[logging]
loglevel = INFO
[index_settings]
# Global index search filter: a search filter which matches all TrackMe indexes
trackme_idx_search_filter = trackme_*
# index target for the notable events
trackme_notable_idx = trackme_notable
# index target for the summary events
trackme_summary_idx = trackme_summary
# index target for the metric events
trackme_metric_idx = trackme_metrics
# index target for the audit events
trackme_audit_idx = trackme_audit
[trackme_ui_defaults]
# Default color theme for unified React user interfaces (dark or light), defaults to dark
default_theme = dark
# Enable or disable auto-refresh by default for all user interfaces
auto_refresh = 1
# Show detailed priority breakdown in Virtual Tenants cards (0 = No, 1 = Yes), defaults to 0
vtenants_card_detail_level = 0
[trackme_general]
# For backends that use multi-threading, such as trackmepersistentfields, this setting defines the maximum number of workers that can process data in parallel. The number of workers is derived from the number of CPU cores available on the system and capped at this value (formula: max_workers = cpu_cores * 2, but never more than this value). Set to 1 to disable multi-threading.
max_multi_thread_workers = 16
# This setting is used at the Virtual Tenant creation phase; once created, the setting is held at the level of the Virtual Tenant account. Pagination can be remote (server side) or local (client side); in most cases, client side leads to better load time, especially when filtering on entities.
pagination_mode = local
# This setting is used at the Virtual Tenant creation phase; once created, the setting is held at the level of the Virtual Tenant account. The pagination size drives the number of records per page; too many records on the same page for high scale collections can negatively impact UI performance at load time.
pagination_size = 10000
# Define the default sharing level, app or global, when TrackMe creates knowledge objects
trackme_default_sharing = app
# Preset the default owner user in the Virtual Tenants user interfaces when creating new Virtual Tenants
trackme_owner_default = nobody
# Preset default admin / power / user roles in the Virtual Tenants user interfaces when creating new Virtual Tenants
trackme_admin_role_default = trackme_admin
trackme_power_role_default = trackme_power
trackme_user_role_default = trackme_user
# Defines the volume of fields retained in the summary state events, to limit storage and license costs; since v2.0.68 this is a minimal mode in which only the top key information is retained
state_events_minimal = 1
# If minimal mode is set, this defines the allow list of fields: only these fields can be part of the state events
state_events_allowlist = alias,anomaly_reason,key,object,object_category,priority,object_state,monitored_state,status_message,tags,tenant_id
# If full mode is set, this defines the block list of fields: these fields will not be part of the state events
state_events_blocklist = _raw,info_max_time,info_min_time,info_search_time,info_sid,splk_dhm_st_summary,splk_dhm_st_summary_compact,splk_dhm_st_summary_full,metric_details,object_state,tracker_runtime,previous_tracker_runtime
# Enables the TrackMe Config Manager (TCM) and sets the mode; the TCM is used for CI/CD purposes. In receiver mode transactions are sent to TCM, in replay mode transactions are replayed from TCM
enable_conf_manager_receiver = 0
# The default expiration duration in days for StateFul Alerts in the KVstore collections
trackme_stateful_records_expiration_days = 30
# The default expiration duration in days for StateFul Charts in the KVstore collections
trackme_stateful_charts_records_expiration_days = 2
# The default acknowledgment duration in seconds to be selected as the default choice in the Ack user interface
trackme_ack_duration_default = 86400
# Automatically remove an Acknowledgment when the anomaly reason changes; applies to both sticky and unsticky Acks. If this option is enabled and the list of anomaly conditions has changed for a given entity, TrackMe removes the Ack, which ensures that a new alert is raised if the entity encounters a new or different alerting condition.
trackme_ack_remove_on_reason_change = 1
# Used in association with the anomaly reason change behaviour, this defines the minimal amount of time in seconds between the creation of the Ack and its expiration due to an anomaly reason change; the Ack will not expire until this minimal amount of time has elapsed.
