# transforms.conf
#
# Splunk transforms for TrackMe: index-time field extractions, KV store and
# CSV lookup definitions, INGEST_EVAL routing rules and log-to-metrics schemas.
# A stanza only takes effect where another .conf file references it by name
# (those references are not visible in this file).

# TrackMe indexed fields

# The following key fields are indexed fields for optimisation purposes:
# - tenant_id: which describes the tenant involved in the data generated
# - object_category: which describes the component
# - object: which describes the entity
#
# Each stanza captures the quoted value with ([^\"]+) and writes it to the
# index-time metadata (WRITE_META = true) as <field>::<value>.
# NOTE(review): in [:|=] the pipe is a literal member of the character class,
# so the generic stanzas accept ':', '|' or '=' as separator; [:=] is probably
# what was intended - confirm before changing.
# NOTE(review): the generic pattern also matches the text the *_json_* variant
# targets ("key": "value"); if both are applied to the same events the field
# may be written twice - confirm how they are bound.

[trackme_indexed_tenant_id]
REGEX = \"tenant_id\"[:|=]\s{0,1}\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true

# JSON form only: "tenant_id": "<value>" (exactly one whitespace after the colon)
[trackme_indexed_json_tenant_id]
REGEX = \"tenant_id\":\s\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true

# key=value form only: tenant_id="<value>" (unquoted key)
[trackme_indexed_kv_tenant_id]
REGEX = tenant_id=\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true

[trackme_indexed_object_category]
REGEX = \"object_category\"[:|=]\s{0,1}\"([^\"]+)\"
FORMAT = object_category::$1
WRITE_META = true

[trackme_indexed_json_object_category]
REGEX = \"object_category\":\s\"([^\"]+)\"
FORMAT = object_category::$1
WRITE_META = true

[trackme_indexed_object]
REGEX = \"object\"[:|=]\s{0,1}\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true

[trackme_indexed_kv_object]
REGEX = object=\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true

[trackme_indexed_json_object]
REGEX = \"object\":\s\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true

# This index field is specific to sourcetype=trackme:state to allow high performances tstats searches for SLA purposes
# NOTE(review): the two stanzas below have identical REGEX and FORMAT; only one
# of them should be applied to a given sourcetype.
[trackme_indexed_monitored_state]
REGEX = \"monitored_state\":\s\"([^\"]+)\"
FORMAT = monitored_state::$1
WRITE_META = true

[trackme_indexed_json_monitored_state]
REGEX = \"monitored_state\":\s\"([^\"]+)\"
FORMAT = monitored_state::$1
WRITE_META = true

########################################
# Virtual tenancy and user preferences #
########################################

# The stanzas in this part are KV store lookup definitions: "collection" names
# the backing KV store collection and "fields_list" the fields exposed through
# the lookup. Read/write permissions on lookups and collections are set in the
# app's metadata, which is not visible in this file.

#
# TrackMe virtual tenants
#
# NOTE(review): the record carries tenant_roles_admin / tenant_roles_user /
# tenant_roles_power and tenant_owner; presumably these drive per-tenant access
# control, so write access to this collection should be limited to
# administrators - confirm in the app's metadata.

[trackme_virtual_tenants]
external_type = kvstore
collection = kv_trackme_virtual_tenants
fields_list = _key, tenant_name, tenant_id, tenant_status, tenant_desc, tenant_owner, tenant_roles_admin, tenant_roles_user, tenant_roles_power, tenant_objects_exec_summary, tenant_dsm_enabled, tenant_dhm_enabled, tenant_mhm_enabled, tenant_cim_enabled, tenant_flx_enabled, tenant_wlk_enabled, tenant_fqm_enabled, tenant_dsm_hybrid_objects, tenant_dhm_hybrid_objects, tenant_mhm_hybrid_objects, tenant_flx_hybrid_objects, tenant_fqm_hybrid_objects, tenant_wlk_hybrid_objects, tenant_cim_objects, tenant_flx_objects, tenant_fqm_objects, tenant_wlk_objects, tenant_alert_objects, tenant_idx_settings, schema_version, schema_version_mtime, tenant_replica_objects, tenant_replica

