Splunk_Deploiement/apps/trackme/default/savedsearches.conf

# savedsearches.conf

# Note: Custom timeline visualization settings have been removed. The React UI uses @splunk/visualizations/Timeline instead.
[default]

# Used for the vtenant UI to display the scheduler activity
# This search is to be executed under admin privileged (run as owner)

[trackme_scheduler_completness]
description = This non scheduled report shows the scheduler activity for the vtenant UI
dispatch.earliest_time = -15m
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = `scheduler_completness`

[trackme_scheduler_completness_overtime]
description = This non scheduled report shows the scheduler activity over time for the vtenant UI
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = `scheduler_completness_overtime`

[trackme_scheduler_completness_pertenant]
description = This non scheduled report shows the scheduler activity per tenant for the vtenant UI
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = `scheduler_completness_per_tenant`

[trackme_internal_scheduling_ui_main_search]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal host="*" source=*scheduler.log status="*" NOT (status="continued" OR status=delegated*) trackme app="trackme" \
| timechart span=1d avg(run_time) AS avg_run_time, max(run_time) AS max_run_time, sum(run_time) AS sum_run_time \
| stats avg(avg_run_time) AS avg_run_time, avg(max_run_time) AS max_run_time, avg(sum_run_time) AS sum_run_time

[trackme_internal_scheduling_ui_main_table]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal host="*" source=*scheduler.log status="*" AND status!="continued" trackme app="trackme" \
| stats avg(run_time) AS avg_run_time, max(run_time) AS max_run_time, latest(run_time) AS latest_run_time, max(_time) AS "last_run (dd/mm/YYYY H:M:S)" by app,savedsearch_name \
| append [ | rest splunk_server=local /servicesNS/-/trackme/saved/searches | search eai:acl.app="trackme" disabled=0 | fields eai:acl.app, title, cron_schedule, schedule_window, disabled, next_scheduled_time | sort limit=0 title | rename eai:acl.app as app, title as savedsearch_name ] \
| stats first(*) as "*" by app, savedsearch_name \
| where cron_schedule!="" \
| eval "last_run (dd/mm/YYYY H:M:S)"=strftime('last_run (dd/mm/YYYY H:M:S)', "%d/%m/%Y %H:%M:%S") \
| foreach *_run_time [ eval <<FIELD>>=round('<<FIELD>>', 2) ] \
| sort - avg_run_time | rename savedsearch_name AS "report (savedsearch_name)" \
| eval duration_avg=tostring(avg_run_time, "duration"), duration_max=tostring(max_run_time, "duration"), duration_latest=tostring(latest_run_time, "duration") \
| eval "Avg run time (seconds / duration)" = avg_run_time + " sec / " + duration_avg + " (HH:MM:SSS)" \
| eval "Max run time (seconds / duration)" = max_run_time + " sec / " + duration_avg + " (HH:MM:SSS)" \
| eval "Latest run time (seconds / duration)" = latest_run_time + " sec / " + duration_avg + " (HH:MM:SSS)" \
| fields app,report*,Avg*,Max*,Latest*,"last_run (dd/mm/YYYY H:M:S)", avg_run_time, cron_schedule, disabled, next_scheduled_time, schedule_window

[trackme_internal_scheduling_ui_summary]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal host="*" source=*scheduler.log status="*" NOT (status="continued" OR status=delegated*) trackme app="trackme" \
| bucket _time span=5m \
| stats count AS count by _time \
| stats avg(count) AS avg_scheduled_per_5min

[trackme_internal_scheduling_ui_count]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = (index=_internal sourcetype=scheduler app="trackme") \
| eval alert_actions=if((isnull(alert_actions) OR (alert_actions == "")),"none",alert_actions) \
| eval status=case(status=="success" OR status=="completed", "completed", status=="skipped", "skipped", status=="continued", "deferred") \
| search (status="completed" OR status="deferred" OR status="skipped") \
| stats count by status \
| sort - count \
| eventstats sum(count) AS total \
| eval percent=(round(((count / total) * 100),2) . " %") \
| fields - total \
| rename status as Status, app as App, user as User, savedsearch_name as "Report Name", alert_actions as "Alert Actions", count as Count, percent as "Percent of Total"

[trackme_internal_scheduling_ui_count_overtime]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = (index=_internal sourcetype=scheduler app="trackme") \
| eval status=case(status=="success" OR status=="completed", "completed", status=="skipped", "skipped", status=="continued", "deferred") \
| eval alert_actions = if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions) \
| search (status="completed" OR status="deferred" OR status="skipped") \
| timechart partial=f count by status

[trackme_internal_scheduling_ui_tracker_perf]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal (sourcetype=trackme:custom_commands:*) report=* run_time=*\
| eval report=if(sourcetype="trackme:custom_commands:trackmetrackerexecutor", report . " (earliest=" . earliest . ", latest=" . latest . ")", report) \
| where isnotnull(report) \
| timechart limit=0 avg(run_time) as avg_run_time by report

