# searchbnf.conf

[trackme-command]
syntax = | trackme url=<API endpoint> mode=<HTTP method: get/post/delete> params=<Optional: provides HTTP params in a json format, for get only> body=<Optional: provides the HTTP body in a json format>
description = \
    This command is a REST API wrapper for TrackMe API endpoints, it allows performing \
    get / post / delete HTTP calls against an endpoint and returns a JSON format answer. \
    Syntax: \
    | trackme url=<API endpoint> mode=<HTTP method: get/post/delete> params=<Optional: provides HTTP params in a json format, for get only> body=<Optional: provides the HTTP body in a json format>
comment1 = \
    This example calls the smart_status endpoint to provide an advanced status with automated \
    correlations and investigations.
example1 = \
    | trackme url=/services/trackme/v2/splk_smart_status/ds_smart_status mode=get body="{'object': 'firewall:pan:traffic'}"
shortdesc = REST API wrapper for TrackMe, allows performing \
    get / post / delete HTTP calls against an endpoint.
usage = public
tags = trackme

[trackmegetconf-command]
syntax = | trackmegetconf target=<Optional, the configuration stanza target, use * for all stanzas>
description = \
    This command is a simple generating command to retrieve the application level configuration stanzas, parameters and values
    Syntax: \
    | trackmegetconf target=<Optional, the configuration stanza target, use * for all stanzas>
comment1 = \
    This example retrieves all parameters and values for the trackme_general configuration items
example1 = \
    | trackmegetconf target=trackme_general
shortdesc = Retrieve TrackMe application level configuration parameters and values
usage = public
tags = trackme

# Performs remote search to any Splunk instance over REST, using a bearer token and an account configured
[splunkremotesearch-command]
syntax = | splunkremotesearch account=<API endpoint> search=<Splunk SPL search> earliest=<earliest quantifier> latest=<latest quantifier> component=<the component> register_component=<enable registering exceptions in the component> tenant_id=<tenant identifier> report=<tracker report name> run_against_each_member=<boolean, run the search against each member of the account> report_runtime=<boolean, report the runtime of the search> sample_ratio=<sample ratio, if provided, the search will be sampled>
description = \
    This command is a REST remote search for Splunk, it allows performing \
    any search to a remote Splunk deployment and returns a JSON format answer. \
    Syntax: \
    | splunkremotesearch account=<API endpoint> search=<Splunk SPL search> earliest=<earliest quantifier> latest=<latest quantifier> component=<the component> register_component=<enable registering exceptions in the component> tenant_id=<tenant identifier> report=<tracker report name> run_against_each_member=<boolean, run the search against each member of the account> report_runtime=<boolean, report the runtime of the search> sample_ratio=<sample ratio, if provided, the search will be sampled>
comment1 = \
    This example performs a simple magic search to a remote Splunk deployment
example1 = \
    | splunkremotesearch account=acme_splunk search="| tstats max(_indextime) as data_last_ingest, min(_time) as data_first_time_seen, max(_time) as data_last_time_seen, count as data_eventcount, dc(host) as dcount_host where index=\"firewall\" | eval object=\"test\", data_index=\"test\", data_sourcetype=\"pan:traffic\", data_last_ingestion_lag_seen=data_last_ingest-data_last_time_seen" earliest="-4h" latest="+4h"
shortdesc = REST remote search for Splunk, it allows performing \
    any search to a remote Splunk deployment and returns a JSON format answer.
usage = public
tags = trackme

# The Data Sampling mass executor
[trackmesamplingexecutor-command]
syntax = | trackmesamplingexecutor tenant_id=<tenant identifier> mode=<run mode (optional), valid options: run_sampling|test_sampling|test_model|get_samples|show_kvrecord> object=<object value, used if mode is get_samples> earliest=<earliest quantifier> latest=<latest quantifier> get_samples_max_count=<max number of events to be sampled in get samples mode> max_runtime=<max runtime in seconds> regex_expression=<if mode is test_model, the regex expression to test> model_type=<if mode is test_model, the model type to test, valid options are: inclusive|exclusive> model_name=<if mode is test_model, the model name to test> sourcetype_scope=<if mode is test_model, the sourcetype scope to test>
description = \
    This command is the TrackMe data sampling mass job executor \
    Syntax: \
    | trackmesamplingexecutor tenant_id=<tenant identifier> mode=<run mode (optional), valid options: run_sampling|test_sampling|test_model|get_samples|get_live_samples|show_kvrecord> object=<object value, used if mode is get_samples> earliest=<earliest quantifier> latest=<latest quantifier> get_samples_max_count=<max number of events to be sampled in get samples mode> max_runtime=<max runtime in seconds> regex_expression=<if mode is test_model, the regex expression to test> model_type=<if mode is test_model, the model type to test, valid options are: inclusive|exclusive> model_name=<if mode is test_model, the model name to test> sourcetype_scope=<if mode is test_model, the sourcetype scope to test>
comment1 = \
    This example performs the mass data sampling main job
example1 = \
    | trackmesamplingexecutor tenant_id="my_tenant"
shortdesc = TrackMe Data Sampling mass executor job
usage = public
tags = trackme

# The Elastic Sources shared mass executor
[trackmeelasticexecutor-command]
syntax = | trackmeelasticexecutor tenant_id=<Tenant idenfitier> component=<TrackMe component> margin_sec=<the time in seconds to be used as margin when calculating the max runtime of the job depending on its cron schedule> max_concurrent_searches=<the maximum number of concurrent searches to be executed>
description = \
    This command is the TrackMe Elastic Sources shared mass job executor \
    Syntax: \
    | trackmeelasticexecutor tenant_id=<Tenant idenfitier> component=<TrackMe component> margin_sec=<the time in seconds to be used as margin when calculating the max runtime of the job depending on its cron schedule> max_concurrent_searches=<the maximum number of concurrent searches to be executed>
comment1 = \
    This example performs the Elastic Sources shared mass main job
example1 = \
    | trackmeelasticexecutor tenant_id="mytenant" component="dsm"
shortdesc = TrackMe Elastic Sources shared mass executor job
usage = public
tags = trackme

# Performs the controled and monitored execution of a Trackme tracker
[trackmetrackerexecutor-command]
syntax = | trackmetrackerexecutor tenant_id=<Tenant idenfitier> component=<Trackme component> report=<Splunk report name> args=<optional arguments for the report> earliest=<earliest quantifier> latest=<latest quantifier> alert_no_results=<alert if no results are found, valid options: True|False (default True)> force_savedsearch_execmode=<force execution mode to be savedsearch, valid options: True|False (default False)>
description = \
    This command is a Python wrapper to execute TrackMe trackers jobs in a controled and monitored manner \
    Syntax: \
    | trackmetrackerexecutor tenant_id=<Tenant idenfitier> component=<Trackme component> report=<Splunk report name> args=<optional arguments for the report> earliest=<earliest quantifier> latest=<latest quantifier> alert_no_results=<alert if no results are found, valid options: True|False (default True)> force_savedsearch_execmode=<force execution mode to be savedsearch, valid options: True|False (default False)>
comment1 = \
    This is an example of a TrackMe tracker execution.
example1 = \
    | trackmetrackerexecutor tenant_id="mytenant" component="splk-dsm" report="trackme_dsm_hybrid_tracker-39858981_wrapper_tenant_feeds-secops" earliest="-4h" latest="+4h"
shortdesc = Python wrapper to execute TrackMe trackers jobs in a controled and monitored manner
usage = public
tags = trackme

# Load the TrackMe tenant root content
[trackmeload-command]
syntax = | trackmeload  mode=<mode, valid options: full|expanded>
description = \
    This command retrieves the tenant root content, depending on the roles membership from the user running the command \
    Syntax: \
    | trackmeload mode=<mode, valid options: full|expanded>
comment1 = \
    This example retrieves the tenant JSON data according to the user's roles membership
example1 = \
    | trackmeload
shortdesc = Python wrapper to retrieve the tenant JSON data according to RBAC
usage = public
tags = trackme