# entities summary
# This collection stores a quick access view regarding the number of entities and a status summary
# One record per tenant_id, with per-component (cim, dsm, dhm, mhm, flx, fqm,
# wlk) entity counts, red-priority counts, stats and last execution fields.
[trackme_virtual_tenants_entities_summary]
external_type = kvstore
collection = kv_trackme_virtual_tenants_entities_summary
fields_list = _key, tenant_id, cim_entities, cim_low_red_priority, cim_medium_red_priority, cim_high_red_priority, cim_critical_red_priority, cim_summary_stats, cim_extended_stats, dsm_entities, dsm_low_red_priority, dsm_medium_red_priority, dsm_high_red_priority, dsm_critical_red_priority, dsm_summary_stats, dsm_extended_stats, dhm_entities, dhm_low_red_priority, dhm_medium_red_priority, dhm_high_red_priority, dhm_critical_red_priority, dhm_summary_stats, dhm_extended_stats, mhm_entities, mhm_low_red_priority, mhm_medium_red_priority, mhm_high_red_priority, mhm_critical_red_priority, mhm_summary_stats, mhm_extended_stats, flx_entities, flx_low_red_priority, flx_medium_red_priority, flx_high_red_priority, flx_critical_red_priority, flx_summary_stats, flx_extended_stats, fqm_entities, fqm_low_red_priority, fqm_medium_red_priority, fqm_high_red_priority, fqm_critical_red_priority, fqm_summary_stats, fqm_extended_stats, wlk_entities, wlk_low_red_priority, wlk_medium_red_priority, wlk_high_red_priority, wlk_critical_red_priority, wlk_summary_stats, wlk_extended_stats, dsm_last_exec, dhm_last_exec, mhm_last_exec, cim_last_exec, flx_last_exec, fqm_last_exec, wlk_last_exec

#
# Alerting maintenance mode
#
# NOTE(review): per the comments in this file, maintenance and bank holiday
# records keep alerts from triggering; a write to these collections therefore
# silences alerting. src_user and the time fields give an audit trail inside
# the record - confirm that write access is restricted and changes are audited.

[trackme_maintenance_mode]
external_type = kvstore
collection = kv_trackme_maintenance_mode
fields_list = _key, tenants_scope, maintenance, maintenance_mode, maintenance_message, maintenance_comment, maintenance_mode_start, maintenance_mode_end, maintenance_countdown, change_comment, src_user, time_started, time_updated, epoch_started, epoch_updated, knowledge_record_id

#
# maintenance knowledge database: can be used to store maintenance knowledge and influence SLA calculations
#

[trackme_maintenance_kdb]
external_type = kvstore
collection = kv_trackme_maintenance_kdb
fields_list = _key, tenants_scope, is_disabled, no_days_validity, reason, type, add_info, src_user, time_start, time_end, time_expiration, ctime, mtime

#
# Bank holidays: used to store bank holiday periods that prevent alerts from triggering
#

[trackme_bank_holidays]
external_type = kvstore
collection = kv_trackme_bank_holidays
fields_list = _key, period_name, start_date, end_date, comment, country_code, is_recurring, src_user, time_created, time_updated, maintenance_kdb_key

#
# Backup collection, used to store server / backup files Metadata
#

[trackme_backup_archives_info]
external_type = kvstore
collection = kv_trackme_backup_archives_info
fields_list = _key, server_name, backup_archive, size, status, archive_details, kvstore_collections_size, change_type, mtime, htime, comment

#
# License key: this KVstore is used to store the license key
#
# NOTE(review): license_string is stored as a plain lookup field; confirm that
# read access to this lookup and its collection is limited to administrators.

[trackme_license_key]
external_type = kvstore
collection = kv_trackme_license_key
fields_list = _key, license_string, license_type

#
# Remote Account token expiration Metadata store: this KVstore is used to store expiration related metadata for remote accounts
#
# NOTE(review): the field list holds a token identifier and metadata, not a
# token value; confirm that writers never place the bearer token itself in
# last_message.

[trackme_remote_account_token_expiration]
external_type = kvstore
collection = kv_trackme_remote_account_token_expiration
fields_list = _key, account, mtime, last_message, remote_bearer_token_id

######
# CIM
######

# CSV file lookups. match_type = WILDCARD(<field>) makes the named lookup
# column a wildcard pattern; max_matches = 1 returns a single matching row.

