{
    "uc_ref": "splk_lastchanceindex",
    "uc_vendor": "Splunk",
    "uc_description": "Monitors the last chance index, triggers when data is detected in the last chance index",
    "uc_category": "splunk_data_collection",
    "uc_earliest": "-60m",
    "uc_latest": "now",
    "uc_cron": "*/5 * * * *",
    "uc_metrics": "lastchanceindex.events_count,lastchanceindex.sourcetypes_count",
    "uc_search": "| tstats count as events_count, max(_time) as _time, dc(source) as sources_count where index=lastchanceindex by index, sourcetype\n| eval time = strftime(_time, \"%c\")\n\n| eval object=\"sourcetype:\" . sourcetype . \"|\" . \"last_event:\" . time . \"|\" . \"sources_count:\" . sources_count . \"|\" . \"events_count:\" . events_count\n\n| stats max(events_count) as events_count, dc(sourcetype) as detected_count, max(_time) as events_time, first(sources_count) as sources_count, values(object) as objects\n| eventstats sum(events_count) as total_count\n\n``` set group, object and object description ```\n| eval group = \"data_collection\"\n| eval object = \"lastchanceindex\"\n| eval object_description = \"Splunk last chance index\"\n\n``` set the status ```\n| eval status=case(\ndetected_count=0, 1,\ndetected_count>=1, 2,\n1=1, 3\n)\n\n``` set the status_description ```\n| eval status_description = case(\nstatus=1, \"no events were detected in the lastchanceindex, last_run: \" . strftime(now(), \"%c\"),\nstatus=2, \"events detected in the lastchanceindex, total_count: \" . total_count . \", sourcetype(s) count: \" . detected_count . \", sources_count: \" . sources_count . \", latest event time: \" . strftime(events_time, \"%c\"),\n1=1, \"lastchanceindex events detection status is unknown\"\n)\n\n``` keep the details objects in the extra_attributes ```\n| rex field=objects mode=sed \"s/\\\"/\\\\\\\"/g\"\n| eval extra_attributes  = \"{\\\"objects\\\": [\\\"\" . mvjoin(objects, \"\\\", \\\"\") . \"\\\"]}\"\n\n``` set metrics ```\n| eval metrics = \"{'lastchanceindex.events_count': \" . total_count . \", 'lastchanceindex.sourcetypes_count': \" .  detected_count . \"}\"\n\n``` set default metric ```\n| eval default_metric=\"lastchanceindex.events_count\"\n\n``` alert if inactive for more than 2 hours```\n| eval max_sec_inactive=7200"
}