# Load the TrackMe tenant status summary
[trackmetenantstatus-command]
syntax = | trackmetenantstatus tenant_id=<optional: the tenant identifier> output=<optional: return the status record, or the list of RBAC filtered tenants, valid options: status | tenants>
description = \
    This command retrieves the tenants status summary data, and renders to be investigated easily in Splunk \
    Syntax: \
    | trackmetenantstatus tenant_id=<optional: the tenant identifier> output=<optional: return the status record, or the list of RBAC filtered tenants, valid options: status | tenants>
comment1 = \
    This example retrieve the summary status data for all tenants
example1 = \
    | trackmetenantstatus output="status"
shortdesc = Python wrapper to retrieve tenants status summary data
usage = public
tags = trackme

# get flipping events
[trackmesplkgetflipping-command]
syntax = | trackmesplkgetflipping tenant_id=<the tenant identifier> object_category=<the object category>
description = \
    This command is used to generate flipping status events using the TrackMe libs trackme_audit_flip function \
    Syntax: \
    | trackmesplkgetflipping tenant_id=the tenant identifier> object_category=<the object category> | spath | fields - _raw
comment1 = \
    This example filters the blocklist for splk-dsm
example1 = \
    | trackmesplkgetflipping tenant_id="mytenant" object_category="splk-dsm" | spath | fields - _raw
shortdesc = Generate flipping statuses events
usage = public
tags = trackme

# get flipping events
[trackmeacktracker-command]
syntax = | trackmeacktracker tenant_id=<Optional, the tenant identifier> action=<Optional, the action, valid options are: ack_expired | force_expire_all_ack>
description = \
    This command is used to manage the Acknowledgment expiration, it is a generating command which will read all Ack collections and expire acknowlegements records as needed \
    Syntax: \
    | trackmeacktracker tenant_id=<Optional, the tenant identifier> action=<Optional, the action, valid options are: ack_expired | force_expire_all_ack>
comment1 = \
    This example manages acknowlegements expiration for all tenants
example1 = \
    | trackmeacktracker
shortdesc = Handles the acknowlegment expiration for tenant collections
usage = public
tags = trackme

# manually generate a new notable event
[trackmegennotable-command]
syntax = | savedsearch <Trackme alert name> | trackmegennotable notable_title=<Optional, the value of the notable title (source Metadata), defaults to trackme:notable if not specified>
description = \
    This streaming command can be used to manually generate a new notable event \
    Syntax: \
    | savedsearch <Trackme alert name> | trackmegennotable notable_title=<Optional, the value of the notable title (source Metadata), defaults to trackme:notable if not specified>
comment1 = \
    This example generate a new notable event
example1 = \
    | savedsearch "TrackMe alert tenant_id:mytenant - Alert custom on data_source" | trackmegennotable
shortdesc = Manually generate a new TrackMe notable event
usage = public
tags = trackme

# TrackMe streaming summary events custom command
[trackmecollect-command]
syntax = | trackmecollect index=<Optional, index target for the summary events, if unspecified the app configuration level value will be used> source=<Optional, source Metadata value for the summary events, defaults to trackme:state> sourcetype=<Optional, sourcetype Metadata value for the summary events, defaults to trackme:state>
description = \
    This streaming command can be used to manually generate a new notable event \
    Syntax: \
    | trackmecollect index=<Optional, index target for the summary events, if unspecified the app configuration level value will be used> source=<Optional, source Metadata value for the summary events, defaults to trackme:summary> sourcetype=<Optional, sourcetype Metadata value for the summary events, defaults to trackme:state>
comment1 = \
    This example generate a new notable event
example1 = \
    | trackmecollect index="trackme_summary" source="current_state_tracking:splk-dsm:mytenant" sourcetype="trackme:state"
shortdesc = Generate and index TrackMe summary events
usage = public
tags = trackme

# TrackMe generating health tracker custom command
[trackmetrackerhealth-command]
syntax = | trackmetrackerhealth tenant_id=<tenant identifier> get_acl=<boolean, retrieve ACLs information for the tenant knowledge objects, disabled by default as this can generate more rest traffic and load>
description = \
    This generating command is designed to execute the health tracker component for the tenant \
    Syntax: \
    | trackmetrackerhealth tenant_id=<tenant identifier> get_acl=<boolean, retrieve ACLs information for the tenant knowledge objects, disabled by default as this can generate more rest traffic and load>
comment1 = \
    This example tracks the health of the tenant
example1 = \
    | trackmetrackerhealth tenant_id="mytenant" get_acl=True
shortdesc = Tracks the health status of a TrackMe tenant
usage = public
tags = trackme

# Streaming command to load and pretty print json fields
[trackmeprettyjson-command]
syntax = | trackmeprettyjson fields=<command separated list of fields to pretty print JSON> remove_nonpositive_num=<boolean> remove_null=<boolean> merge=<if multiple fields provided, merge into a single metrics field, True|False> merge_field_target=<if merge, defines the field target>
description = \
    This streaming command can be used to pretty print a list of JSON fields \
    Syntax: \
    | trackmeprettyjson fields=<command separated list of fields to pretty print JSON> remove_nonpositive_num=<boolean> remove_null=<boolean> merge=<if multiple fields provided, merge into a single metrics field, True|False> merge_field_target=<if merge, defines the field target>
comment1 = \
    This example pretty prints the field job_component_register
example1 = \
    | trackmeprettyjson fields="job_component_register"
shortdesc = Pretty print a list of JSON fields
usage = public
tags = trackme

# Generating command to yield a JSON value
[trackmeyieldjson-command]
syntax = | trackmeyieldjson json_value=<JSON value>
description = \
    This generating command can be used to yield a JSON value \
    Syntax: \
    | trackmeyieldjson json_value=<JSON value>
comment1 = \
    This example yields a JSON value
example1 = \
    | trackmeyieldjson json_value="{\"key1\": \"value1\", \"key2\": \"value2\"}"
shortdesc = Yield a JSON value
usage = public
tags = trackme

# Streaming command to expand the job component register
[trackmeopsstatusexpand-command]
syntax = | trackmeopsstatusexpand
description = \
    This command retrieves and expands the job component register \
    Syntax: \
    | trackmeopsstatusexpand
comment1 = \
    This command retrieves and expands the job component register
example1 = \
    | trackmeopsstatusexpand
shortdesc = Retrieve and expand the job component register
usage = public
tags = trackme

# Streaming command to set splk outliers rules
[trackmesplkoutlierssetrules-command]
syntax = | trackmesplkoutlierssetrules tenant_id=<tenant_id> component=<component>
description = \
    This streaming command is called to generate the splk outliers rules \
    Syntax: \
    | trackmesplkoutlierssetrules tenant_id=<tenant_id> component=<component>
comment1 = \
    This example generates splk outliers rules for splk-dsm
example1 = \
    | trackmesplkoutlierssetrules tenant_id="mytenant" object_category="dsm"
shortdesc = Generates the splk outliers rules
usage = public
tags = trackme

# Generating command to train machine learning outliers models for a given entity
[trackmesplkoutlierstrain-command]
syntax = | trackmesplkoutlierstrain tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> mode=<live|simulation> model_json_def=<The JSON model for simulation>
description = \
    This generating command is called to train the Machine Learning outliers detections models for a given entity \
    Syntax: \
    | trackmesplkoutlierstrain tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> mode=<live|simulation> model_json_def=<The JSON model for simulation>
comment1 = \
    This example trains defined Machine Learning models for a given entity
example1 = \
    | trackmesplkoutlierstrain tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
    | trackmesplkoutlierstrain tenant_id="mytenant" component="dsm" object_id="abc123"
shortdesc = Train the splk outliers Machine Learning models
usage = public
tags = trackme

