{
    "uc_ref": "splk_dma",
    "uc_vendor": "Splunk",
    "uc_description": "Monitors the Splunk Data Model Acceleration (DMA), triggers if the acceleration of a Data Model is not completed",
    "uc_category": "splunk_infrastructure",
    "uc_earliest": "-5m",
    "uc_latest": "now",
    "uc_cron": "*/5 * * * *",
    "uc_replacements": "tenant_id:mytenant,group:mygroup",
    "uc_metrics": "dma.complete_pct,dma.size_mb,dma.runduration_sec,dma.buckets_count",
    "uc_search": "| rest /services/admin/summarization by_tstats=t splunk_server=local count=0\n| eval key=replace('title',\"tstats:DM_\".'eai:acl.app'.\"_\",\"\"),datamodel=replace('summary.id',\"DM_\".'eai:acl.app'.\"_\",\"\")\n| join type=left key\n\n[| rest /services/data/models splunk_server=local count=0\n| table title acceleration acceleration.cron_schedule eai:digest\n| rename title as key\n| rename acceleration.cron_schedule AS cron, acceleration as enabled ]\n\n| table datamodel eai:acl.app summary.access_time summary.is_inprogress summary.size summary.latest_time summary.complete summary.buckets_size summary.buckets cron summary.last_error summary.time_range summary.id summary.mod_time eai:digest summary.earliest_time summary.last_sid summary.access_count, enabled\n| rename summary.id AS summary_id, summary.time_range AS retention, summary.earliest_time as earliest, summary.latest_time as latest, eai:digest as digest\n| rename summary.* AS *, eai:acl.* AS *\n| sort datamodel\n| rename \"Datamodel_Acceleration.*\" as *\n| join type=outer last_sid\n\n[| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize*\n| rename sid as last_sid\n| fields last_sid,runDuration]\n\n| eval size_mb=round(size/1048576, 2), retention_days=if(retention==0,\"unlimited\",round(retention/86400,1)), complete_pct=round(complete*100, 2)\n| eval group = \"datamodels\", object = app . \":\" . datamodel, alias = object\n| eval object_description = \"Datamodel: \" . datamodel . \", app: \" . app . \", retention days: \" . retention_days\n\n| foreach complete_pct, size_mb, runDuration, buckets [ eval <<FIELD>> = if(isnum('<<FIELD>>'), '<<FIELD>>', 0) ]\n\n| eval metrics = \"{'dma.complete_pct': \" . complete_pct . \", 'dma.size_mb': \" . size_mb . \", 'dma.runduration_sec': \" . round(runDuration, 2) . \", 'dma.buckets_count': \" . buckets . \"}\"\n| eval outliers_metrics = \"{'dma.runduration_sec': {'alert_lower_breached': 0, 'alert_upper_breached': 1, 'time_factor': 'none'}}\"\n| eval status=case( enabled!=1, 2, enabled=1 AND complete_pct<99, 2, complete_pct>=99, 1,isnull(complete_pct) OR complete_pct=\"\", 3, 1=1, 3)\n| eval status_description_short=if(isnum(complete_pct), \"% accelerated: \" . complete_pct . \", size_mb: \" .  size_mb, \"% accelerated: Unknown!\")\n| eval status_description=case( enabled!=1, \"acceleration is not enabled\", enabled=1 AND complete_pct<99, \"acceleration is not completed\", complete_pct>=99, \"acceleration is completed\",isnull(complete_pct) OR complete_pct=\"\", \"acceleration status is unknown\")\n| table group, object, alias, object_description, metrics, outliers_metrics, status, status_description, status_description_short\n\n``` set default metric ```\n| eval default_metric=\"dma.complete_pct\"\n\n``` alert if inactive for more than 3600 sec```\n| eval max_sec_inactive=3600"
}