# used to pre-define the regex for CIM compliance
[trackme_cim_regex]
filename = trackme_cim_regex.csv
match_type = WILDCARD(field)
max_matches = 1

# used to pre-define the regex for CIM compliance
[trackme_cim_regex_v2]
filename = trackme_cim_regex_v2.csv
match_type = WILDCARD(datamodel) WILDCARD(field)
max_matches = 1

# used to pre-define the recommended fields for CIM compliance
# With min_matches = 1, default_match ("false") is returned when no row matches;
# matching is case sensitive.
[trackme_cim_recommended_fields]
filename = trackme_cim_recommended_fields.csv
default_match = false
case_sensitive_match = 1
max_matches = 1
min_matches = 1

#
# events
#
# Rewrites the event from fields it carries: index comes from target_index
# (fallback "trackme_metrics" when null or empty), sourcetype and source from
# target_sourcetype / target_source, and _raw is replaced by the "event" field.
# The helper fields are then removed with :=null().
# NOTE(review): index, sourcetype and source are taken from the incoming event,
# so whoever can submit events to the input this transform is bound to decides
# where they are stored and how they are parsed. Confirm that only TrackMe's
# own writers reach that input, or constrain target_index to an allow-list.
# NOTE(review): unlike index, sourcetype and source have no fallback when the
# target_* field is missing - TODO confirm the resulting value.

[trackme_events_ingest_evals]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics"), sourcetype=target_sourcetype, source=target_source, _raw=event, event:=null(), target_index:=null(), target_sourcetype:=null(), target_source:=null()

#
# audit events
#
# Same routing as above for the index (fallback "trackme_audit"); sourcetype
# and source are fixed to "trackme:audit" rather than read from the event.
# NOTE(review): the destination index is still chosen by the event's
# target_index; for audit data, confirm it cannot be pointed at an index with
# weaker access control or shorter retention.

[trackme_audit_events_ingest_evals]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_audit"), sourcetype="trackme:audit", source="trackme:audit", _raw=event, event:=null(), target_index:=null()

#
# events to metrics
#
# Every metric group below has the same five stanzas:
#   *_index_redirect        index = target_index, fallback "trackme_metrics"
#   *_metric_name           sets the fixed metric_name
#   *_field_extraction      "key": "value" string pairs -> indexed key::"value"
#   *_field_extraction_json \"key\": <number> pairs (backslash-escaped quotes)
#                           -> indexed key::number
#   metric-schema:*         _ALLNUMS_ turns every numeric field into a measure;
#                           target_index and metrics_event are excluded from
#                           the dimensions
# NOTE(review): the extraction regexes take the field NAME from the event
# ([a-zA-Z0-9_\.]+) with REPEAT_MATCH, so the set of indexed fields is decided
# by the event content. Confirm only TrackMe-generated events reach these
# transforms, otherwise arbitrary indexed fields and dimensions can be created.
# NOTE(review): the numeric capture ends in '*' and can match zero characters,
# which yields an empty value when the escaped key is followed by a non-number.
# NOTE(review): as for the events stanzas, the index is chosen by the event's
# target_index field.

#
# scoring metrics
#

[trackme_scoring_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_scoring_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.scoring"

[trackme_scoring_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

# Numeric class here is [\d\.] (digits and dot only).
[trackme_scoring_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_scoring_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.scoring=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.scoring=target_index,metrics_event

#
# sla metrics
#

[trackme_sla_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_sla_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.sla"

[trackme_sla_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

# NOTE(review): [\d|\.] contains a literal '|', unlike the scoring stanza's
# [\d\.]; a value such as 1|2 would be captured whole. Probably unintended -
# the same class is used by the components_register and splk_dsm stanzas below.
[trackme_sla_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_sla_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.sla=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.sla=target_index,metrics_event

#
# components_register metrics
#

[trackme_components_register_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_components_register_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.components_register"

[trackme_components_register_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_components_register_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_components_register_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.components_register=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.components_register=target_index,metrics_event

#
# splk-dsm metrics
#

[trackme_splk_dsm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_splk_dsm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_dsm"

