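# transforms.conf
#
# TrackMe indexed fields
#
# The following key fields are written as indexed fields for optimisation purposes:
# - tenant_id: identifies the tenant involved in the generated data
# - object_category: identifies the component
# - object: identifies the entity
#
# NOTE(review): these transforms set WRITE_META without REPEAT_MATCH and without
# SOURCE_KEY, so the value comes from the first match in the event text. If
# events can embed strings supplied by monitored sources, confirm that a
# tenant_id fragment appearing earlier in the event cannot take the place of
# the real value, since tenant-scoped searches rely on this indexed field.

# Matches "tenant_id":"<value>" and "tenant_id"="<value>", with at most one
# whitespace character after the separator. The separator class is [:=]: a "|"
# inside a character class is a literal pipe, not an alternation.
[trackme_indexed_tenant_id]
REGEX = \"tenant_id\"[:=]\s{0,1}\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true

# JSON form only: "tenant_id": "<value>" with exactly one whitespace character
# after the colon.
[trackme_indexed_json_tenant_id]
REGEX = \"tenant_id\":\s\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true

# key=value form: tenant_id="<value>" with an unquoted key.
# NOTE(review): the pattern is not anchored on the left, so it also matches a
# longer key that merely ends in tenant_id; confirm this is acceptable.
[trackme_indexed_kv_tenant_id]
REGEX = tenant_id=\"([^\"]+)\"
FORMAT = tenant_id::$1
WRITE_META = true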
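# Indexed field object_category.
# Matches "object_category":"<value>" and "object_category"="<value>", with at
# most one whitespace character after the separator. The separator class is
# [:=]: a "|" inside a character class is a literal pipe, not an alternation.
[trackme_indexed_object_category]
REGEX = \"object_category\"[:=]\s{0,1}\"([^\"]+)\"
FORMAT = object_category::$1
WRITE_META = true

# JSON form only: "object_category": "<value>" with exactly one whitespace
# character after the colon.
[trackme_indexed_json_object_category]
REGEX = \"object_category\":\s\"([^\"]+)\"
FORMAT = object_category::$1
WRITE_META = true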
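# Indexed field object.
# Matches "object":"<value>" and "object"="<value>", with at most one
# whitespace character after the separator. The separator class is [:=]: a "|"
# inside a character class is a literal pipe, not an alternation.
[trackme_indexed_object]
REGEX = \"object\"[:=]\s{0,1}\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true

# key=value form: object="<value>" with an unquoted key.
# NOTE(review): the pattern is not anchored on the left, so it also matches a
# longer key that merely ends in object; confirm this is acceptable.
[trackme_indexed_kv_object]
REGEX = object=\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true

# JSON form only: "object": "<value>" with exactly one whitespace character
# after the colon.
[trackme_indexed_json_object]
REGEX = \"object\":\s\"([^\"]+)\"
FORMAT = object::$1
WRITE_META = true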
# This indexed field is specific to sourcetype=trackme:state and allows
# high-performance tstats searches for SLA purposes.
# Both stanzas below carry the same pattern: "monitored_state": "<value>" with
# exactly one whitespace character after the colon.
# NOTE(review): the two definitions are identical; presumably both names are
# referenced elsewhere, confirm before consolidating.
[trackme_indexed_monitored_state]
REGEX = \"monitored_state\":\s\"([^\"]+)\"
FORMAT = monitored_state::$1
WRITE_META = true

[trackme_indexed_json_monitored_state]
REGEX = \"monitored_state\":\s\"([^\"]+)\"
FORMAT = monitored_state::$1
WRITE_META = true
########################################
# Virtual tenancy and user preferences #
########################################

#
# TrackMe virtual tenants
#
# KV store lookup over kv_trackme_virtual_tenants. Besides the tenant identity
# and status, the record lists the role fields tenant_roles_admin,
# tenant_roles_user and tenant_roles_power.
# NOTE(review): the role fields look like they drive per-tenant access; write
# access to this lookup and its collection is governed by ACLs defined outside
# this file, confirm it is limited to administrators.
[trackme_virtual_tenants]
external_type = kvstore
collection = kv_trackme_virtual_tenants
fields_list = _key, tenant_name, tenant_id, tenant_status, tenant_desc, tenant_owner, tenant_roles_admin, tenant_roles_user, tenant_roles_power, tenant_objects_exec_summary, tenant_dsm_enabled, tenant_dhm_enabled, tenant_mhm_enabled, tenant_cim_enabled, tenant_flx_enabled, tenant_wlk_enabled, tenant_fqm_enabled, tenant_dsm_hybrid_objects, tenant_dhm_hybrid_objects, tenant_mhm_hybrid_objects, tenant_flx_hybrid_objects, tenant_fqm_hybrid_objects, tenant_wlk_hybrid_objects, tenant_cim_objects, tenant_flx_objects, tenant_fqm_objects, tenant_wlk_objects, tenant_alert_objects, tenant_idx_settings, schema_version, schema_version_mtime, tenant_replica_objects, tenant_replica
# Entities summary
# This collection gives quick access to the number of entities and a status
# summary. For each component (cim, dsm, dhm, mhm, flx, fqm, wlk) the record
# holds the entity count, the red-priority counters, the summary and extended
# stats, and the last execution field.
[trackme_virtual_tenants_entities_summary]
external_type = kvstore
collection = kv_trackme_virtual_tenants_entities_summary
fields_list = _key, tenant_id, cim_entities, cim_low_red_priority, cim_medium_red_priority, cim_high_red_priority, cim_critical_red_priority, cim_summary_stats, cim_extended_stats, dsm_entities, dsm_low_red_priority, dsm_medium_red_priority, dsm_high_red_priority, dsm_critical_red_priority, dsm_summary_stats, dsm_extended_stats, dhm_entities, dhm_low_red_priority, dhm_medium_red_priority, dhm_high_red_priority, dhm_critical_red_priority, dhm_summary_stats, dhm_extended_stats, mhm_entities, mhm_low_red_priority, mhm_medium_red_priority, mhm_high_red_priority, mhm_critical_red_priority, mhm_summary_stats, mhm_extended_stats, flx_entities, flx_low_red_priority, flx_medium_red_priority, flx_high_red_priority, flx_critical_red_priority, flx_summary_stats, flx_extended_stats, fqm_entities, fqm_low_red_priority, fqm_medium_red_priority, fqm_high_red_priority, fqm_critical_red_priority, fqm_summary_stats, fqm_extended_stats, wlk_entities, wlk_low_red_priority, wlk_medium_red_priority, wlk_high_red_priority, wlk_critical_red_priority, wlk_summary_stats, wlk_extended_stats, dsm_last_exec, dhm_last_exec, mhm_last_exec, cim_last_exec, flx_last_exec, fqm_last_exec, wlk_last_exec
#
# Alerting maintenance mode
#
# KV store lookup over kv_trackme_maintenance_mode. The record keeps the
# maintenance flags and window together with src_user and the change comment.
# NOTE(review): maintenance mode presumably silences alerting, so changes to
# this collection are worth auditing; confirm that write access is restricted
# by the ACLs defined outside this file.
[trackme_maintenance_mode]
external_type = kvstore
collection = kv_trackme_maintenance_mode
fields_list = _key, tenants_scope, maintenance, maintenance_mode, maintenance_message, maintenance_comment, maintenance_mode_start, maintenance_mode_end, maintenance_countdown, change_comment, src_user, time_started, time_updated, epoch_started, epoch_updated, knowledge_record_id
#
# Maintenance knowledge database: stores maintenance knowledge records, which
# can influence SLA calculations
#
# KV store lookup over kv_trackme_maintenance_kdb.
[trackme_maintenance_kdb]
external_type = kvstore
collection = kv_trackme_maintenance_kdb
fields_list = _key, tenants_scope, is_disabled, no_days_validity, reason, type, add_info, src_user, time_start, time_end, time_expiration, ctime, mtime
#
# Bank holidays: stores the bank holiday periods during which alerts are
# prevented from triggering
#
# KV store lookup over kv_trackme_bank_holidays.
# NOTE(review): a period stored here suppresses alerting, so confirm that
# write access is restricted by the ACLs defined outside this file.
[trackme_bank_holidays]
external_type = kvstore
collection = kv_trackme_bank_holidays
fields_list = _key, period_name, start_date, end_date, comment, country_code, is_recurring, src_user, time_created, time_updated, maintenance_kdb_key
#
# Backup collection: stores the metadata of the backup files held on each
# server
#
# KV store lookup over kv_trackme_backup_archives_info.
[trackme_backup_archives_info]
external_type = kvstore
collection = kv_trackme_backup_archives_info
fields_list = _key, server_name, backup_archive, size, status, archive_details, kvstore_collections_size, change_type, mtime, htime, comment
#
# License key: this KV store collection is used to store the license key
#
# NOTE(review): license_string holds the license material itself. Who can read
# this lookup and its collection is decided by ACLs defined outside this file;
# confirm that read access is not granted to every user of the app.
[trackme_license_key]
external_type = kvstore
collection = kv_trackme_license_key
fields_list = _key, license_string, license_type
#
# Remote account token expiration metadata store: this KV store collection
# holds the expiration-related metadata of remote accounts
#
# NOTE(review): remote_bearer_token_id is presumably an identifier and not the
# bearer token value; confirm that no secret is written to this collection.
[trackme_remote_account_token_expiration]
external_type = kvstore
collection = kv_trackme_remote_account_token_expiration
fields_list = _key, account, mtime, last_message, remote_bearer_token_id
######
# CIM
######

# Pre-defined regular expressions for CIM compliance (CSV lookup).
# The field column is matched as a wildcard and at most one row is returned.
[trackme_cim_regex]
filename = trackme_cim_regex.csv
match_type = WILDCARD(field)
max_matches = 1

# Second version of the pre-defined regular expressions for CIM compliance.
# Both the datamodel and the field columns are matched as wildcards.
[trackme_cim_regex_v2]
filename = trackme_cim_regex_v2.csv
match_type = WILDCARD(datamodel) WILDCARD(field)
max_matches = 1

# Pre-defined recommended fields for CIM compliance (CSV lookup).
# The lookup is case sensitive and always returns exactly one result: when no
# row matches, the string given by default_match ("false") is returned.
[trackme_cim_recommended_fields]
filename = trackme_cim_recommended_fields.csv
default_match = false
case_sensitive_match = 1
max_matches = 1
min_matches = 1
#
# events
#
# Index-time routing driven by fields of the event itself:
# - index: target_index when it is set and non-empty, else "trackme_metrics"
# - sourcetype / source: copied from target_sourcetype / target_source
# - _raw: replaced with the content of the event field
# - event and the target_* helper fields are then cleared with := null()
# NOTE(review): index, sourcetype and source are all taken from event content,
# so whoever can submit events that reach this transform selects the
# destination index. Confirm that only trusted producers can do so, and that
# target_sourcetype / target_source are always set, because unlike index they
# have no fallback value here.
[trackme_events_ingest_evals]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics"), sourcetype=target_sourcetype, source=target_source, _raw=event, event:=null(), target_index:=null(), target_sourcetype:=null(), target_source:=null()
#
# audit events
#
# Index-time routing for audit events:
# - index: target_index when it is set and non-empty, else "trackme_audit"
# - sourcetype and source: fixed to "trackme:audit"
# - _raw: replaced with the content of the event field
# - event and target_index are then cleared with := null()
# NOTE(review): the destination index of an audit record is taken from the
# target_index field of the event. Confirm that only trusted producers can
# emit events that reach this transform, so that audit records cannot be
# steered away from the index that is retained and monitored.
[trackme_audit_events_ingest_evals]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_audit"), sourcetype="trackme:audit", source="trackme:audit", _raw=event, event:=null(), target_index:=null()
#
# events to metrics
#

#
# scoring metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_scoring_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_scoring_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.scoring"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_scoring_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value
# made of an optional minus sign, digits and dots) as an indexed field.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_scoring_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_scoring_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.scoring = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.scoring = target_index,metrics_event
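#
# sla metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_sla_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_sla_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.sla"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_sla_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_sla_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_sla_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.sla = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.sla = target_index,metrics_event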
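#
# components_register metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_components_register_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_components_register_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.components_register"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_components_register_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_components_register_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_components_register_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.components_register = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.components_register = target_index,metrics_event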
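#
# splk-dsm metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_splk_dsm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_splk_dsm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_dsm"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_splk_dsm_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_splk_dsm_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_splk_dsm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_dsm = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_dsm = target_index,metrics_event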
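#
# splk-dhm metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_splk_dhm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_splk_dhm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_dhm"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_splk_dhm_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_splk_dhm_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_splk_dhm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_dhm = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_dhm = target_index,metrics_event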
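#
# splk-mhm metrics
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_splk_mhm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_splk_mhm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk_mhm"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_splk_mhm_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_splk_mhm_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_splk_mhm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk_mhm = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk_mhm = target_index,metrics_event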
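#
# splk-flx
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_flx_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_flx_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.flx"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_flx_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_flx_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_flx_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.flx = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.flx = target_index,metrics_event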
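#
# splk-fqm
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_fqm_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_fqm_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.fqm"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_fqm_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every \"key\": <number> pair (backslash-escaped quotes, unquoted value)
# as an indexed field. The value class is [\d\.] only: a "|" inside a character
# class would be a literal pipe, not an alternation. This matches the pattern
# of trackme_scoring_metrics_field_extraction_json.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_fqm_metrics_field_extraction_json]
REGEX = \\\"([a-zA-Z0-9_\.]+)\\\":\s(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_fqm_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.fqm = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.fqm = target_index,metrics_event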
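#
# splk-wlk
#

# Route the event to the index named by its target_index field, falling back
# to trackme_metrics when the field is missing or empty.
# NOTE(review): the destination index is chosen by event content; confirm that
# only trusted producers can emit events that reach this transform.
[trackme_wlk_metrics_index_redirect]
INGEST_EVAL = index=if(isnotnull(target_index) AND target_index!="", target_index, "trackme_metrics")

# Set the metric name of this family.
[trackme_wlk_metrics_metric_name]
INGEST_EVAL = metric_name="trackme.splk.wlk"

# Write every "key": "value" pair (quoted string value) as an indexed field.
# Keys are limited to letters, digits, underscore and dot; REPEAT_MATCH applies
# the pattern to each pair found in the event.
[trackme_wlk_metrics_field_extraction]
REGEX = \"([a-zA-Z0-9_\.]+)\":\s\"([^\"]+)\"
FORMAT = $1::"$2"
REPEAT_MATCH = true
WRITE_META = true

# Write every escaped key / unquoted number pair as an indexed field. The value
# class is [\d\.] only: a "|" inside a character class would be a literal pipe,
# not an alternation.
# NOTE(review): this pattern expects three literal backslashes before each
# quote and no whitespace after the colon, whereas the other metric families
# in this file expect one backslash and one whitespace character. Presumably
# wlk events carry doubly-escaped JSON; confirm against a sample event.
# NOTE(review): the value group also matches an empty string; confirm that an
# empty $2 is harmless when the value is not numeric.
[trackme_wlk_metrics_field_extraction_json]
REGEX = \\\\\\\"([a-zA-Z0-9_\.]+)\\\\\\\":(\-{0,1}[\d\.]*)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

# Log-to-metrics schema: every numeric field becomes a measure, and
# target_index / metrics_event are excluded from the dimensions.
[metric-schema:trackme_wlk_metrics_extract_schema]
METRIC-SCHEMA-MEASURES-trackme.splk.wlk = _ALLNUMS_
METRIC-SCHEMA-BLACKLIST-DIMS-trackme.splk.wlk = target_index,metrics_event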