SH-Deployer/apps/itsi/default/alert_actions.conf

[indicator]
_name             = itsi_summary
# run the summary index command during the original search
inline            = 1
ttl               = 120
maxresults        = 50000
_itsi_kpi_id       =
_itsi_service_id   =

# make sure the following keys are not added to marker (command, ttl, maxresults, _*)
# make sure that underscore _raw does not present in the result
# Check if itsi_kpi_id and itsi_service_id in events
command           =  eval qf=if(alert_level==-2,"maintenancerandostring","") \
  |  eval itsi_service_id=if(isnull(itsi_service_id) AND isnotnull("$action.indicator._itsi_service_id$") AND \
  trim("$action.indicator._itsi_service_id$")!="","$action.indicator._itsi_service_id$",itsi_service_id) \
  | eval itsi_kpi_id=if(isnull(itsi_kpi_id) AND isnotnull("$action.indicator._itsi_kpi_id$") AND \
  trim("$action.indicator._itsi_kpi_id$")!="","$action.indicator._itsi_kpi_id$",itsi_kpi_id) \
  | summaryindex spool=t uselb=t addtime=t index="$action.indicator._name{required=yes}$" \
  file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.indicator*{format=$KEY=\\\"$VAL\\\", \
  key_regex="action.indicator.(?!(?:command|inline|forceCsvResults|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"\
  | `metrics_kpi_fields_transforms` | `mcollect_into_summary_index`