window_value = mvindex(x, 1) \
| fields - x, zipped \
| where kpi_title!="ServiceHealthScore" \
| stats count by calculation_window_value \
| eval windowType = if(calculation_window_value == 1 or calculation_window_value == 5 or calculation_window_value == 15 or calculation_window_value == 1440, "predefinedWindow", "customWindow") \
| eval group = json_object("calculationWindowValue", calculation_window_value, "count", count) \
| stats list(group) as group, sum(count) as total by windowType \
| eval group = mv_to_json_array(group, true()) \
| stats list(group) as group, list(windowType) as windowType, list(total) as total \
| eval event = json_object("data", json_object(mvindex(windowType,0), json_object("calculationWindowValueCount", json_array(), "totalCount", mvindex(total, 0)), mvindex(windowType,1), json_object("calculationWindowValueCount", json_array(), "totalCount", mvindex(total, 1)))) \
| eval event = json_extend(event, "data.customWindow.calculationWindowValueCount", mvindex(group, 0)) \
| eval event = json_extend(event, "data.predefinedWindow.calculationWindowValueCount", mvindex(group, if(mvindex(windowType, 0) == "predefinedWindow", 0, 1 ))) \
| table event
[Telemetry: Sandbox Services]
search = index=_internal source="*itsi_command_itsi_import_objects.log" "Sandbox service bulk import report" \
| rex field=_raw "services: (?<bulk_import_tmp>\d*)" \
| table bulk_import_tmp \
| append \
[ search index=_internal source="*itsi_appserver.log" "Successfully added service" \
| eval ad-hoc_individual_service=if(isnull(base_service_template_id),1, 0) \
| eval template_individual_service=if(not isnull(base_service_template_id),1, 0) \
| table ad-hoc_individual_service, template_individual_service] \
| stats sum(bulk_import_tmp) as data.bulk_import_services, sum(ad-hoc_individual_service) as data.ad-hoc_individual_services, \
sum(template_individual_service) as data.template_individual_services \
| makejson data.* output=event
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.sandboxServiceCreation
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 11 3 * * *
dispatch.earliest_time = -1d
[Telemetry: Entity Discovery Search Cleanup Command]
search = index=_internal sourcetype=itsi_internal_log "itsi_entity_discovery_search_cleaner" \
| rex "'tid': '(?<tid>.*)', '_raw'" \
| rex "Total entities processed so far: (?<cleaned_entities>.*)" \
| rex "'log_level': '(?<errors>.*)', '" \
| eval has_error=if(like(errors, "%ERROR%" ), 1, 0) \
| stats values(cleaned_entities) AS cleaned_entities sum(has_error) AS has_error values(host) AS host \
values(roles_for_current_user) AS roles_for_current_user by tid \
| append [search index=_internal sourcetype=itsi_internal_log "itsi_entity_discovery_search_cleaner" \
method=CleanEntityDiscoverySearches.generate AND NOT isnull(end_time) | eval start_time_int=tonumber(start_time) \
| eval end_time_int=tonumber(end_time) | table tid, start_time_int, end_time_int] \
| stats values(*) as * by tid \
| fillnull cleaned_entities value=0 \
| rename * as data.* \
| makejson data.* output=event
enableSched = 1
action.outputtelemetry = 1
action.outputtelemetry.param.anonymous = 1
action.outputtelemetry.param.support = 1
action.outputtelemetry.param.license = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component = app.ITSI.entityDiscoverySearchCleanupCommand
action.outputtelemetry.param.input = event
action.outputtelemetry.param.type = aggregate
cron_schedule = 0 2 * * *
dispatch.earliest_time = -1d
###############################################################
# ITSI Import Entity
###############################################################
[ITSI Import Objects - VMware Datastore]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = pool_name,entity_type, moid,vcenter
action.itsi_import_objects.param.entity_merge_field = itsi_entity_id
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values(name) as name, values(pool_name) as pool_name, values(entity_type) as entity_type \
where `itsi_entity_type_vmware_datastore_metrics_indexes` AND metric_name=vsphere.datastore* by moid, vcenter \
| eval etype="VMware Datastore" , itsi_entity_id=moid."_".vcenter
disabled = 0
###############################################################
# ITSI - workaround for entity type with multiple alias
###############################################################
[ITSI Import Objects - VMWare Cluster]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = entity_type,pool_name,moid,vcenter
action.itsi_import_objects.param.entity_merge_field = itsi_entity_id
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values(entity_type) as entity_type, values(name) as name, values(pool_name) as pool_name \
where `itsi_entity_type_vmware_cluster_metrics_indexes` AND metric_name=vsphere.cluster* by moid, vcenter \
| eval etype="VMware Cluster" , itsi_entity_id=moid."_".vcenter
disabled = 0
[ITSI Import Objects - VMware VM]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = itsi_entity_id,uuid
action.itsi_import_objects.param.entity_informational_fields = cluster,cluster_name,datastore,hypervisor,hypervisor_name,ip,os,pool_name,resourcepool,moid,vcenter
action.itsi_import_objects.param.entity_merge_field = uuid