# Generating command to render machine learning outliers for a given entity and a given trained model
[trackmesplkoutliersrender-command]
syntax = | trackmesplkoutliersrender tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> earliest=<earliest quantifier> latest=<latest quantifier> lowerbound_negative=<True|False boolean, allow/deny negative lowerBound> auto_correct=<True|False boolean, enable or disable auto threshold correction> mode=<live|simulation> model_json_def=<The JSON model for simulation> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
description = \
    This generating command is called to render the Machine Learning outliers detections for a given entity and a given trained model \
    Syntax: \
    | trackmesplkoutliersrender tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> earliest=<earliest quantifier> latest=<latest quantifier> auto_correct=<True|False boolean, enable or disable auto threshold correction> mode=<live|simulation> model_json_def=<The JSON model for simulation> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
comment1 = \
    This example renders trained Machine Learning outliers for a given entity
example1 = \
    | trackmesplkoutliersrender tenant_id="mytenant" component="dsm" object="my_entity" earliest="-7d" latest="now"
example2 = \
    | trackmesplkoutliersrender tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd" earliest="-7d" latest="now"
shortdesc = Render the splk outliers Machine Learning results
usage = public
tags = trackme

# Generating command to render entities rules
[trackmesplkoutliersgetrules-command]
syntax = | trackmesplkoutliersgetrules tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id>
description = \
    This generating command is called to render the Machine Learning outliers detections rules \
    Syntax: \
    | trackmesplkoutliersgetrules tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id>
comment1 = \
    This example renders Machine Learning outliers rules for a given entity
example1 = \
    | trackmesplkoutliersgetrules tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
    | trackmesplkoutliersgetrules tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd"
shortdesc = Render the splk outliers Machine Learning rules
usage = public
tags = trackme

# Generating command to render entities data
[trackmesplkoutliersgetdata-command]
syntax = | trackmesplkoutliersgetdata tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id>
description = \
    This generating command is called to render the Machine Learning outliers detections data \
    Syntax: \
    | trackmesplkoutliersgetdata tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id>
comment1 = \
    This example renders Machine Learning outliers data for a given entity
example1 = \
    | trackmesplkoutliersgetdata tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
    | trackmesplkoutliersgetdata tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd"
shortdesc = Render the splk outliers Machine Learning data
usage = public
tags = trackme

# Generating command executing regular training of the entities ML models
[trackmesplkoutlierstrainhelper-command]
syntax = | trackmesplkoutlierstrainhelper tenant_id=<tenant_id> component=<component> max_runtime_sec=<max runtime for the job in seconds>
description = \
    This generating command is called to train and maintain Machine Learning models for TrackMe entities \
    Syntax: \
    | trackmesplkoutlierstrainhelper tenant_id=<tenant_id> component=<component> max_runtime_sec=<max runtime for the job in seconds>
comment1 = \
    This example renders Machine Learning outliers rules for a given entity
example1 = \
    | trackmesplkoutlierstrainhelper tenant_id="mytenant" component="dsm"
shortdesc = Machine Learning models training executor
usage = public
tags = trackme

# Generating command rendering current outliers statuses for the tenant entities
[trackmesplkoutlierstrackerhelper-command]
syntax = | trackmesplkoutlierstrackerhelper tenant_id=<tenant_id> component=<component> object=<Optional, specify an object> object_id=<Optional, specify an object_id> max_runtime=<max runtime of the job in seconds, optional and defaults to 600> force_run=<True|False (default False), if True, do not honour minimal amount of time between two monitor executions> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
description = \
    This generating command is called to track the current outliers statuses for models defined in the tenant's entities \
    Syntax: \
    | trackmesplkoutlierstrackerhelper tenant_id=<tenant_id> component=<component> object=<Optional, specify an object> object_id=<Optional, specify an object_id> max_runtime=<max runtime of the job in seconds, optional and defaults to 600> force_run=<True|False (default False), if True, do not honour minimal amount of time between two monitor executions> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
comment1 = \
    This example tracks the outliers status for all models defined in tenant's entities
example1 = \
    | trackmesplkoutlierstrackerhelper tenant_id="mytenant" component="dsm" max_runtime="600"
example2 = \
    | trackmesplkoutlierstrackerhelper tenant_id="mytenant" component="dsm" object_id="abc123" force_run="True"
shortdesc = Machine Learning models tracking executor
usage = public
tags = trackme

# Generating command used to generate search filtering expressions according to allow / block lists of the tenants depending on the context
[trackmeblocklistgen-command]
syntax = | trackmeblocklistgen tenant_id=<tenant_id> component=<component> regex=<true|false - filter on non regex or regex based records> addprefix=<Add a prefix, optional> fields=<Comma separated list of fields, optional> target=<allowlist | blocklist> store_cache=<Store the result in a KVstore cache for fast usage, true|false>
description = \
    This generating command is called to generate filtering expressions according to the tenant and component data set configuration \
    Syntax: \
    | trackmeblocklistgen tenant_id=<tenant_id> component=<component> regex=<true|false - filter on non regex or regex based records> addprefix=<Add a prefix, optional> fields=<Comma separated list of fields, optional> target=<allowlist | blocklist> store_cache=<Store the result in a KVstore cache for fast usage, true|false>
comment1 = \
    This example tracks the outliers status for all models defined in tenant's entities
example1 = \
    | trackmeblocklistgen tenant_id="mytenant" component="dsm" regex="false" target="allowlist"
shortdesc = BlockList filtering expression generator
usage = public
tags = trackme

# Generating command to automatically get the API endpoints documentation
[trackmeapiautodocs-command]
syntax = | trackmeapiautodocs target=<the type of endpoints, valid options are: groups | endpoints>
description = \
    This generating command automatically generate the list of API endpoints per resource group and lists its configuration information and examples \
    Syntax: \
    | trackmeapiautodocs target=<the type of endpoints, valid options are: groups | endpoints>
comment1 = \
    This example list all API endpoints with their associated documentation
example1 = \
    | trackmeapiautodocs target="endpoints"
shortdesc = TrackMe API documentation auto-generator
usage = public
tags = trackme

# Generating command to parse search results for splk-flx component
[trackmesplkflxparse-command]
syntax = | trackmesplkflxparse tenant_id=<tenant_id> context=<live|simulation> remove_raw=<true|false> remove_time=<true|false>
description = \
    This streaming custom command is designed to parse search results for the purposes of the splk-flx component \
    Syntax: \
    <upstream search> | trackmesplkflxparse tenant_id=<tenant_id> context=<live|simulation> remove_raw=<true|false> remove_time=<true|false>
comment1 = \
    This example parses upstream search results for the splk-flx component
example1 = \
    | trackmesplkflxparse tenant_id="mytenant"
shortdesc = TrackMe Splk Flex Objects tracking search parser
usage = public
tags = trackme

# Generating command for spk-flx converging
[trackmesplkflxconverging-command]
syntax = | trackmesplkflxconverging tenants_scope=<comma separated lists of tenants where entities should be sourced from> object=<object> object_description=<object description> group=<group> root_constraint=<root constraint> consider_orange_as_up=<True|False> remove_extra_attributes=<true|false> min_pct_for_green=<minimum percentage of availability required for the status to be green (1). Default is 100>
description = \
    This generating command is designed to parse search results for the purposes of the splk-flx component and converging trackers \
    Syntax: \
    | trackmesplkflxconverging tenants_scope=<comma separated lists of tenants where entities should be sourced from> object=<object> object_description=<object description> group=<group> root_constraint=<root constraint> consider_orange_as_up=<True|False> remove_extra_attributes=<true|false> min_pct_for_green=<minimum percentage of availability required for the status to be green (1). Default is 100>
comment1 = \
    This example shows the converging trackers for the splk-flx component
example1 = \
    | trackmesplkflxconverging tenants_scope="mytenant1,mytenant2" object="sla-service-demo" object_description="Datamodels correlated KPI" group="datamodels" root_constraint="group=datamodels" consider_orange_as_up=True
shortdesc = TrackMe Splk Flex Objects converging tracking search parser
usage = public
tags = trackme