[trackme_internal_scheduling_ui_tracker_perf_table]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal (sourcetype=trackme:custom_commands:*) report=* run_time=* \
| eval report=if(sourcetype="trackme:custom_commands:trackmetrackerexecutor", report . " (earliest=" . earliest . ", latest=" . latest . ")", report) \
| stats avg(run_time) as avg_run_time, perc95(run_time) as perc95_run_time, max(run_time) as max_run_time, latest(run_time) as latest_run_time, sparkline(avg(run_time),) As avg_sparkline by report | sort limit=0 report \
| foreach avg_run_time perc95_run_time max_run_time latest_run_time [ eval <<FIELD>> = round('<<FIELD>>', 3) ]

[trackme_internal_scheduling_ui_executor_logs]
description = For the internal scheduling UI (handles non privileged accesses)
dispatch.earliest_time = -24h
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = index=_internal (sourcetype=trackme:custom_commands:*) report=*

# Tenants Ops status
[trackme_ops_status]
description = This non scheduled report shows the operational status for the vtenant UI
dispatch.earliest_time = -5m
dispatch.latest_time = now
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
is_visible = false
search = | trackmetenantstatus\
| eval status_num=if((last_status == "success"),0,1)\
| stats sum(status_num) as tenant_status_num, values(last_status) as tenant_statuses by tenant_id\
| stats first(tenant_status_num) as tenant_status_num, values(tenant_statuses) as tenant_statuses, dc(tenant_statuses) as tenant_statuses_dcount by tenant_id\
| eval status=case(\
tenant_status_num=0, "OPERATIONAL",\
tenant_statuses_dcount=1 AND tenant_statuses=="none", "PENDING",\
1=1, "DEGRADED"\
)\
| chart count by status\
| eval color = case(\
match(status, "OPERATIONAL"), "#45D4BA",\
match(status, "PENDING"), "#FBC02D",\
match(status, "DEGRADED"), "#e85b79"\
)

# Ack tracker (will be enabled automatically the health tracker of the first tenant that will be created)
[trackme_ack_expiration_tracker]
cron_schedule = 1-56/5 * * * *
description = This scheduled report manages the acknowledgment expiration
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
schedule_window = 5
dispatch.ttl = 600 # 10 ttl for this artefact
search = | trackmeacktracker tenant_id=* action=ack_expired

# Global maintenance mode tracker (will be enabled automatically the health tracker of the first tenant that will be created)
[trackme_maintenance_mode_tracker]
cron_schedule = */5 * * * *
description = This scheduled report checks and maintains the global maintenance mode status
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = search
schedule_window = 5
run_on_startup = true
dispatch.ttl = 600 # 10m ttl for this artefact
search  = | trackme mode=get url="/services/trackme/v2/maintenance/check_global_maintenance_status" \
| append [ \
    | trackme mode=post url="/services/trackme/v2/maintenance_kdb/admin/maintenance_kdb_check_expired" \
]

# Global replica tracker orchestrator (will be enabled if and when a first replica tracker is created)
[trackme_replica_executor]
cron_schedule = */5 * * * *
description = This scheduled orchestrates the execution of replica trackers for all tenants
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = search
schedule_window = 5
search  = | trackmereplicaexecutor tenants_filter_list=* max_runtime_sec=300

# Backup scheduler (will be enabled automatically the health tracker of the first tenant that will be created)
[trackme_backup_scheduler]
alert.track = 0
cron_schedule = 0 2 * * *
description = This scheduled report performs backup of TrackMe KVstore collections, and purges older backup archive files.
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = search
schedule_window = 15
search = | trackme url=/services/trackme/v2/backup_and_restore/backup mode=post\
| append [ | trackme url=/services/trackme/v2/backup_and_restore/backup mode=delete body="{'retention_days': '30'}" ]\
| append [ | trackme url=/services/trackme/v2/backup_and_restore/backup mode=get body="{'mode': 'summary'}" | spath | rename "backup_files{}" as "backup_files"\
| eval backup_count=if(isnull(backup_count), 0, backup_count), backup_files=if(isnull(backup_files), "none", backup_files)\
| eval report="List of identified or known backup files (" . backup_count . ")"\
| eval _raw="{\"report\": \"" . report . "\", \"backup_files\": \" [ " . mvjoin(backup_files, ",") . " ]\"}" ]

# TrackMe general health manager (will be enabled automatically the health tracker of the first tenant that will be created)
# This scheduled report is designed to handle general health related tasks for TrackMe which are not tenant specific
[trackme_general_health_manager]
alert.track = 0
cron_schedule = 0 8 * * *
description = This sheduled reports performs various health and maintenance tasks for TrackMe which are not tenant specific.
disabled = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = search
schedule_window = 15
search = | trackmegeneralhealthmanager