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
action.itsi_import_objects.param.entity_merge_fqdn = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values("uuid") as "dimension.identifier.uuid" [ mcatalog values(_dims) as info \
where metric_name=vsphere.vm.* AND (`itsi_entity_type_vmware_vm_metrics_indexes`) earliest=-300s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
| mvexpand info| search info != "instance" AND info != "unit" AND info != "vmware_metric_aggregation" AND \
info != "host" AND info != "uuid" \
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=vsphere.vm.* AND (`itsi_entity_type_vmware_vm_metrics_indexes`) \
earliest=-300s by "uuid"| fields dimension.* \
| eval identifier_dimensions="uuid" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware VM"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter
disabled = 0
[ITSI Import Objects - VMware vCenter]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = vcenter,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = moid,pool_name,instance
action.itsi_import_objects.param.entity_merge_field = vcenter
action.itsi_import_objects.param.entity_title_field = vcenter
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
search = | mcatalog values("vcenter") as "dimension.identifier.vcenter" [ mcatalog values(_dims) as info \
where metric_name=vsphere.vc.* AND (`itsi_entity_type_vmware_vcenter_metrics_indexes`) earliest=-3600s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
| mvexpand info| search info != "unit" AND info != "host" AND info != "vcenter" AND info != "vmware_metric_aggregation"\
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\""| fields search| \
mvcombine search| nomv search] where metric_name=vsphere.vc.* AND (`itsi_entity_type_vmware_vcenter_metrics_indexes`) earliest=-3600s by "vcenter" \
| fields dimension.* \
| eval identifier_dimensions="vcenter" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware vCenter"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter
disabled = 0
[ITSI Import Objects - VMware Host]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = name,itsi_entity_id,uuid
action.itsi_import_objects.param.entity_informational_fields = moid,cluster,cluster_name,datastore,os,os_version,pool_name,vcenter
action.itsi_import_objects.param.entity_merge_field = uuid
action.itsi_import_objects.param.entity_title_field = name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -4m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */2 * * * *
search = | mcatalog values("uuid") as "dimension.identifier.uuid" [ mcatalog values(_dims) as info \
where metric_name=vsphere.esxihost.* AND (`itsi_entity_type_vmware_esxihost_metrics_indexes`) earliest=-240s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
| mvexpand info| search info != "instance" AND info != "unit" AND info != "vmware_metric_aggregation" AND \
info != "host" AND info != "uuid" \
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search \
| nomv search] where metric_name=vsphere.esxihost.* AND (`itsi_entity_type_vmware_esxihost_metrics_indexes`) earliest=-240s by "uuid" \
| fields dimension.* \
| eval identifier_dimensions="uuid" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="VMware ESXi Host"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=moid."_".vcenter
disabled = 0
[ITSI Import Objects - TA *Nix]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = location,os,server,tag,ip,ipv6
action.itsi_import_objects.param.entity_merge_field = host
action.itsi_import_objects.param.entity_title_field = host
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -90s
dispatch.latest_time = now
enableSched = 1
cron_schedule = * * * * *
search = | mcatalog values("host") as "dimension.identifier.host" \
[ mcatalog values(_dims) as info where metric_name=*_metric.* AND (`itsi_entity_type_ta_nix_metrics_indexes`) earliest=-90s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \
| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "extracted_host" AND \
info != "COMMAND" AND info != "CPU" AND info != "Device" AND info != "Filesystem" AND info != "MountedOn" AND \
info != "Name" AND info != "PID" AND info != "Type" AND info != "USER" AND info != "ARGS" AND info != "Duplex" AND \
info != "MAC" AND info != "Speed" AND info != "inet6Addr" AND info != "inetAddr" AND info != "RXdropped" AND \
info != "TXdropped" AND info != "host"| \
eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\""| fields search| \
mvcombine search| nomv search] where metric_name=*_metric.* AND (`itsi_entity_type_ta_nix_metrics_indexes`) earliest=-90s by "host" \
| fields dimension.* \
| eval identifier_dimensions="host" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host, etype="Unix/Linux Add-on", ip=IP_address, ipv6=IPv6_address
disabled = 0
[ITSI Import Objects - Perfmon]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = os,ip,ipv6,os_version
action.itsi_import_objects.param.entity_merge_field = host
action.itsi_import_objects.param.entity_title_field = host
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -90s
dispatch.latest_time = now
enableSched = 1
cron_schedule = * * * * *
search = | mcatalog values("host") as "dimension.identifier.host" \