# Simple utility to extract stats for splk-dhm 
[trackmestsummarysplkdhm-command]
syntax = | trackmestsummarysplkdhm
description = \
    This streaming custom command is designed to extract statistics from the dictionnary for splk-dhm entities \
    Syntax: \
    | trackmestsummarysplkdhm
comment1 = \
    This example retrieves the tenant JSON data according to the user's roles membership
example1 = \
    | trackmestsummarysplkdhm
shortdesc = Python wrapper to extract statistics from the dictionnary for splk-dhm
usage = public
tags = trackme

# Streaming command to check and preserve persistent fields from conflicting updates, as well as optionally inserting and updating records in the KVstore collection
[trackmepersistentfields-command]
syntax = | trackmepersistentfields collection=<collection> key=<key field> update_collection=<update or insert in the collection as needed>
description = \
    This streaming custom command is designed to protect TrackMe persistent fields from conficting updates, as well as optionally replacing the Splunk outputlookup command \
    Syntax: \
    | trackmepersistentfields collection=<collection> key=<key field> update_collection=<update or insert in the collection as needed>
comment1 = \
    This example is called by TrackMe in the outputlookup macro
example1 = \
    | trackmepersistentfields collection="$collection$" key="$key$" update_collection="True"
shortdesc = Python wrapper to prevent conflicting updates of TrackMe persistent fields, which can as well replace outputlookup
usage = public
tags = trackme

# Generating command to parse search results for splk-wlk component
[trackmesplkwlkparse-command]
syntax = | trackmesplkwlkparse tenant_id=<tenant_id> context=<live|simulation> overgroup=<use the overgroup to override the grouping per app , optional> check_last_seen=<true|false> check_last_seen_field=<field name>
description = \
    This streaming custom command is designed to parse search results for the purposes of the splk-wlk component \
    Syntax: \
    <upstream search> | trackmesplkwlkparse tenant_id=<tenant_id> context=<live|simulation> overgroup=<use the overgroup to override the grouping per app , optional> check_last_seen=<true|false> check_last_seen_field=<field name>
comment1 = \
    This example parses upstream search results for the splk-wlk component
example1 = \
    | trackmesplkwlkparse tenant_id="mytenant"
shortdesc = TrackMe Splk Workload search parser
usage = public
tags = trackme

# Streaming command to load a list of fields and stored these and their value into a JSON formated field name metrics
[trackmegenjsonmetrics-command]
syntax = | trackmegenjsonmetrics fields=<command separated list of fields to include in the metrics field> add_root_label=<If submitted, generate a label with this value and store metrics into a sub-object> target=<Target field name> add_prefix=<Optionally as a prefix to the name of the fields> suppress_suffix=<Suppress the provided suffix from field names>
description = \
    This streaming command can be used to generate a JSON formated field name metrics taking in input a list of fields \
    Syntax: \
    | trackmegenjsonmetrics fields=<command separated list of fields to include in the metrics field> add_root_label=<If submitted, generate a label with this value and store metrics into a sub-object> target=<Target field name> add_prefix=<Optionally as a prefix to the name of the fields> suppress_suffix=<Suppress the provided suffix from field names>
comment1 = \
    This example generates the metrics field for the splk-wlk component for the scheduler
example1 = \
    | trackmegenjsonmetrics fields="scheduler.count_completed,scheduler.count_execution,scheduler.count_skipped,scheduler.skipped_pct"
shortdesc = Generates a JSON formated metrics field from a comma separated list of fields
usage = public
tags = trackme

# Streaming command to retrieve saved searches metadata
[trackmesplkwlkgetreportsdefstream-command]
syntax = | trackmesplkwlkgetreportsdefstream tenant_id=<tenant_id> context=<context, live|simulation> register_component=<register the component, True|False> report=<name of the report> check_orphan=<check the orphan status, True|False> max_runtime_sec=<max runtime job in seconds> filters_get_last_updates=<An optional search string to restrict the Search Head tiers when looking at the last updates of savedsearches (to identify who modified a search and when), defaults to host=*>
description = \
    This streaming custom command is designed to retrieve Splunk saved searches metadata from upstream results \
    Syntax: \
    | trackmesplkwlkgetreportsdefstream tenant_id=<tenant_id> context=<context, live|simulation> register_component=<register the component, True|False> report=<name of the report> check_orphan=<check the orphan status, True|False> max_runtime_sec=<max runtime job in seconds> filters_get_last_updates=<An optional search string to restrict the Search Head tiers when looking at the last updates of savedsearches (to identify who modified a search and when), defaults to host=*>
comment1 = \
    This example retrieves Splunk saved searches metadata from upstream results
example1 = \
    | trackmesplkwlkgetreportsdefstream tenant_id="mytenant"
shortdesc = Python wrapper to retrieve Splunk saved searches metadata from upstream results in a streaming manner
usage = public
tags = trackme

# Streaming command to verify the user owner of saved searches and dynamically retrieve the owner if not available in upstream results
[trackmesplkwlkgetreportowner-command]
syntax = | trackmesplkwlkgetreportowner tenant_id=<tenant_id>
description = \
    This streaming custom command is designed to retrieve the Splunk user owner from upstream results \
    Syntax: \
    | trackmesplkwlkgetreportowner tenant_id=<tenant_id>
comment1 = \
    This example retrieves the user owner from upstream results
example1 = \
    | trackmesplkwlkgetreportowner tenant_id="mytenant"
shortdesc = Python wrapper to retrieve Splunk saved searches user owner from upstream results in a streaming manner
usage = public
tags = trackme

# Generating command to retrieve saved searches metadata
[trackmesplkwlkgetreportsdefgen-command]
syntax = | trackmesplkwlkgetreportsdefgen tenant_id=<tenant_id> object_name=<object_name> object_id=<object_id>
description = \
    This generating custom command is designed to retrieve Splunk saved searches metadata for a specific search \
    Syntax: \
    | trackmesplkwlkgetreportsdefgen tenant_id=<tenant_id> object_name=<object_name> object_id=<object_id>
comment1 = \
    This example retrieves Splunk saved searches metadata from TrackMe's store for a specific search
example1 = \
    | trackmesplkwlkgetreportsdefgen tenant_id="mytenant" object_name=<myuser:myapp:mysavedsearch>
shortdesc = Python wrapper to retrieve Splunk saved searches metadata for a specific search in a generating manner

# Generating command to manage splk-wlk records to be purged
[trackmesplkwlkinactiveinspector-command]
syntax = | trackmesplkwlkinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
description = \
    The generating command is used to purge inactive entities in the Splunk Workload component \
    Syntax: \
    | trackmesplkwlkinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
comment1 = \
    This generating command is used to maintain splk-wlk records to be purged
example1 = \
    | trackmesplkwlkinactiveinspector tenant_id="mytenant"
shortdesc = Python wrapper to to load and purge inactive records in Splunk Workload
usage = public
tags = trackme

# Streaming command to extract metrics from the JSON object
[trackmeextractjsonmetrics-command]
syntax = | trackmeextractjsonmetrics fields=<comma separated list of fields>
description = \
    The streaming command extract all metrics from a JSON objects and add these to the output stream \
    Syntax: \
    | trackmeextractjsonmetrics fields=<comma separated list of fields>
comment1 = \
    This streaming command is used to extract metrics from a JSON object
example1 = \
    | trackmeextractjsonmetrics fields="metrics"
shortdesc = Python wrapper to extract JSON metrics and add to the output stream
usage = public
tags = trackme

# Streaming command utility for splk-dhm to extract and render the sourcetype summary JSON data
[trackmeextractsplkdhm-command]
syntax = | trackmeextractsplkdhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
description = \
    This streaming command is a command utility for splk-dhm to extract and render summary sourcetypes information \
    Syntax: \
    | trackmeextractsplkdhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
comment1 = \
    This streaming command is used by the splk-dhm component to render the sourcetype summary
example1 = \
    | trackmeextractsplkdhm field_current="splk_dhm_st_summary" mode="both"
shortdesc = Python wrapper to extract and render sourcetype summary for splk-dhm
usage = public
tags = trackme