trackme_ack_remove_on_reason_change_min_time_sec = 3600
# Restricts Ack removal on anomaly reason change depending on whether the Ack was created by a user or automatically by TrackMe's alert action. If enabled, only Auto Acks expire when the anomaly reason changes; User Acks are not impacted.
trackme_ack_remove_on_reason_change_auto_ack_only = 1
# When an entity goes back to green, an acknowledgment is not removed until it has expired; set this option to True for the acknowledgment to be removed when the entity goes back to green
trackme_ack_remove_when_green = 1
# localhost MTA - Allowed email domains
allowed_email_domains =
# localhost MTA - Sender email
sender_email = splunk
# localhost MTA - Email format
email_format = html
# localhost MTA - Email footer
email_footer = This is an automated email, please do not reply directly to this email.
[splk_data_sampling]
# Minimum time in seconds between two iterations of sampling per entity
splk_data_sampling_min_time_btw_iterations_seconds = 3600
# This defines the number of records to be sampled and verified per entity during the data sampling process; a higher value improves event format recognition at the cost of more processing per entity, but does not affect the number of records stored in the KVstore, which is controlled by the next setting.
splk_data_sampling_no_records_per_entity = 10000
# This defines the number of records kept in the KVstore for inspection purposes at each iteration. When data sampling is performed, a sample of x records per matched model is stored in the KVstore for inspection and review; increasing this value increases the amount of KVstore storage required. Note that this option is ignored if data sampling obfuscation is enabled at the Virtual Tenant level (in that case, raw events are not stored in the KVstore).
splk_data_sampling_no_records_saved_kvrecord = 10
# Character size limit before we truncate events when storing sampled records in the KVstore for inspection
splk_data_sampling_records_kvrecord_truncate_size = 40000
# Min inclusive model matched percentage (float)
splk_data_sampling_pct_min_major_inclusive_model_match = 98
# Max exclusive model matched percentage (float)
splk_data_sampling_pct_max_exclusive_model_match = 0
# The relative time window size in seconds
splk_data_sampling_relative_time_window_seconds = 3600
[splk_outliers_detection]
# The minimal number of days of available historical metrics for the confidence level to be considered as normal
splk_outliers_min_days_history = 7
# Duration in seconds required between two ML model training operations for a given entity (7 days by default)
splk_outliers_time_train_mlmodels_default = 604800
# Duration in seconds required between two ML model monitor operations for a given entity
splk_outliers_time_monitor_mlmodels_default = 3600
# Max run time in seconds for the ML model training job; should be defined consistently with the cron schedule of the job
splk_outliers_max_runtime_train_mlmodels_default = 900
# When executing a rendering operation, TrackMe verifies the last time the model was trained; if the elapsed time exceeds the value set here, the model is retrained automatically before rendering (defaults to 15 days)
splk_outliers_max_days_since_last_train_default = 15
# Enable or disable by default the volume outliers detection for a newly discovered entity; the feature can still be managed on demand per entity.
splk_outliers_detection_disable_default = 0
# The default calculation used for outliers calculation
splk_outliers_calculation_default = avg
# The default lower threshold value for density calculations
splk_outliers_density_lower_threshold_default = 0.005
# The default upper threshold value for density calculations
splk_outliers_density_upper_threshold_default = 0.005
# Alert when the lower bound threshold is breached for volume based KPIs, true by default (abnormal decrease of events)
splk_outliers_alert_lower_threshold_volume_default = 1
# Alert when the upper bound threshold is breached for volume based KPIs, false by default; depending on the context, alerting on a volume increase can make sense, but only the owner can take that decision (abnormal increase of events)
splk_outliers_alert_upper_threshold_volume_default = 0
# Alert when the lower bound threshold is breached for latency based KPIs, false by default; for latency, getting lower is a good thing (abnormal decrease of latency)
splk_outliers_alert_lower_threshold_latency_default = 0
# Alert when the upper bound threshold is breached for latency based KPIs, true by default, abnormally high latency is obviously a bad thing (abnormal increase of latency)
splk_outliers_alert_upper_threshold_latency_default = 1
# The default time period used for outliers calculations
splk_outliers_detection_period_default = -30d
# The relative time quantifier for the latest time used by default for outliers calculations, applied during entity discovery and can be updated per entity. Defaults to now and can accept Splunk relative time quantifiers such as -1h@h.