[ mcatalog values(_dims) as info where metric_name=Processor.* OR metric_name=processor.* AND (`itsi_entity_type_windows_metrics_indexes`) \
earliest=-90s| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info| \
search info != "punct" AND info != "val" AND info != "metric_type" AND info != "instance" AND \
info != "extracted_host" AND info != "cpu" AND info != "disk" AND info != "collection" AND info != "object" AND \
info != "host"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=Processor.* OR metric_name=processor.* AND \
(`itsi_entity_type_windows_metrics_indexes`) earliest=-90s by "host"| fields dimension.* \
| eval identifier_dimensions="host" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="Windows"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host
disabled = 0
[ITSI Import Objects - OS]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = host,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = ip,kernel_version,os,os_version,ipv6
action.itsi_import_objects.param.entity_merge_field = host
action.itsi_import_objects.param.entity_title_field = host
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -90s
dispatch.latest_time = now
enableSched = 1
cron_schedule = * * * * *
search = | mcatalog values("host") as "dimension.identifier.host" \
[ mcatalog values(_dims) as info where metric_name=cpu.* AND (`itsi_entity_type_nix_metrics_indexes`) earliest=-90s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
| mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND \
info != "cpu" AND info != "extracted_host" AND info != "host" \
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\""| fields search \
| mvcombine search| nomv search] where metric_name=cpu.* AND (`itsi_entity_type_nix_metrics_indexes`) earliest=-90s by "host" \
| fields dimension.* \
| eval identifier_dimensions="host" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="*nix"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=host
disabled = 0
[ITSI Import Objects - AWS Cloudwatch EBS]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = VolumeId,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = region
action.itsi_import_objects.param.entity_merge_field = VolumeId
action.itsi_import_objects.param.entity_title_field = VolumeId
action.itsi_import_objects.param.entity_type_field =
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */3 * * * *
search = | mcatalog values("VolumeId") as "dimension.identifier.VolumeId" \
[ mcatalog values(_dims) as info where metric_name=AWS/EBS* AND (`itsi_im_metrics_indexes`) earliest=-1200s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \
| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \
info != "MetricName" AND info != "Period" AND info != "VolumeId" \
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=AWS/EBS* AND \
(`itsi_im_metrics_indexes`) earliest=-1200s by "VolumeId"| fields dimension.* \
| eval identifier_dimensions="VolumeId" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=VolumeId
disabled = 0
[ITSI Import Objects - AWS Cloudwatch EC2]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = InstanceId,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = entity_class,region
action.itsi_import_objects.param.entity_merge_field = InstanceId
action.itsi_import_objects.param.entity_title_field = InstanceId
action.itsi_import_objects.param.entity_type_field =
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */3 * * * *
search = | mcatalog values("InstanceId") as "dimension.identifier.InstanceId" \
[ mcatalog values(_dims) as info where metric_name=AWS/EC2* AND (`itsi_im_metrics_indexes`) earliest=-1200s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \
| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \
info != "MetricName" AND info != "Period" AND info != "InstanceId"| \
eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search \
| nomv search] where metric_name=AWS/EC2* AND (`itsi_im_metrics_indexes`) earliest=-1200s by "InstanceId" \
| fields dimension.* \
| eval identifier_dimensions="InstanceId" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=InstanceId
disabled = 0
[ITSI Import Objects - AWS Cloudwatch ELB]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = LoadBalancerName,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = AvailabilityZone,region
action.itsi_import_objects.param.entity_merge_field = LoadBalancerName
action.itsi_import_objects.param.entity_title_field = LoadBalancerName
action.itsi_import_objects.param.entity_type_field =
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */3 * * * *
search = | mcatalog values("LoadBalancerName") as "dimension.identifier.LoadBalancerName" \
[ mcatalog values(_dims) as info where metric_name=AWS/ELB* AND (`itsi_im_metrics_indexes`) earliest=-1200s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time]| mvexpand info \
| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND info != "host" AND \
info != "MetricName" AND info != "Period" AND info != "LoadBalancerName" \
| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=AWS/ELB* AND (`itsi_im_metrics_indexes`) \
earliest=-1200s by "LoadBalancerName"| fields dimension.* \
| eval identifier_dimensions="LoadBalancerName" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=LoadBalancerName