# Streaming command utility for splk-mhm to extract and render the metrics summary JSON data
[trackmeextractsplkmhm-command]
syntax = | trackmeextractsplkmhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
description = \
    This streaming command is a command utility for splk-mhm to extract and render summary sourcetypes information \
    Syntax: \
    | trackmeextractsplkmhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
comment1 = \
    This streaming command is used by the splk-mhm component to render the sourcetype summary
example1 = \
    | trackmeextractsplkmhm field_current="metric_details" mode="both"
shortdesc = Python wrapper to extract and render sourcetype summary for splk-mhm
usage = public
tags = trackme

# Streaming command replica utility, to replicate and sync a source and target collection for replica tenants
[trackmereplicator-command]
syntax = | trackmereplicator component=<component name> source_tenant_id=<source tenant_id> target_tenant_id=<target tenant_id> key_field=<field cotaining the KVstore key>
description = \
    This streaming command is a command sync utility to maintain a replica tenant_id collection for TrackMe \
    Syntax: \
    | trackmereplicator component=<component name> source_tenant_id=<source tenant_id> target_tenant_id=<target tenant_id> key_field=<field cotaining the KVstore key>
comment1 = \
    This streaming command is used to maintain a replica Virtual Tenant collection for a given source and target tenant, and a given component
example1 = \
    | trackmereplicator component=<component name> source_tenant_id="my_source_tenant" target_tenant_id="my_target_tenant" key_field="key"
shortdesc = Python wrapper to replicate and sync a KVstore collection for a replica Virtual Tenant
usage = public
tags = trackme

# Generating command to orchestrate the execution of replica trackers
[trackmereplicaexecutor-command]
syntax = | trackmereplicaexecutor tenants_filter_list=<optional comma seperated list of tenants to be processed, use * for all> max_runtime_sec=<max allowed run time> 
description = \
    This generating custom command is used by TrackMe to orchestrate the execution of replica trackers \
    Syntax: \
    | trackmereplicaexecutor tenants_filter_list=<optional comma seperated list of tenants to be processed, use * for all> max_runtime_sec=<max allowed run time> 
comment1 = \
    This command orchestrates the execution of TrackMe replica trackers
example1 = \
    | trackmereplicaexecutor tenants_filter_list="*" max_runtime_sec="300"
shortdesc = Python wrapper to orchestrate the execution of replica trackers
usage = public
tags = trackme

# Streaming command utility to automatically manage logical groups
[trackmeautogroup-command]
syntax = | trackmeautogroup tenant_id=<tenant_id> purge_single_member_grp=<purge the group if there only one member left, True|False>
description = \
    This streaming command is an utility to automatically create and manage logical groups based on a upstream list of results, \
    providing the following fields: object_group_name (name of the group), object_group_members (multi-value field listing the members of the group)
    Syntax: \
    | trackmeautogroup tenant_id=<tenant_id> purge_single_member_grp=<purge the group if there only one member left, True|False>
comment1 = \
    This streaming command is a utility to create and manage logical groups based on a upstream logic
example1 = \
    | trackmeautogroup component=<component name> source_tenant_id="my_source_tenant" target_tenant_id="my_target_tenant" key_field="key"
shortdesc = Python wrapper to automatically manage auto grouping of entities in logical groups
usage = public
tags = trackme

# Runs a TrackMe report for the purposes of executing TrackMe trackers by admin as the system user rather than the requester
[trackmeoneshotexecutor-command]
syntax = | trackmeoneshotexecutor tenant_id=<Tenant idenfitier> report=<The TrackMe report> earliest=<earliest quantifier> latest=<latest quantifier> use_savedsearch_time=<use the earliest and latest times of the savedsearch instead of the searchinfo earliest and latest times, True|False>
description = \
    This command is designed to run a TrackMe tracker in a oneshot manner as the system user, it requires the trackmepoweroperations capability \
    Syntax: \
    | trackmeoneshotexecutor tenant_id=<Tenant idenfitier> report=<The TrackMe report> earliest=<earliest quantifier> latest=<latest quantifier> use_savedsearch_time=<use the earliest and latest times of the savedsearch instead of the searchinfo earliest and latest times, True|False>
comment1 = \
    This examples runs a TrackMe tracker
example1 = \
    | trackmeoneshotexecutor tenant_id="mytenant" report="my_tracker" earliest="-5m" latest="now"
shortdesc = Runs a TrackMe report for the purposes of executing TrackMe trackers by admin as the system user rather than the requester
usage = public
tags = trackme

# Generating command listing Flex Object use cases
[trackmesplkflxgetuc-command]
syntax = | trackmesplkflxgetuc
description = \
    This generating command lists use cases available from the Flex Objects library, \
    Syntax: \
    | trackmesplkflxgetuc
comment1 = \
    This generating command lists use cases from the Flex Objects library
example1 = \
    | trackmesplkflxgetuc component=<component name> source_tenant_id="my_source_tenant" target_tenant_id="my_target_tenant" key_field="key"
shortdesc = List use cases from the Flex Objects library
usage = public
tags = trackme

# Generating command to manage splk-flx inactive entities
[trackmesplkflxinactiveinspector-command]
syntax = | trackmesplkflxinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
description = \
    The generating command is used to manage and purge inactive entities in the Splunk Flex Object component \
    Syntax: \
    | trackmesplkflxinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
comment1 = \
    This generating command is used to maintain inactive splk-flx records
example1 = \
    | trackmesplkflxinactiveinspector tenant_id="mytenant"
shortdesc = Python wrapper to manage inactive entities in the Flex Object component
usage = public
tags = trackme

# Generating command to manage splk-fqm inactive entities
[trackmesplkfqminactiveinspector-command]
syntax = | trackmesplkfqminactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
description = \
    The generating command is used to manage and purge inactive entities in the Splunk Fields Quality component \
    Syntax: \
    | trackmesplkfqminactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
comment1 = \
    This generating command is used to maintain inactive splk-fqm records
example1 = \
    | trackmesplkfqminactiveinspector tenant_id="mytenant"
shortdesc = Python wrapper to manage inactive entities in the Fields Quality component
usage = public
tags = trackme

# Generating command for splk-soar integration purposes
[trackmesplksoar-command]
syntax = | trackmesplksoar soar_server=<soar_server> action=<action> action_data=<json action data> action_params=<json action parameters>
description = \
    The generating command is used is used to interract with Splunk SOAR \
    Syntax: \
    - soar_server: the name of the SOAR server as configured in the Splunk App for SOAR, \
    - action: an action in the following support list: soar_get|soar_post|soar_test_apps|soar_health_status|soar_health_memory|soar_health_load|soar_automation_broker_manage, \
    - action_data: a JSON formated object, either used by specific actions or used to perform a POST query to a SOAR endpoint \
    - action_params: a JSON formated object, used to pass additional parameters to the action \
    | trackmesplksoar soar_server=<soar_server> action=<action> action_data=<json action data>
comment1 = \
    This generating command is used to interract with Splunk SOAR
example1 = \
    | trackmesplksoar soar_server=lab action=soar_get action_data="{\"endpoint\": \"health\"}"
shortdesc = Generating command for TrackMe's Splunk SOAR integration
usage = public
tags = trackme