splk_outliers_detection_period_latest_default = -1d
# The default time factor used for outliers calculations
splk_outliers_detection_timefactor_default = %H
# The default kpi metric for latency outliers detection
splk_outliers_detection_latency_kpi_metric_default = None
# The default kpi metric for volume outliers detection
splk_outliers_detection_volume_kpi_metric_default = splk.feeds.avg_eventcount_5m
# When defining the model, enable or disable auto_correct by default; auto correction is based on the minimal lower and upper deviation.
splk_outliers_auto_correct = 1
# The minimal percentage of outlier deviation compared to the current KPI value for LowerBound; if an outlier does not deviate by at least this percentage, up or down, it is considered a false positive
splk_outliers_perc_min_lowerbound_deviation_default = 25.0
# The minimal percentage of outlier deviation compared to the current KPI value for UpperBound; if an outlier does not deviate by at least this percentage, up or down, it is considered a false positive
splk_outliers_perc_min_upperbound_deviation_default = 25.0
# TrackMe uses the MLTK DensityFunction algorithm; you can add custom algorithms as a comma separated list of values, and these become automatically selectable in the different Outliers configuration screens in TrackMe.
splk_outliers_mltk_algorithms_list = DensityFunction
# If you have multiple algorithms, you can define here which algorithm is used by default when TrackMe defines the ML model rules, which usually happens at entity discovery, or when adding/resetting ML models.
splk_outliers_mltk_algorithms_default = DensityFunction
# You can optionally add extra parameters to the MLTK fit command (training phase) at the time the ML rules are defined (generally when entities are discovered), for instance: exclude_dist=\"beta\" to exclude Beta distributions for the density function; see the MLTK documentation for more information.
splk_outliers_fit_extra_parameters =
# You can optionally add extra parameters to the MLTK apply command (rendering phase) at the time the ML rules are defined (generally when entities are discovered), for instance: sample=\"True\"; see the MLTK documentation for more information. Default is empty for no extra parameters.
splk_outliers_apply_extra_parameters =
# This defines the name of the boundaries extraction macro used when defining ML model rules, usually at the time of entity discovery or when defining a new model.
splk_outliers_boundaries_extraction_macro_default = splk_outliers_extract_boundaries
# This defines the list of boundaries macros; if you need a custom macro to extract boundaries according to a custom algorithm, you can add a comma separated list of macros which become automatically selectable in the TrackMe Outliers management screens.
splk_outliers_boundaries_extraction_macros_list = splk_outliers_extract_boundaries
# You can define a default value for the static lowerBound threshold, if defined this overrides the calculated lowerBound.
splk_outliers_static_lower_threshold_default =
# You can define a default value for the static upperBound threshold, if defined this overrides the calculated upperBound.