disabled = 0
[ITSI Import Objects - Kubernetes Node]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = node,itsi_entity_id
action.itsi_import_objects.param.entity_informational_fields = cluster_name
action.itsi_import_objects.param.entity_merge_field = node
action.itsi_import_objects.param.entity_title_field = node
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -10m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */3 * * * *
search = | mcatalog values("node") as "dimension.identifier.node" \
[ mcatalog values(_dims) as info where metric_name=kube.node.* AND (`itsi_entity_type_k8s_node_metrics_indexes`) earliest=-600s \
| append [ | makeresults | head 1 | eval info="no-data-placeholder"| fields - _time] \
| mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND info != "unit" AND \
info != "host" AND info != "extracted_source" AND info != "device" AND info != "interface" AND info != "type" AND \
info != "node"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=kube.node.* AND (`itsi_entity_type_k8s_node_metrics_indexes`) \
earliest=-600s by "node"| fields dimension.* \
| eval identifier_dimensions="node" \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1), etype="Kubernetes Node"] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id=node
disabled = 0
[ITSI Import Objects - Kubernetes Pod]
action.itsi_import_objects = 1
action.itsi_import_objects.param.entity_identifier_fields = pod-namespace,pod-name,itsi_entity_id,pod-uid
action.itsi_import_objects.param.entity_informational_fields = node,cluster_name
action.itsi_import_objects.param.entity_merge_field = pod-name
action.itsi_import_objects.param.entity_title_field = pod-name
action.itsi_import_objects.param.entity_type_field = etype
action.itsi_import_objects.param.update_type = upsert
dispatch.earliest_time = -10m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */3 * * * *
search = | mcatalog values("pod-name") as "dimension.identifier.pod-name" values("pod-namespace") as \
"dimension.identifier.pod-namespace" [ mcatalog values(_dims) as info where metric_name=kube.pod.* AND \
(`itsi_entity_type_k8s_pod_metrics_indexes`) earliest=-600s| append [ | makeresults | head 1 | eval info="no-data-placeholder" \
| fields - _time]| mvexpand info| search info != "punct" AND info != "val" AND info != "metric_type" AND \
info != "unit" AND info != "host" AND info != "extracted_source" AND info != "pod-name" AND \
info != "pod-namespace"| eval search="values(" . "\"" . info . "\"" . ") as " . "\"" . "dimension.info." . info . "\"" \
| fields search| mvcombine search| nomv search] where metric_name=kube.pod.* AND (`itsi_entity_type_k8s_pod_metrics_indexes`) \
earliest=-600s by "pod-name","pod-namespace"| fields dimension.* \
| eval identifier_dimensions="pod-name,pod-namespace" \
| makemv delim="," identifier_dimensions \
| foreach dimension.*[| eval is_identifier=if(match("<<MATCHSTR>>", "identifier"), 1, 0) \
| eval dimension_key=substr("<<MATCHSTR>>", len(if(is_identifier=1, "identifier.", "info.")) + 1)] \
| rename dimension.identifier.* AS *, dimension.info.* AS * | eval itsi_entity_id='pod-namespace'."_".'pod-name', etype="Kubernetes Pod"
disabled = 0
[Entity Lifecycle Management - Unmark Retirable Search]
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
cron_schedule = 6 0 * * *
# A result is required to hit the custom search command
search = | setretiredentities clear_retirable=true
disabled = 1
[Cleanup Models For Predictive Analytics]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 1 * * *
description = Clean up models that is 24 hours old and not saved in any service models.
display.general.timeRangePicker.show = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
search = | listmodels\
| rename name AS model_name\
| rex field=model_name "itsi_predict_.*_*[a-zA-Z]*_[a-z0-9]*_(?<ts>[0-9]+)[a-z_]*$"\
| search NOT\
[| getservice\
| where isnotnull(algorithms)\
| rex field=algorithms "'modelId': '(?<model_name>itsi_predict_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-zA-Z]*_[a-f0-9]*_[0-9]*)'" max_match=5\
| fields model_name\
| mvexpand model_name\
| eval a=model_name."_avg", b=model_name."_ss", c=model_name."_worst"\
| eval model_name=a.",".b.",".c\
| fields model_name\
| makemv delim="," model_name\
| mvexpand model_name]\
| appendpipe\
[| search model_name="*kpi*"\
| rex field=model_name "itsi_predict_kpi_[hs]s_(?<sid>[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*)"\
| search\
[| getservice\
| where isnotnull(algorithms)\
| rex field=algorithms "'modelId': 'itsi_predict_(?<sid>[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*_[a-f0-9]*)_[a-zA-Z]*_[a-f0-9]*_[0-9]*'"\
| search sid=*\
| fields sid]\
| fields model_name]\
| sort - model_name\
| eventstats count(model_name) as ct by model_name\
| where ct < 2\
| where ts/1000 < relative_time(now(), "-1d@d")\
| map search="| deletemodel $model_name$" maxsearches=100
[entity_discovery_search_cleaner]
description = Cleans up disabled/deleted discovery searches from entities and caches
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
cron_schedule = 13 0 * * *
search = | cleanupentitydiscoverysearches
disabled = 1
Reference in new issue View Git Blame Copy Permalink