# Streaming command for splk-soar integration purposes
[trackmesplksoarlookup-command]
syntax = | trackmesplksoarlookup soar_server=<soar_server> endpoint_target=<endpoint_target> source_field=<source_field> dest_field_name=<dest_field_name> dest_field_definition=<dest_field_definition> definition_filter_fields=<A comma separated list of fields to retrieve from the definition>
description = \
    This streaming command can be used to interact with the SOAR API in a lookup way, so that from an id of an object, its definition can be retrieved easily in native SPL \
    Syntax: \
    - soar_server: the name of the SOAR server as configured in the Splunk App for SOAR, \
    - endpoint_target: the endpoint target for the object to lookup\
    - source_field: the name of the field containing the object id, \
    - dest_field_name: the name of the field to store the logical name of the corresponding object retrieved from this id (if any!), \
    - dest_field_definition: the name of the field to store the definition of the corresponding object retrieved from this id (if any!) \
    - definition_filter_fields: a comma separated list of fields to retrieve from the definition \
    | trackmesplksoarlookup soar_server=<soar_server> endpoint_target=<endpoint_target> source_field=<source_field> dest_field_name=<dest_field_name> dest_field_definition=<dest_field_definition> definition_filter_fields=<A comma separated list of fields to retrieve from the definition>
comment1 = \
    Lookup the definition of a SOAR object from its id in a streaming manner
example1 = \
    | makeresults | eval asset=1 | trackmesplksoarlookup soar_server=* endpoint_target=asset source_field=asset dest_field_name=asset_name dest_field_definition=asset_definition definition_filter_fields="name,description"
shortdesc = Streaming command for TrackMe's Splunk SOAR integration
usage = public
tags = trackme

# CMDB lookup integrator
[trackmesplkcmdb-command]
syntax = | trackmesplkcmdb tenant_id=<the tenant identifier> component=<the TrackMe component> object=<Optional, the object name> object_id=<Optional, the object identifier>
description = \
    This command is used for the purposes of querying a CMDB to retrieve information for a given TrackMe entity \
    Syntax: \
    | trackmesplkcmdb tenant_id=<the tenant identifier> component=<the TrackMe component> object=<Optional, the object name> object_id=<Optional, the object identifier>
comment1 = \
    This example retrieves a given entity information from your CMDB
example1 = \
    | trackmesplkcmdb component="dsm" tenant_id="mytenant" object="network:pan:traffic"
shortdesc = Query your CMDB from TrackMe
usage = public
tags = trackme

# Stateful alert pre-filtering command
[trackmestateful-command]
syntax = | trackmestateful tenant_id=<the tenant identifier>
description = \
    This generating command performs pre-filtering for stateful alerts by executing a simplified stateful alert search and applying filtering logic to ensure only valid events are yielded. \
    The command filters events based on monitored_state, maintenance mode, ack status, object_state validation, and stateful record timing constraints. \
    Syntax: \
    | trackmestateful tenant_id=<the tenant identifier>
comment1 = \
    This example pre-filters stateful alert events for a tenant, ensuring only events that should be processed are yielded
example1 = \
    | trackmestateful tenant_id="mytenant"
shortdesc = Pre-filter stateful alert events to ensure state changes are never missed
usage = public
tags = trackme

# Streaming command to expand the ML model outliers
[trackmesplkoutliersexpand-command]
syntax = | trackmesplkoutliersexpand
description = \
    This command retrieves and expands the ML Outliers models data \
    Syntax: \
    | inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkoutliersexpand
comment1 = \
    This command retrieves and expands the ML Outliers models data
example1 = \
    | inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkoutliersexpand
shortdesc = Streaming command to expand the ML Outliers models data
usage = public
tags = trackme

# Streaming command to expand the Flex Object extra_attributes
[trackmesplkflxexpandextra-command]
syntax = | trackmesplkflxexpandextra target=<target field name containing the list of objects stored in extra_attributes, defaults to objects>
description = \
    This command retrieves and expands the extra_attributes field for Flex Objects \
    Syntax: \
    | inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkflxexpandextra
comment1 = \
    This command retrieves and expands the extra_attributes field for Flex Objects
example1 = \
    | inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkflxexpandextra
shortdesc = Streaming command to expand the extra_attributes field for Flex Objects
usage = public
tags = trackme

# Streaming command to extract and define the dcount to be used for splk-dsm
[trackmesplksetcurrentdcounthost-command]
syntax = | trackmesplksetcurrentdcounthost
description = \
    This command defines the dcount host treshold for splk-dsm \
    Syntax: \
    | trackmesplksetcurrentdcounthost
comment1 = \
    This command defines the dcount host treshold for splk-dsm
example1 = \
    | inputlookup trackme_dsm_tenant_mytenant | trackmesplksetcurrentdcounthost
shortdesc = Retrieve and define the dcount host threshold for splk-dsm
usage = public
tags = trackme

# Generating command for adaptive delay inspector
[trackmesplkadaptivedelay-command]
syntax = | trackmesplkadaptivedelay tenant_id=<tenant identifier> component=<component name> min_delay_sec=<integer> min_historical_metrics_days=<integer> earliest_time_mstats=<earliest time for mstats> max_runtime=<max runtime for the job in seconds> max_auto_delay_sec=<The maximal delay value that the adaptive backend can set> max_changes_past_7days=<The maximal number of changes that can be performed in a 7 days time frame> review_period_no_days=<The relative time period for review. When entities were updated, TrackMe will review over time the behaviour and eventually adapt the threshold to take into accoount new patterns, expressed in number of days, valid options: 7, 15, 30> max_sla_percentage=<Entities with an SLA percentage greater than this value will not be processed to prevent from updating highly stable entities>
description = \
    This command inspects delayed entities for splk-feeds components and define an adaptive threshold delay value \
    Syntax: \
    | trackmesplkadaptivedelay tenant_id=<tenant identifier> component=<component name> min_delay_sec=<integer> min_historical_metrics_days=<integer> earliest_time_mstats=<earliest time for mstats> max_runtime=<max runtime for the job in seconds> max_auto_delay_sec=<The maximal delay value that the adaptive backend can set> max_changes_past_7days=<The maximal number of changes that can be performed in a 7 days time frame> review_period_no_days=<The relative time period for review. When entities were updated, TrackMe will review over time the behaviour and eventually adapt the threshold to take into accoount new patterns, expressed in number of days, valid options: 7, 15, 30> max_sla_percentage=<Entities with an SLA percentage greater than this value will not be processed to prevent from updating highly stable entities>
comment1 = \
    This command inspects delayed entities and define adaptive delay threshold
example1 = \
    | trackmesplkadaptivedelay tenant_id=01-feeds component=dsm
shortdesc = Generating command to inspect delayed entities and define adaptive delay threshold
usage = public
tags = trackme

# Generating command used to generate the search string filter for maintenance knowledge database in SLA calculations
[trackmereturnmaintenancedb-command]
syntax = | trackmereturnmaintenancedb tenant_id=<tenant identifier>
description = \
    This command generates the search string where filter for the maontenance knowledge database in SLA calculations \
    Syntax: \
    | trackmereturnmaintenancedb tenant_id=<tenant identifier>
comment1 = \
    This command returns the search string where filter for the maintenance knowledge database in SLA calculations
example1 = \
    | trackmereturnmaintenancedb tenant_id="mytenant"
shortdesc = Returns the search string where filter for the maintenance knowledge database in SLA calculations
usage = public
tags = trackme

# TrackMe decision maker backend
[trackmedecisionmaker-command]
syntax = | trackmedecisionmaker tenant_id=<tenant identifier> component=<component name>
description = \
    This streaming command is TrackMe's decision maker backend, which is used to defines entities status. \
    Syntax: \
    | trackmedecisionmaker
comment1 = \
    TrackMe decision maker defines the status of entities depending on the components and their context
example1 = \
    | trackmedecisionmaker
shortdesc = TrackMe decision maker defines the status of entities depending on the components and their context
usage = public
tags = trackme

# TrackMe splk-dsm tags tracker
[trackmesplktags-command]
syntax = | trackmesplktags tenant_id=<tenant identifier> component=<component name>
description = \
    This generating command applies the tags policies for splk-dsm, it acts as an SPL wrapper to the TrackMe REST API endpoint. \
    Syntax: \
    | trackmesplktags tenant_id=<tenant identifier> component=<component name>
comment1 = \
    TrackMe tags tracker for splk-dsm
example1 = \
    | trackmesplktags tenant_id="mytenant" component="dsm"
shortdesc = TrackMe tags tracker for splk-dsm
usage = public
tags = trackme