splk_outliers_static_upper_threshold_default =
[splk_general]
# The filter for indexers and/or heavy forwarders; this is used by views and searches that look at splunkd activity
splk_general_idx_filter = host=*
# The default threshold applied for splk-dsm based entities when discovered, defines the default threshold for events latency
splk_general_dsm_threshold_default = 3600
# The default threshold applied for splk-dsm based entities when discovered, defines the default threshold for events delay
splk_general_dsm_delay_default = 3600
# The default threshold applied for splk-dhm based entities when discovered, defines the default threshold for events latency and delay
splk_general_dhm_threshold_default = 3600
# The default threshold applied for splk-dhm based entities when discovered, defines the default threshold for events delay
splk_general_dhm_delay_default = 86400
# The default threshold applied for metric based entities (splk-mhm) when discovered, defines the default threshold for metrics delay
splk_general_mhm_threshold_default = 900
# Defines the tolerance, as a negative number of seconds, before data is assumed to be indexed in the future
splk_general_feeds_future_tolerance = -600
# Defines the period in relative days after which an inactive entity (not actively sending data) is disabled automatically; set to 0d to disable the feature
splk_general_feeds_auto_disablement_period = 90d
# Defines the minimum time in seconds between inspections for the 24 hours range delayed inspector
splk_general_feeds_delayed_inspector_24hours_range_min_sec = 14400
# Defines the minimum time in seconds between inspections for the 7 days range delayed inspector
splk_general_feeds_delayed_inspector_7days_range_min_sec = 43200
# Defines the minimum time in seconds between inspections for the until disabled range delayed inspector
splk_general_feeds_delayed_inspector_until_disabled_range_min_sec = 172800
# System level number of parallel concurrent searches for Shared Elastic sources; this can be overridden on a per tenant basis using max_concurrent_searches on the Shared Elastic tracker
splk_general_elastic_max_concurrent = 3
# For the Workload component (splk-wlk), defines the list of parameters used for the version_id hash calculation (versioning), expected as a CSV list of saved search parameters; wildcard patterns are supported. Note that changing this value leads to the re-calculation of all known object version_id values. (example addition: cron_schedule, *notable*)
splk_general_workload_version_id_keys = search,dispatch.earliest,dispatch.latest,description,cron_schedule,disabled,is_scheduled
# The default CMDB integration search for splk_dsm
splk_general_dsm_cmdb_search = | inputlookup my_cmdb where (index="$data_index$" AND sourcetype="$data_sourcetype$")
# The default CMDB integration search for splk_dhm
splk_general_dhm_cmdb_search = | inputlookup my_cmdb where (host="$alias$")
# The default CMDB integration search for splk_mhm
splk_general_mhm_cmdb_search = | inputlookup my_cmdb where (host="$alias$")
# The default CMDB integration search for splk_cim
splk_general_cim_cmdb_search = | inputlookup my_cmdb where (object="$object$")
# The default CMDB integration search for splk_flx
splk_general_flx_cmdb_search = | inputlookup my_cmdb where (object="$object$")
# The default CMDB integration search for splk_fqm
splk_general_fqm_cmdb_search = | inputlookup my_cmdb where (object="$object$")
# The default CMDB integration search for splk_wlk
splk_general_wlk_cmdb_search = | inputlookup my_cmdb where (savedsearch_name="$savedsearch_name$")
# In TrackMe's UI, you can reference a documentation note and link per entity; use this option to define a global default documentation note, which appears as the default and can still be overridden on a per entity basis
splk_general_dsm_docs_note_global =
# In TrackMe's UI, you can reference a documentation note and link per entity; use this option to define a global default documentation link, which appears as the default and can still be overridden on a per entity basis
splk_general_dsm_docs_link_global =
[sla]
# A JSON dictionary which defines the list of SLA classes and their respective threshold and rank; this can be used to define different SLA classes with different thresholds. The default class is always applied to all entities.
sla_classes = {"gold": {"sla_threshold": 14400, "rank": 3}, "silver": {"sla_threshold": 86400, "rank": 2}, "platinum": {"sla_threshold": 172800, "rank": 1}}
# The default SLA class applied when discovering entities; this can be overridden per entity as well as through SLA policies. The default SLA class must exist in the SLA classes definition above.
sla_default_class = silver
# The frequency in seconds at which SLA breach events are generated (sourcetype=trackme:sla_breaches); default is 604800 (7 days).
sla_breaches_events_frequency = 604800
[maintenance]
# Defines whether SLA exclusions should exclude planned only, unplanned only, or both planned and unplanned events.
maintenance_kdb_exclusion_behaviour = planned