[trackme_splk_dsm_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_splk_dsm_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_splk_dsm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_dsm=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_dsm=target_index,metrics_event

#
# splk-dhm metrics
#
# Events-to-metrics stanzas for the splk-dhm, splk-mhm and splk-flx components.
# Per component:
#   *_index_redirect        index = target_index, fallback "trackme_metrics"
#   *_metric_name           sets the fixed metric_name
#   *_field_extraction      "key": "value" string pairs -> indexed key::"value"
#   *_field_extraction_json \"key\": <number> pairs (backslash-escaped quotes)
#                           -> indexed key::number
#   metric-schema:*         _ALLNUMS_ turns every numeric field into a measure;
#                           target_index and metrics_event are excluded from
#                           the dimensions
# NOTE(review): the destination index is read from the event's target_index
# field, and the extraction regexes take the field NAME from the event with
# REPEAT_MATCH. Confirm only TrackMe-generated events reach these transforms,
# otherwise the sender chooses the index and the set of indexed fields.
# NOTE(review): [\d|\.] contains a literal '|' (inside a character class the
# pipe is not alternation), and the trailing '*' lets the numeric capture match
# zero characters - [\d\.] was probably intended; confirm before changing.

[trackme_splk_dhm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_splk_dhm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_dhm"

[trackme_splk_dhm_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_splk_dhm_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_splk_dhm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_dhm=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_dhm=target_index,metrics_event

#
# splk-mhm metrics
#

[trackme_splk_mhm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_splk_mhm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_mhm"

[trackme_splk_mhm_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_splk_mhm_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_splk_mhm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_mhm=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_mhm=target_index,metrics_event

#
# splk-flx
#
# The metric name uses the dotted form trackme.splk.flx, whereas dhm and mhm
# use an underscore (trackme.splk_dhm, trackme.splk_mhm).

[trackme_flx_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_flx_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.flx"

[trackme_flx_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_flx_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true
# Log-to-metrics schema for metric_name trackme.splk.flx: _ALLNUMS_ turns every
# numeric field into a measure; target_index and metrics_event are excluded
# from the dimensions.
[metric-schema:trackme_flx_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.flx=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.flx=target_index,metrics_event

#
# splk-fqm
#
# Events-to-metrics stanzas for the component:
#   *_index_redirect        index = target_index, fallback "trackme_metrics"
#   *_metric_name           sets the fixed metric_name
#   *_field_extraction      "key": "value" string pairs -> indexed key::"value"
#   *_field_extraction_json \"key\": <number> pairs (backslash-escaped quotes)
#                           -> indexed key::number
#   metric-schema:*         measures / excluded dimensions, as for flx above
# NOTE(review): the destination index is read from the event's target_index
# field, and the extraction regexes take the field NAME from the event with
# REPEAT_MATCH. Confirm only TrackMe-generated events reach these transforms,
# otherwise the sender chooses the index and the set of indexed fields.
# NOTE(review): [\d|\.] contains a literal '|' (inside a character class the
# pipe is not alternation), and the trailing '*' lets the numeric capture match
# zero characters - [\d\.] was probably intended; confirm before changing.

[trackme_fqm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_fqm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.fqm"

[trackme_fqm_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

[trackme_fqm_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_fqm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.fqm=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.fqm=target_index,metrics_event

#
# splk-wlk
#
# Same layout as splk-fqm; the review notes on target_index routing,
# event-supplied field names and the [\d|\.]* numeric class apply here too.

[trackme_wlk_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

[trackme_wlk_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.wlk"

[trackme_wlk_metrics_field_extraction]
FORMAT = $1::"$2"
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
REPEAT_MATCH = true
WRITE_META = true

# NOTE(review): this pattern differs from the fqm one above: it expects three
# literal backslashes before each quote (instead of one) and no whitespace
# after the colon. Presumably the wlk payload is doubly escaped, compact JSON -
# confirm against a sample event.
[trackme_wlk_metrics_field_extraction_json]
FORMAT = $1::$2
REGEX = \\\\\\\"([a-zA-Z0-9_\.]+)\\\\\\\":(\-{0,1}[\d|\.]*)
REPEAT_MATCH = true
WRITE_META = true

[metric-schema:trackme_wlk_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.wlk=_ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.wlk=target_index,metrics_event