# TrackMe priority tracker
[trackmesplkpriority-command]
syntax = | trackmesplkpriority tenant_id=<tenant identifier> component=<component name>
description = \
    This generating command applies the priority policies, it acts as an SPL wrapper to the TrackMe REST API endpoint. \
    Syntax: \
    | trackmesplkpriority tenant_id=<tenant identifier> component=<component name>
comment1 = \
    TrackMe priority tracker
example1 = \
    | trackmesplkpriority tenant_id="mytenant" component="dsm"
shortdesc = TrackMe priority tracker
usage = public
tags = trackme

# TrackMe General Health Manager
[trackmegeneralhealthmanager-command]
syntax = | trackmegeneralhealthmanager
description = \
    This command executes TrackMe general health manager tasks \
    Syntax: \
    | trackmegeneralhealthmanager
comment1 = \
    This command executes TrackMe general health manager tasks
example1 = \
    | trackmegeneralhealthmanager
shortdesc = TrackMe General Health Manager
usage = public
tags = trackme

# TrackMe get component data with pagination for high scaling
[trackmegetcoll-command]
syntax = | trackmegetcoll tenant_id=<tenant identifier> component=<component name> mode=<the command mode, valid options are: records|stats, defaults to records> mode_view=<The mode_view, when applicable. Default is "minimal", valid options: minimal, full.> filter_key=<Optionnally filter on a given record using its key id> filter_object=<Optionnally filter on a given object name>
description = \
    This generating command retrieves records from a TrackMe KVstore collection with pagination and filtering capabilities for fast queries. \
    Syntax: \
    | trackmegetcoll tenant_id=<tenant identifier> component=<component name> mode=<the command mode, valid options are: records|stats, defaults to records> mode_view=<The mode_view, when applicable. Default is "minimal", valid options: minimal, full.> filter_key=<Optionnally filter on a given record using its key id> filter_object=<Optionnally filter on a given object name>
comment1 = \
    TrackMe get component data with pagination for high scaling
example1 = \
    | trackmegetcoll tenant_id="mytenant" component="flx"
shortdesc = TrackMe get component data with pagination for high scaling
usage = public
tags = trackme

# TrackMe perf get coll for testing purposes
[trackmegetlogicalgroups-command]
syntax = | trackmegetlogicalgroups tenant_id=<tenant identifier>
description = \
    This generating command retrieves retrieves the logical groups for verification purposes \
    Syntax: \
    | trackmegetlogicalgroups tenant_id=<tenant identifier>
comment1 = \
    TrackMe get logical groups
example1 = \
    | trackmegetlogicalgroups tenant_id="mytenant"
shortdesc = Get logical groups
usage = public
tags = trackme

# SLA class tracker wrapper
[trackmesplkslaclass-command]
syntax = | trackmesplkslaclass tenant_id=<the tenant identifier> component=<component>
description = \
    This generating command is used by the SLA tracker for the purposes of maintaining the SLA policies features.\
    Syntax: \
    | trackmesplkslaclass tenant_id=the tenant identifier> component=<component>
comment1 = \
    Example of a tracker
example1 = \
    | trackmesplkslaclass tenant_id="mytenant" component="dsm"
shortdesc = Maintains SLA policies

# Streaming command to calculate the object keyid
[trackmehashobject-command]
syntax = | trackmehashobject input_field="<field containing the object name>" output_field=<field containing the object keyid>
description = \
    This command is used to calculate the sha256 keyid derivated from object, taking in charge non unicode characters \
    Syntax: \
    | trackmehashobject input_field="<field containing the object name>" output_field=<field containing the object keyid>
comment1 = \
    This command is used to calculate the sha256 keyid derivated from object, taking in charge non unicode characters
example1 = \
    | makeresults | eval object="myobject" | trackmehashobject input_field="object" output_field="object_keyid"
shortdesc = This command is used to calculate the sha256 keyid derivated from object, taking in charge non unicode characters
usage = public
tags = trackme

# trackmemergesplkdhm - streaming
[trackmemergesplkdhm-command]
syntax = | trackmemergesplkdhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
description = \
    This stream custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis. \
    Syntax: \
    | trackmemergesplkdhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
comment1 = \
    This stream custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis.
example1 = \
    | trackmemergesplkdhm field_host="host" field_current="current_summary" field_previous="previous_summary"
shortdesc = This stream custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis.
usage = public
tags = trackme

# trackmemergesplkmhm - streaming
[trackmemergesplkmhm-command]
syntax = | trackmemergesplkmhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
description = \
    This stream custom command is used by splk-mhm to merge current and previous knowledge on a per entity basis. \
    Syntax: \
    | trackmemergesplkmhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
comment1 = \
    This stream custom command is used by splk-mhm to merge current and previous knowledge on a per entity basis.
example1 = \
    | trackmemergesplkmhm field_host="host" field_current="current_summary" field_previous="previous_summary"
shortdesc = This stream custom command is used by splk-mhm to merge current and previous knowledge on a per entity basis.
usage = public
tags = trackme

[trackmegetkos-command]
syntax = | trackmegetkos tenant_id=<tenant identifier>
description = \
    This command is a simple generating command to retrieve the list of knowledge objects for a given tenant \
    Syntax: \
    | trackmegetkos tenant_id=<tenant identifier>
comment1 = \
    This example retrieves all knowledge objects for a given tenant
example1 = \
    | trackmegetconf tenant_id=mytenant
shortdesc = Retrieve TrackMe Virtual Tenants knowledge objects
usage = public
tags = trackme

[trackmecheckbackups-command]
syntax = | trackmecheckbackups archives_list="<comma separated list of archives>"
description = \
    This command can be used to iterate through TrackMe backup archives, check and extract detailed information including knowledge objects \
    Syntax: \
    | trackmecheckbackups archives_list="<comma separated list of archives>"
comment1 = \
    This example checks all backups archives available on the server
example1 = \
    | trackmecheckbackups archives_list="trackme-backup-20241120-223310.tgz,trackme-backup-20241119-232503.tgz"
shortdesc = Check and extract detailed information from TrackMe backup archives
usage = public
tags = trackme

# TrackMe Splunk Feeds Delayed Inspector command
[trackmesplkfeedsdelayedinspector-command]
syntax = | trackmesplkfeedsdelayedinspector tenant_id=<tenant identifier> component=<component> max_runtime=<max runtime in seconds> object_name=<object name>
description = \
    This command is designed to execute the delayed entities inspector for Splunk feeds \
    Syntax: \
    | trackmesplkfeedsdelayedinspector tenant_id=<tenant identifier> component=<component> max_runtime=<max runtime in seconds> object_name=<object name>
comment1 = \
    This example executes the delayed entities inspector for a specific tenant and component
example1 = \
    | trackmesplkfeedsdelayedinspector tenant_id="mytenant" component="splk-dsm" max_runtime=300 object_name="test_feed"
shortdesc = Execute the delayed entities inspector for Splunk feeds
usage = public
tags = trackme

# A generating command to test remote accounts
[trackmetestremoteaccounts-command]
syntax = | trackmetestremoteaccounts accounts=<comma separated list of accounts>
description = \
    This generating command is used to test remote accounts \
    Syntax: \
    | trackmetestremoteaccounts accounts=<comma separated list of accounts>
comment1 = \
    This example tests the remote accounts
example1 = \
    | trackmetestremoteaccounts accounts="myaccount,myotheraccount"
shortdesc = Test remote accounts
usage = public
tags = trackme

# TrackMe Fields Quality command
[trackmefieldsquality-command]
syntax = | trackmefieldsquality fields_to_check_list=<list of fields> fields_to_check_fieldname=<fieldname containing list> fields_to_check_dict=<JSON dictionary> fields_to_check_dict_path=<path to JSON file> fields_to_check_dict_fieldname=<fieldname containing JSON dictionary> fields_to_check_search_command=<search command to generate the dictionary of fields to check> include_field_values=<boolean> pretty_print_json=<boolean> output_mode=<json|raw> summary_fieldname=<name of the summary field> metadata_fieldname=<name of the metadata field> metadata_fields=<CSV list of metadata fields>
description = \
    This command checks the quality of fields in records based on specified criteria. It can validate fields against a list, a fieldname, a JSON dictionary, or a JSON file. Optionally, it can include field values in the output and pretty print the JSON summary. The 'output_mode' option allows specifying the format of the output, either 'json' or 'raw'. The 'summary_fieldname' option defines the name of the summary field, and the 'metadata_fieldname' option defines the name of the metadata field added to the summary JSON. The 'metadata_fields' option allows specifying additional metadata fields to include in the JSON summary. The 'time_mode' option specifies the time generation mode, with valid options being 'event' or 'now'.\
    Syntax: \
    | trackmefieldsquality fields_to_check_list=<list of fields> fields_to_check_fieldname=<fieldname containing list> fields_to_check_dict=<JSON dictionary> fields_to_check_dict_path=<path to JSON file> fields_to_check_dict_fieldname=<fieldname containing JSON dictionary> fields_to_check_search_command=<search command to generate the dictionary of fields to check> include_field_values=<boolean> pretty_print_json=<boolean> output_mode=<json|raw> summary_fieldname=<name of the summary field> metadata_fieldname=<name of the metadata field> metadata_fields=<CSV list of metadata fields>
comment1 = \
    This example checks fields quality, specifies the output mode as 'json', uses custom field names for summary and metadata, includes additional metadata fields, and sets the time mode to 'event'.
example1 = \
    | trackmefieldsquality fields_to_check_list="field1,field2" output_mode="json" summary_fieldname="custom_summary" metadata_fieldname="custom_metadata" metadata_fields="field1,field2" time_mode="event"
shortdesc = Check the quality of fields in records, specify output mode, customize field names, include additional metadata fields, and set time mode
usage = public
tags = trackme

# Streaming command to extract results from trackmefieldsquality
[trackmefieldsqualityextract-command]
syntax = | trackmefieldsqualityextract input_field=<field containing the JSON data> metadata_fieldname=<name of the metadata field>
description = \
    This command extracts results from trackmefieldsquality and creates a new record for each field. \
    Syntax: \
    | trackmefieldsqualityextract input_field=<field containing the JSON data> metadata_fieldname=<name of the metadata field>
comment1 = \
    This example extracts results from trackmefieldsquality and creates a new record for each field.
example1 = \
    | trackmefieldsqualityextract input_field="_raw" metadata_fieldname="metadata"
shortdesc = Extract results from trackmefieldsquality and create a new record for each field
usage = public
tags = trackme

# Streaming command to generate summary of trackmefieldsquality
[trackmefieldsqualitygensummary-command]
syntax = | trackmefieldsqualitygensummary maxvals=<max number of distinct values to report> fieldvalues_format=<format of field_values, either list or csv> groupby_metadata_fields=<comma separated list of metadata fields to group by in addition to fieldname>
description = \
    This command generates a summary of the quality of fields in records. \
    Syntax: \
    | trackmefieldsqualitygensummary maxvals=<max number of distinct values to report> fieldvalues_format=<format of field_values, either list or csv> groupby_metadata_fields=<comma separated list of metadata fields to group by in addition to fieldname>
comment1 = \
    This example generates a summary of the quality of fields in records.
example1 = \
    | trackmefieldsqualitygensummary maxvals=15 fieldvalues_format=csv groupby_metadata_fields="metadata.datamodel,metadata.nodename,metadata.index,metadata.sourcetype"
shortdesc = Generate summary of the quality of fields in records
usage = public
tags = trackme

# Generating command to generate the dictionary of fields to check for CIM compliance
[trackmefieldsqualitygendict-command]
syntax = | trackmefieldsqualitygendict datamodel=<datamodel name> show_only_recommended_fields=<boolean> allow_unknown=<boolean> allow_empty_or_missing=<boolean>
description = \
    This command generates the dictionary of fields to check for CIM compliance. \
    Syntax: \
    | trackmefieldsqualitygendict datamodel=<datamodel name> show_only_recommended_fields=<boolean> allow_unknown=<boolean> allow_empty_or_missing=<boolean>
comment1 = \
    This example generates the dictionary of fields to check for CIM compliance.
example1 = \
    | trackmefieldsqualitygendict datamodel="Authentication" show_only_recommended_fields=true
shortdesc = Generate the dictionary of fields to check for CIM compliance
usage = public
tags = trackme

# Streaming command to push undiscovered entities to splk-dsm
[trackmepushdatasource-command]
syntax = trackmepushdatasource tenant_id=<string> search_type=(tstats|raw) [show_search_query=<bool>] [show_search_results=<bool>] [pretend_latest=<string>] show_search_results=<bool> show_search_query=<bool> pretend_latest=<string> component=<component, dsm or dhm>
shortdesc = Pushes data source information to TrackMe splk-dsm collection.
description = Processes incoming records containing object, index, and sourcetype fields. Checks if objects exist in the KV store collection and adds missing ones. \
             The command requires a tenant_id and search_type (tstats or raw) to be specified. Optional parameters allow controlling the output format and time settings.
example1 = | inputlookup ds_expected.csv | eval object = index . ":" . sourcetype | trackmepushdatasource component=dsm search_type=tstats tenant_id=mytenant show_search_query=True show_search_results=True pretend_latest="-24h"
example2 = | inputlookup ds_expected.csv | eval object = index . ":" . sourcetype | trackmepushdatasource component=dsm search_type=tstats tenant_id=mytenant show_search_query=True show_search_results=True pretend_latest="-24h"
usage = public
tags = trackme

# Streaming command to expand tokens in a streaming fashion
[trackmeexpandtokens-command]
syntax = | trackmeexpandtokens
description = \
    This command expands tokens in a streaming fashion. \
    Syntax: \
    | trackmeexpandtokens
comment1 = \
    This example expands tokens in a streaming fashion.
example1 = | makeresults | eval user="foo", count="10" | eval result="user $user$ has done $count$ attempts" | trackmeexpandtokens
shortdesc = Expand tokens in a streaming fashion
usage = public
tags = trackme

# TrackMe Splunk Feeds Fields Quality command
[trackmesplkfqmparse-command]
syntax = | trackmesplkfqmparse tenant_id=<tenant identifier> context=<context, live or simulation> object_metadata_list=<comma separated list of metadata fields> default_threshold_fields=<default threshold for fields> default_threshold_global=<default threshold for global> max_sec_inactive=<max seconds inactive> tracker_name=<tracker name> tracker_index=<tracker index>
description = \
    This command is used to parse the fields quality of a Splunk feed. \
    Syntax: \
    | trackmesplkfqmparse tenant_id=<tenant identifier> context=<context, live or simulation> object_metadata_list=<comma separated list of metadata fields> default_threshold_fields=<default threshold for fields> default_threshold_global=<default threshold for global> max_sec_inactive=<max seconds inactive> tracker_name=<tracker name> tracker_index=<tracker index>
comment1 = \
    This example parses the fields quality of a Splunk feed.
example1 = | trackmesplkfqmparse tenant_id="mytenant" context="live" group_name_field="group_name" sub_group_name_field="sub_group_name" object_metadata_list="metadata.datamodel,metadata.nodename,metadata.index,metadata.sourcetype" default_threshold_fields=99 default_threshold_global=100 max_sec_inactive=604800 tracker_name="mytracker" tracker_index=summary
shortdesc = Parse the fields quality of a Splunk feed
usage = public
tags = trackme

# trackmeyamlpath, a streaming custom command to parse YAML in a streaming fashion
[trackmeyamlpath-command]
syntax = | trackmeyamlpath yaml_fieldname=<field containing the YAML data, default to _raw>
description = \
    This command parses YAML in a streaming fashion. \
    Syntax: \
    | trackmeyamlpath yaml_fieldname=<field containing the YAML data, default to _raw>
comment1 = \
    This example parses YAML in a streaming fashion.
example1 = | trackmeyamlpath yaml_fieldname="yaml_data"
shortdesc = Parse YAML in a streaming fashion
usage = public
tags = trackme