# searchbnf.conf - search assistant syntax and help definitions for the TrackMe custom search commands
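# Generic REST API wrapper: runs a get / post / delete HTTP call against a TrackMe API endpoint
# NOTE(review): searchbnf.conf only feeds the search assistant; it does not restrict who may run
# this command (mode=delete included) - access control is enforced outside this file.
[trackme-command]
syntax = | trackme url=<API endpoint> mode=<HTTP method: get/post/delete> params=<Optional: provides HTTP params in a json format, for get only> body=<Optional: provides the HTTP body in a json format>
description = \
This command is a REST API wrapper for TrackMe API endpoints, it allows performing \
get / post / delete HTTP calls against an endpoint and returns a JSON format answer. \
Syntax: \
| trackme url=<API endpoint> mode=<HTTP method: get/post/delete> params=<Optional: provides HTTP params in a json format, for get only> body=<Optional: provides the HTTP body in a json format>
comment1 = \
This example calls the smart_status endpoint to provide an advanced status with automated \
correlations and investigations.
example1 = \
| trackme url=/services/trackme/v2/splk_smart_status/ds_smart_status mode=get body="{'object': 'firewall:pan:traffic'}"
shortdesc = REST API wrapper for TrackMe, allows performing \
get / post / delete HTTP calls against an endpoint.
usage = public
tags = trackme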
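# Generating command returning the application level configuration stanzas, parameters and values
[trackmegetconf-command]
syntax = | trackmegetconf target=<Optional, the configuration stanza target, use * for all stanzas>
description = \
This command is a simple generating command to retrieve the application level configuration stanzas, parameters and values \
Syntax: \
| trackmegetconf target=<Optional, the configuration stanza target, use * for all stanzas>
comment1 = \
This example retrieves all parameters and values for the trackme_general configuration items
example1 = \
| trackmegetconf target=trackme_general
shortdesc = Retrieve TrackMe application level configuration parameters and values
usage = public
tags = trackme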
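# Performs remote search to any Splunk instance over REST, using a bearer token and an account configured
# The bearer token comes from the configured account, not from the search arguments
[splunkremotesearch-command]
syntax = | splunkremotesearch account=<configured remote account> search=<Splunk SPL search> earliest=<earliest quantifier> latest=<latest quantifier> component=<the component> register_component=<enable registering exceptions in the component> tenant_id=<tenant identifier> report=<tracker report name> run_against_each_member=<boolean, run the search against each member of the account> report_runtime=<boolean, report the runtime of the search> sample_ratio=<sample ratio, if provided, the search will be sampled>
description = \
This command is a REST remote search for Splunk, it allows performing \
any search to a remote Splunk deployment and returns a JSON format answer. \
Syntax: \
| splunkremotesearch account=<configured remote account> search=<Splunk SPL search> earliest=<earliest quantifier> latest=<latest quantifier> component=<the component> register_component=<enable registering exceptions in the component> tenant_id=<tenant identifier> report=<tracker report name> run_against_each_member=<boolean, run the search against each member of the account> report_runtime=<boolean, report the runtime of the search> sample_ratio=<sample ratio, if provided, the search will be sampled>
comment1 = \
This example performs a simple magic search to a remote Splunk deployment
example1 = \
| splunkremotesearch account=acme_splunk search="| tstats max(_indextime) as data_last_ingest, min(_time) as data_first_time_seen, max(_time) as data_last_time_seen, count as data_eventcount, dc(host) as dcount_host where index=\"firewall\" | eval object=\"test\", data_index=\"test\", data_sourcetype=\"pan:traffic\", data_last_ingestion_lag_seen=data_last_ingest-data_last_time_seen" earliest="-4h" latest="+4h"
shortdesc = REST remote search for Splunk, it allows performing \
any search to a remote Splunk deployment and returns a JSON format answer.
usage = public
tags = trackme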
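# The Data Sampling mass executor
# NOTE(review): the mode list in syntax omits get_live_samples while the description's Syntax line
# includes it - confirm the supported modes and align both lines.
[trackmesamplingexecutor-command]
syntax = | trackmesamplingexecutor tenant_id=<tenant identifier> mode=<run mode (optional), valid options: run_sampling|test_sampling|test_model|get_samples|show_kvrecord> object=<object value, used if mode is get_samples> earliest=<earliest quantifier> latest=<latest quantifier> get_samples_max_count=<max number of events to be sampled in get samples mode> max_runtime=<max runtime in seconds> regex_expression=<if mode is test_model, the regex expression to test> model_type=<if mode is test_model, the model type to test, valid options are: inclusive|exclusive> model_name=<if mode is test_model, the model name to test> sourcetype_scope=<if mode is test_model, the sourcetype scope to test>
description = \
This command is the TrackMe data sampling mass job executor \
Syntax: \
| trackmesamplingexecutor tenant_id=<tenant identifier> mode=<run mode (optional), valid options: run_sampling|test_sampling|test_model|get_samples|get_live_samples|show_kvrecord> object=<object value, used if mode is get_samples> earliest=<earliest quantifier> latest=<latest quantifier> get_samples_max_count=<max number of events to be sampled in get samples mode> max_runtime=<max runtime in seconds> regex_expression=<if mode is test_model, the regex expression to test> model_type=<if mode is test_model, the model type to test, valid options are: inclusive|exclusive> model_name=<if mode is test_model, the model name to test> sourcetype_scope=<if mode is test_model, the sourcetype scope to test>
comment1 = \
This example performs the mass data sampling main job
example1 = \
| trackmesamplingexecutor tenant_id="my_tenant"
shortdesc = TrackMe Data Sampling mass executor job
usage = public
tags = trackme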
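# The Elastic Sources shared mass executor
[trackmeelasticexecutor-command]
syntax = | trackmeelasticexecutor tenant_id=<Tenant identifier> component=<TrackMe component> margin_sec=<the time in seconds to be used as margin when calculating the max runtime of the job depending on its cron schedule> max_concurrent_searches=<the maximum number of concurrent searches to be executed>
description = \
This command is the TrackMe Elastic Sources shared mass job executor \
Syntax: \
| trackmeelasticexecutor tenant_id=<Tenant identifier> component=<TrackMe component> margin_sec=<the time in seconds to be used as margin when calculating the max runtime of the job depending on its cron schedule> max_concurrent_searches=<the maximum number of concurrent searches to be executed>
comment1 = \
This example performs the Elastic Sources shared mass main job
example1 = \
| trackmeelasticexecutor tenant_id="mytenant" component="dsm"
shortdesc = TrackMe Elastic Sources shared mass executor job
usage = public
tags = trackme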
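# Performs the controlled and monitored execution of a TrackMe tracker
[trackmetrackerexecutor-command]
syntax = | trackmetrackerexecutor tenant_id=<Tenant identifier> component=<Trackme component> report=<Splunk report name> args=<optional arguments for the report> earliest=<earliest quantifier> latest=<latest quantifier> alert_no_results=<alert if no results are found, valid options: True|False (default True)> force_savedsearch_execmode=<force execution mode to be savedsearch, valid options: True|False (default False)>
description = \
This command is a Python wrapper to execute TrackMe trackers jobs in a controlled and monitored manner \
Syntax: \
| trackmetrackerexecutor tenant_id=<Tenant identifier> component=<Trackme component> report=<Splunk report name> args=<optional arguments for the report> earliest=<earliest quantifier> latest=<latest quantifier> alert_no_results=<alert if no results are found, valid options: True|False (default True)> force_savedsearch_execmode=<force execution mode to be savedsearch, valid options: True|False (default False)>
comment1 = \
This is an example of a TrackMe tracker execution.
example1 = \
| trackmetrackerexecutor tenant_id="mytenant" component="splk-dsm" report="trackme_dsm_hybrid_tracker-39858981_wrapper_tenant_feeds-secops" earliest="-4h" latest="+4h"
shortdesc = Python wrapper to execute TrackMe trackers jobs in a controlled and monitored manner
usage = public
tags = trackme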
# Generating command returning the tenant root content visible to the current user (RBAC)
[trackmeload-command]
shortdesc = Python wrapper to retrieve the tenant JSON data according to RBAC
syntax = | trackmeload mode=<mode, valid options: full|expanded>
description = \
This command retrieves the tenant root content, depending on the roles membership from the user running the command \
Syntax: \
| trackmeload mode=<mode, valid options: full|expanded>
comment1 = \
This example retrieves the tenant JSON data according to the user's roles membership
example1 = \
| trackmeload
usage = public
tags = trackme
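# Load the TrackMe tenant status summary (or the RBAC filtered list of tenants)
[trackmetenantstatus-command]
syntax = | trackmetenantstatus tenant_id=<optional: the tenant identifier> output=<optional: return the status record, or the list of RBAC filtered tenants, valid options: status | tenants>
description = \
This command retrieves the tenants status summary data, and renders it to be investigated easily in Splunk \
Syntax: \
| trackmetenantstatus tenant_id=<optional: the tenant identifier> output=<optional: return the status record, or the list of RBAC filtered tenants, valid options: status | tenants>
comment1 = \
This example retrieves the summary status data for all tenants
example1 = \
| trackmetenantstatus output="status"
shortdesc = Python wrapper to retrieve tenants status summary data
usage = public
tags = trackme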
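# Generating command producing flipping status events for a tenant and object category
[trackmesplkgetflipping-command]
syntax = | trackmesplkgetflipping tenant_id=<the tenant identifier> object_category=<the object category>
description = \
This command is used to generate flipping status events using the TrackMe libs trackme_audit_flip function \
Syntax: \
| trackmesplkgetflipping tenant_id=<the tenant identifier> object_category=<the object category> | spath | fields - _raw
comment1 = \
This example generates the flipping status events for splk-dsm
example1 = \
| trackmesplkgetflipping tenant_id="mytenant" object_category="splk-dsm" | spath | fields - _raw
shortdesc = Generate flipping statuses events
usage = public
tags = trackme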
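# Acknowledgment expiration tracker: reads the Ack collections and expires acknowledgement records
[trackmeacktracker-command]
syntax = | trackmeacktracker tenant_id=<Optional, the tenant identifier> action=<Optional, the action, valid options are: ack_expired | force_expire_all_ack>
description = \
This command is used to manage the Acknowledgment expiration, it is a generating command which will read all Ack collections and expire acknowledgements records as needed \
Syntax: \
| trackmeacktracker tenant_id=<Optional, the tenant identifier> action=<Optional, the action, valid options are: ack_expired | force_expire_all_ack>
comment1 = \
This example manages acknowledgements expiration for all tenants
example1 = \
| trackmeacktracker
shortdesc = Handles the acknowledgment expiration for tenant collections
usage = public
tags = trackme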
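# Streaming command to manually generate a new notable event from the results of a TrackMe alert
[trackmegennotable-command]
syntax = | savedsearch <Trackme alert name> | trackmegennotable notable_title=<Optional, the value of the notable title (source Metadata), defaults to trackme:notable if not specified>
description = \
This streaming command can be used to manually generate a new notable event \
Syntax: \
| savedsearch <Trackme alert name> | trackmegennotable notable_title=<Optional, the value of the notable title (source Metadata), defaults to trackme:notable if not specified>
comment1 = \
This example generates a new notable event
example1 = \
| savedsearch "TrackMe alert tenant_id:mytenant - Alert custom on data_source" | trackmegennotable
shortdesc = Manually generate a new TrackMe notable event
usage = public
tags = trackme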
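# TrackMe streaming summary events custom command: indexes upstream results as summary events
# NOTE(review): the default for source differs between the syntax line (trackme:state) and the
# description's Syntax line (trackme:summary) - confirm the real default and align both.
[trackmecollect-command]
syntax = | trackmecollect index=<Optional, index target for the summary events, if unspecified the app configuration level value will be used> source=<Optional, source Metadata value for the summary events, defaults to trackme:state> sourcetype=<Optional, sourcetype Metadata value for the summary events, defaults to trackme:state>
description = \
This streaming command can be used to generate and index TrackMe summary events \
Syntax: \
| trackmecollect index=<Optional, index target for the summary events, if unspecified the app configuration level value will be used> source=<Optional, source Metadata value for the summary events, defaults to trackme:summary> sourcetype=<Optional, sourcetype Metadata value for the summary events, defaults to trackme:state>
comment1 = \
This example generates and indexes summary events into the trackme_summary index
example1 = \
| trackmecollect index="trackme_summary" source="current_state_tracking:splk-dsm:mytenant" sourcetype="trackme:state"
shortdesc = Generate and index TrackMe summary events
usage = public
tags = trackme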
# Generating command running the health tracker component for a tenant
[trackmetrackerhealth-command]
shortdesc = Tracks the health status of a TrackMe tenant
syntax = | trackmetrackerhealth tenant_id=<tenant identifier> get_acl=<boolean, retrieve ACLs information for the tenant knowledge objects, disabled by default as this can generate more rest traffic and load>
description = \
This generating command is designed to execute the health tracker component for the tenant \
Syntax: \
| trackmetrackerhealth tenant_id=<tenant identifier> get_acl=<boolean, retrieve ACLs information for the tenant knowledge objects, disabled by default as this can generate more rest traffic and load>
comment1 = \
This example tracks the health of the tenant
example1 = \
| trackmetrackerhealth tenant_id="mytenant" get_acl=True
usage = public
tags = trackme
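# Streaming command to load and pretty print json fields
[trackmeprettyjson-command]
syntax = | trackmeprettyjson fields=<comma separated list of fields to pretty print JSON> remove_nonpositive_num=<boolean> remove_null=<boolean> merge=<if multiple fields provided, merge into a single metrics field, True|False> merge_field_target=<if merge, defines the field target>
description = \
This streaming command can be used to pretty print a list of JSON fields \
Syntax: \
| trackmeprettyjson fields=<comma separated list of fields to pretty print JSON> remove_nonpositive_num=<boolean> remove_null=<boolean> merge=<if multiple fields provided, merge into a single metrics field, True|False> merge_field_target=<if merge, defines the field target>
comment1 = \
This example pretty prints the field job_component_register
example1 = \
| trackmeprettyjson fields="job_component_register"
shortdesc = Pretty print a list of JSON fields
usage = public
tags = trackme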
# Generating command returning the JSON value passed in json_value
[trackmeyieldjson-command]
shortdesc = Yield a JSON value
syntax = | trackmeyieldjson json_value=<JSON value>
description = \
This generating command can be used to yield a JSON value \
Syntax: \
| trackmeyieldjson json_value=<JSON value>
comment1 = \
This example yields a JSON value
example1 = \
| trackmeyieldjson json_value="{\"key1\": \"value1\", \"key2\": \"value2\"}"
usage = public
tags = trackme
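# Streaming command to expand the job component register
[trackmeopsstatusexpand-command]
syntax = | trackmeopsstatusexpand
description = \
This command retrieves and expands the job component register \
Syntax: \
| trackmeopsstatusexpand
comment1 = \
This example retrieves and expands the job component register
example1 = \
| trackmeopsstatusexpand
shortdesc = Retrieve and expand the job component register
usage = public
tags = trackme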
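# Streaming command to set splk outliers rules
[trackmesplkoutlierssetrules-command]
syntax = | trackmesplkoutlierssetrules tenant_id=<tenant_id> component=<component>
description = \
This streaming command is called to generate the splk outliers rules \
Syntax: \
| trackmesplkoutlierssetrules tenant_id=<tenant_id> component=<component>
comment1 = \
This example generates splk outliers rules for splk-dsm
example1 = \
| trackmesplkoutlierssetrules tenant_id="mytenant" component="dsm"
shortdesc = Generates the splk outliers rules
usage = public
tags = trackme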
# Generating command training the Machine Learning outliers models of one entity (live or simulation)
[trackmesplkoutlierstrain-command]
shortdesc = Train the splk outliers Machine Learning models
syntax = | trackmesplkoutlierstrain tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> mode=<live|simulation> model_json_def=<The JSON model for simulation>
description = \
This generating command is called to train the Machine Learning outliers detections models for a given entity \
Syntax: \
| trackmesplkoutlierstrain tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> mode=<live|simulation> model_json_def=<The JSON model for simulation>
comment1 = \
This example trains defined Machine Learning models for a given entity
example1 = \
| trackmesplkoutlierstrain tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
| trackmesplkoutlierstrain tenant_id="mytenant" component="dsm" object_id="abc123"
usage = public
tags = trackme
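# Generating command to render machine learning outliers for a given entity and a given trained model
[trackmesplkoutliersrender-command]
syntax = | trackmesplkoutliersrender tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> earliest=<earliest quantifier> latest=<latest quantifier> lowerbound_negative=<True|False boolean, allow/deny negative lowerBound> auto_correct=<True|False boolean, enable or disable auto threshold correction> mode=<live|simulation> model_json_def=<The JSON model for simulation> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
description = \
This generating command is called to render the Machine Learning outliers detections for a given entity and a given trained model \
Syntax: \
| trackmesplkoutliersrender tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id> earliest=<earliest quantifier> latest=<latest quantifier> lowerbound_negative=<True|False boolean, allow/deny negative lowerBound> auto_correct=<True|False boolean, enable or disable auto threshold correction> mode=<live|simulation> model_json_def=<The JSON model for simulation> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
comment1 = \
This example renders trained Machine Learning outliers for a given entity
example1 = \
| trackmesplkoutliersrender tenant_id="mytenant" component="dsm" object="my_entity" earliest="-7d" latest="now"
example2 = \
| trackmesplkoutliersrender tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd" earliest="-7d" latest="now"
shortdesc = Render the splk outliers Machine Learning results
usage = public
tags = trackme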
# Generating command returning the Machine Learning outliers rules of the selected entities
[trackmesplkoutliersgetrules-command]
shortdesc = Render the splk outliers Machine Learning rules
syntax = | trackmesplkoutliersgetrules tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id>
description = \
This generating command is called to render the Machine Learning outliers detections rules \
Syntax: \
| trackmesplkoutliersgetrules tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id> model_id=<Optional, filter on a model_id>
comment1 = \
This example renders Machine Learning outliers rules for a given entity
example1 = \
| trackmesplkoutliersgetrules tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
| trackmesplkoutliersgetrules tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd"
usage = public
tags = trackme
# Generating command returning the Machine Learning outliers data of the selected entities
[trackmesplkoutliersgetdata-command]
shortdesc = Render the splk outliers Machine Learning data
syntax = | trackmesplkoutliersgetdata tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id>
description = \
This generating command is called to render the Machine Learning outliers detections data \
Syntax: \
| trackmesplkoutliersgetdata tenant_id=<tenant_id> component=<component> object=<Optional, object> object_id=<Optional, object_id>
comment1 = \
This example renders Machine Learning outliers data for a given entity
example1 = \
| trackmesplkoutliersgetdata tenant_id="mytenant" component="dsm" object="my_entity"
example2 = \
| trackmesplkoutliersgetdata tenant_id="mytenant" component="dsm" object_id="a23302f92eac2435ad33dba5237bb9e5feed3d6be819cfeb7b88f2c55bc35edd"
usage = public
tags = trackme
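# Generating command executing regular training of the entities ML models
[trackmesplkoutlierstrainhelper-command]
syntax = | trackmesplkoutlierstrainhelper tenant_id=<tenant_id> component=<component> max_runtime_sec=<max runtime for the job in seconds>
description = \
This generating command is called to train and maintain Machine Learning models for TrackMe entities \
Syntax: \
| trackmesplkoutlierstrainhelper tenant_id=<tenant_id> component=<component> max_runtime_sec=<max runtime for the job in seconds>
comment1 = \
This example trains and maintains the Machine Learning models of the dsm component entities for the tenant
example1 = \
| trackmesplkoutlierstrainhelper tenant_id="mytenant" component="dsm"
shortdesc = Machine Learning models training executor
usage = public
tags = trackme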
# Generating command tracking the current outliers status of the models defined on the tenant entities
[trackmesplkoutlierstrackerhelper-command]
shortdesc = Machine Learning models tracking executor
syntax = | trackmesplkoutlierstrackerhelper tenant_id=<tenant_id> component=<component> object=<Optional, specify an object> object_id=<Optional, specify an object_id> max_runtime=<max runtime of the job in seconds, optional and defaults to 600> force_run=<True|False (default False), if True, do not honour minimal amount of time between two monitor executions> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
description = \
This generating command is called to track the current outliers statuses for models defined in the tenant's entities \
Syntax: \
| trackmesplkoutlierstrackerhelper tenant_id=<tenant_id> component=<component> object=<Optional, specify an object> object_id=<Optional, specify an object_id> max_runtime=<max runtime of the job in seconds, optional and defaults to 600> force_run=<True|False (default False), if True, do not honour minimal amount of time between two monitor executions> allow_auto_train=<True|False, allows automated training if last train is out of date, defaults to False>
comment1 = \
This example tracks the outliers status for all models defined in tenant's entities
example1 = \
| trackmesplkoutlierstrackerhelper tenant_id="mytenant" component="dsm" max_runtime="600"
example2 = \
| trackmesplkoutlierstrackerhelper tenant_id="mytenant" component="dsm" object_id="abc123" force_run="True"
usage = public
tags = trackme
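# Generating command used to generate search filtering expressions according to allow / block lists of the tenants depending on the context
[trackmeblocklistgen-command]
syntax = | trackmeblocklistgen tenant_id=<tenant_id> component=<component> regex=<true|false - filter on non regex or regex based records> addprefix=<Add a prefix, optional> fields=<Comma separated list of fields, optional> target=<allowlist | blocklist> store_cache=<Store the result in a KVstore cache for fast usage, true|false>
description = \
This generating command is called to generate filtering expressions according to the tenant and component data set configuration \
Syntax: \
| trackmeblocklistgen tenant_id=<tenant_id> component=<component> regex=<true|false - filter on non regex or regex based records> addprefix=<Add a prefix, optional> fields=<Comma separated list of fields, optional> target=<allowlist | blocklist> store_cache=<Store the result in a KVstore cache for fast usage, true|false>
comment1 = \
This example generates the allowlist filtering expression from the non regex based records of the dsm component
example1 = \
| trackmeblocklistgen tenant_id="mytenant" component="dsm" regex="false" target="allowlist"
shortdesc = BlockList filtering expression generator
usage = public
tags = trackme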
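# Generating command to automatically get the API endpoints documentation
[trackmeapiautodocs-command]
syntax = | trackmeapiautodocs target=<the type of endpoints, valid options are: groups | endpoints>
description = \
This generating command automatically generates the list of API endpoints per resource group and lists its configuration information and examples \
Syntax: \
| trackmeapiautodocs target=<the type of endpoints, valid options are: groups | endpoints>
comment1 = \
This example lists all API endpoints with their associated documentation
example1 = \
| trackmeapiautodocs target="endpoints"
shortdesc = TrackMe API documentation auto-generator
usage = public
tags = trackme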
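# Streaming command to parse upstream search results for the splk-flx component
[trackmesplkflxparse-command]
syntax = | trackmesplkflxparse tenant_id=<tenant_id> context=<live|simulation> remove_raw=<true|false> remove_time=<true|false>
description = \
This streaming custom command is designed to parse search results for the purposes of the splk-flx component \
Syntax: \
<upstream search> | trackmesplkflxparse tenant_id=<tenant_id> context=<live|simulation> remove_raw=<true|false> remove_time=<true|false>
comment1 = \
This example parses upstream search results for the splk-flx component
example1 = \
| trackmesplkflxparse tenant_id="mytenant"
shortdesc = TrackMe Splk Flex Objects tracking search parser
usage = public
tags = trackme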
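# Generating command for splk-flx converging trackers
[trackmesplkflxconverging-command]
syntax = | trackmesplkflxconverging tenants_scope=<comma separated lists of tenants where entities should be sourced from> object=<object> object_description=<object description> group=<group> root_constraint=<root constraint> consider_orange_as_up=<True|False> remove_extra_attributes=<true|false> min_pct_for_green=<minimum percentage of availability required for the status to be green (1). Default is 100>
description = \
This generating command is designed to parse search results for the purposes of the splk-flx component and converging trackers \
Syntax: \
| trackmesplkflxconverging tenants_scope=<comma separated lists of tenants where entities should be sourced from> object=<object> object_description=<object description> group=<group> root_constraint=<root constraint> consider_orange_as_up=<True|False> remove_extra_attributes=<true|false> min_pct_for_green=<minimum percentage of availability required for the status to be green (1). Default is 100>
comment1 = \
This example shows the converging trackers for the splk-flx component
example1 = \
| trackmesplkflxconverging tenants_scope="mytenant1,mytenant2" object="sla-service-demo" object_description="Datamodels correlated KPI" group="datamodels" root_constraint="group=datamodels" consider_orange_as_up=True
shortdesc = TrackMe Splk Flex Objects converging tracking search parser
usage = public
tags = trackme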
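# Simple utility to extract stats for splk-dhm
[trackmestsummarysplkdhm-command]
syntax = | trackmestsummarysplkdhm
description = \
This streaming custom command is designed to extract statistics from the dictionary for splk-dhm entities \
Syntax: \
| trackmestsummarysplkdhm
comment1 = \
This example extracts statistics from the dictionary for splk-dhm entities
example1 = \
| trackmestsummarysplkdhm
shortdesc = Python wrapper to extract statistics from the dictionary for splk-dhm
usage = public
tags = trackme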
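# Streaming command to check and preserve persistent fields from conflicting updates, as well as optionally inserting and updating records in the KVstore collection
[trackmepersistentfields-command]
syntax = | trackmepersistentfields collection=<collection> key=<key field> update_collection=<update or insert in the collection as needed>
description = \
This streaming custom command is designed to protect TrackMe persistent fields from conflicting updates, as well as optionally replacing the Splunk outputlookup command \
Syntax: \
| trackmepersistentfields collection=<collection> key=<key field> update_collection=<update or insert in the collection as needed>
comment1 = \
This example is called by TrackMe in the outputlookup macro
example1 = \
| trackmepersistentfields collection="$collection$" key="$key$" update_collection="True"
shortdesc = Python wrapper to prevent conflicting updates of TrackMe persistent fields, which can as well replace outputlookup
usage = public
tags = trackme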
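# Streaming command to parse upstream search results for the splk-wlk component
[trackmesplkwlkparse-command]
syntax = | trackmesplkwlkparse tenant_id=<tenant_id> context=<live|simulation> overgroup=<use the overgroup to override the grouping per app, optional> check_last_seen=<true|false> check_last_seen_field=<field name>
description = \
This streaming custom command is designed to parse search results for the purposes of the splk-wlk component \
Syntax: \
<upstream search> | trackmesplkwlkparse tenant_id=<tenant_id> context=<live|simulation> overgroup=<use the overgroup to override the grouping per app, optional> check_last_seen=<true|false> check_last_seen_field=<field name>
comment1 = \
This example parses upstream search results for the splk-wlk component
example1 = \
| trackmesplkwlkparse tenant_id="mytenant"
shortdesc = TrackMe Splk Workload search parser
usage = public
tags = trackme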
# Streaming command to load a list of fields and stored these and their value into a JSON formated field name metrics
|
|
[trackmegenjsonmetrics-command]
|
|
syntax = | trackmegenjsonmetrics fields=<command separated list of fields to include in the metrics field> add_root_label=<If submitted, generate a label with this value and store metrics into a sub-object> target=<Target field name> add_prefix=<Optionally as a prefix to the name of the fields> suppress_suffix=<Suppress the provided suffix from field names>
|
|
description = \
|
|
This streaming command can be used to generate a JSON formatted field named metrics, taking in input a list of fields \
|
|
Syntax: \
|
|
| trackmegenjsonmetrics fields=<comma separated list of fields to include in the metrics field> add_root_label=<If submitted, generate a label with this value and store metrics into a sub-object> target=<Target field name> add_prefix=<Optionally add a prefix to the name of the fields> suppress_suffix=<Suppress the provided suffix from field names>
|
|
comment1 = \
|
|
This example generates the metrics field for the splk-wlk component for the scheduler
|
|
example1 = \
|
|
| trackmegenjsonmetrics fields="scheduler.count_completed,scheduler.count_execution,scheduler.count_skipped,scheduler.skipped_pct"
|
|
shortdesc = Generates a JSON formatted metrics field from a comma separated list of fields
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to retrieve saved searches metadata
|
|
[trackmesplkwlkgetreportsdefstream-command]
|
|
syntax = | trackmesplkwlkgetreportsdefstream tenant_id=<tenant_id> context=<context, live|simulation> register_component=<register the component, True|False> report=<name of the report> check_orphan=<check the orphan status, True|False> max_runtime_sec=<max runtime job in seconds> filters_get_last_updates=<An optional search string to restrict the Search Head tiers when looking at the last updates of savedsearches (to identify who modified a search and when), defaults to host=*>
|
|
description = \
|
|
This streaming custom command is designed to retrieve Splunk saved searches metadata from upstream results \
|
|
Syntax: \
|
|
| trackmesplkwlkgetreportsdefstream tenant_id=<tenant_id> context=<context, live|simulation> register_component=<register the component, True|False> report=<name of the report> check_orphan=<check the orphan status, True|False> max_runtime_sec=<max runtime job in seconds> filters_get_last_updates=<An optional search string to restrict the Search Head tiers when looking at the last updates of savedsearches (to identify who modified a search and when), defaults to host=*>
|
|
comment1 = \
|
|
This example retrieves Splunk saved searches metadata from upstream results
|
|
example1 = \
|
|
| trackmesplkwlkgetreportsdefstream tenant_id="mytenant"
|
|
shortdesc = Python wrapper to retrieve Splunk saved searches metadata from upstream results in a streaming manner
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to verify the user owner of saved searches and dynamically retrieve the owner if not available in upstream results
|
|
[trackmesplkwlkgetreportowner-command]
|
|
syntax = | trackmesplkwlkgetreportowner tenant_id=<tenant_id>
|
|
description = \
|
|
This streaming custom command is designed to retrieve the Splunk user owner from upstream results \
|
|
Syntax: \
|
|
| trackmesplkwlkgetreportowner tenant_id=<tenant_id>
|
|
comment1 = \
|
|
This example retrieves the user owner from upstream results
|
|
example1 = \
|
|
| trackmesplkwlkgetreportowner tenant_id="mytenant"
|
|
shortdesc = Python wrapper to retrieve Splunk saved searches user owner from upstream results in a streaming manner
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command to retrieve saved searches metadata
|
|
[trackmesplkwlkgetreportsdefgen-command]
|
|
syntax = | trackmesplkwlkgetreportsdefgen tenant_id=<tenant_id> object_name=<object_name> object_id=<object_id>
|
|
description = \
|
|
This generating custom command is designed to retrieve Splunk saved searches metadata for a specific search \
|
|
Syntax: \
|
|
| trackmesplkwlkgetreportsdefgen tenant_id=<tenant_id> object_name=<object_name> object_id=<object_id>
|
|
comment1 = \
|
|
This example retrieves Splunk saved searches metadata from TrackMe's store for a specific search
|
|
example1 = \
|
|
| trackmesplkwlkgetreportsdefgen tenant_id="mytenant" object_name="myuser:myapp:mysavedsearch"
|
|
shortdesc = Python wrapper to retrieve Splunk saved searches metadata for a specific search in a generating manner
usage = public
tags = trackme
|
|
|
|
# Generating command to manage splk-wlk records to be purged
|
|
[trackmesplkwlkinactiveinspector-command]
|
|
syntax = | trackmesplkwlkinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
description = \
|
|
The generating command is used to purge inactive entities in the Splunk Workload component \
|
|
Syntax: \
|
|
| trackmesplkwlkinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
comment1 = \
|
|
This generating command is used to maintain splk-wlk records to be purged
|
|
example1 = \
|
|
| trackmesplkwlkinactiveinspector tenant_id="mytenant"
|
|
shortdesc = Python wrapper to load and purge inactive records in Splunk Workload
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to extract metrics from the JSON object
|
|
[trackmeextractjsonmetrics-command]
|
|
syntax = | trackmeextractjsonmetrics fields=<comma separated list of fields>
|
|
description = \
|
|
This streaming command extracts all metrics from a JSON object and adds them to the output stream \
|
|
Syntax: \
|
|
| trackmeextractjsonmetrics fields=<comma separated list of fields>
|
|
comment1 = \
|
|
This streaming command is used to extract metrics from a JSON object
|
|
example1 = \
|
|
| trackmeextractjsonmetrics fields="metrics"
|
|
shortdesc = Python wrapper to extract JSON metrics and add to the output stream
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command utility for splk-dhm to extract and render the sourcetype summary JSON data
|
|
[trackmeextractsplkdhm-command]
|
|
syntax = | trackmeextractsplkdhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
|
|
description = \
|
|
This streaming command is a command utility for splk-dhm to extract and render summary sourcetypes information \
|
|
Syntax: \
|
|
| trackmeextractsplkdhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
|
|
comment1 = \
|
|
This streaming command is used by the splk-dhm component to render the sourcetype summary
|
|
example1 = \
|
|
| trackmeextractsplkdhm field_current="splk_dhm_st_summary" mode="both"
|
|
shortdesc = Python wrapper to extract and render sourcetype summary for splk-dhm
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command utility for splk-mhm to extract and render the metrics summary JSON data
|
|
[trackmeextractsplkmhm-command]
|
|
syntax = | trackmeextractsplkmhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
|
|
description = \
|
|
This streaming command is a command utility for splk-mhm to extract and render summary metrics information \
|
|
Syntax: \
|
|
| trackmeextractsplkmhm field_current=<comma separated list of fields> mode=<rendering mode, compact|full|both> tenant_id=<tenant identifier, used with gen_metrics=True> gen_metrics=<Generate metrics, True or False>
|
|
comment1 = \
|
|
This streaming command is used by the splk-mhm component to render the metrics summary
|
|
example1 = \
|
|
| trackmeextractsplkmhm field_current="metric_details" mode="both"
|
|
shortdesc = Python wrapper to extract and render metrics summary for splk-mhm
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command replica utility, to replicate and sync a source and target collection for replica tenants
|
|
[trackmereplicator-command]
|
|
syntax = | trackmereplicator component=<component name> source_tenant_id=<source tenant_id> target_tenant_id=<target tenant_id> key_field=<field containing the KVstore key>
|
|
description = \
|
|
This streaming command is a command sync utility to maintain a replica tenant_id collection for TrackMe \
|
|
Syntax: \
|
|
| trackmereplicator component=<component name> source_tenant_id=<source tenant_id> target_tenant_id=<target tenant_id> key_field=<field containing the KVstore key>
|
|
comment1 = \
|
|
This streaming command is used to maintain a replica Virtual Tenant collection for a given source and target tenant, and a given component
|
|
example1 = \
|
|
| trackmereplicator component="dsm" source_tenant_id="my_source_tenant" target_tenant_id="my_target_tenant" key_field="key"
|
|
shortdesc = Python wrapper to replicate and sync a KVstore collection for a replica Virtual Tenant
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command to orchestrate the execution of replica trackers
|
|
[trackmereplicaexecutor-command]
|
|
syntax = | trackmereplicaexecutor tenants_filter_list=<optional comma separated list of tenants to be processed, use * for all> max_runtime_sec=<max allowed run time>
|
|
description = \
|
|
This generating custom command is used by TrackMe to orchestrate the execution of replica trackers \
|
|
Syntax: \
|
|
| trackmereplicaexecutor tenants_filter_list=<optional comma separated list of tenants to be processed, use * for all> max_runtime_sec=<max allowed run time>
|
|
comment1 = \
|
|
This command orchestrates the execution of TrackMe replica trackers
|
|
example1 = \
|
|
| trackmereplicaexecutor tenants_filter_list="*" max_runtime_sec="300"
|
|
shortdesc = Python wrapper to orchestrate the execution of replica trackers
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command utility to automatically manage logical groups
|
|
[trackmeautogroup-command]
|
|
syntax = | trackmeautogroup tenant_id=<tenant_id> purge_single_member_grp=<purge the group if there only one member left, True|False>
|
|
description = \
|
|
This streaming command is a utility to automatically create and manage logical groups based on an upstream list of results, \
|
|
providing the following fields: object_group_name (name of the group), object_group_members (multi-value field listing the members of the group)
|
|
Syntax: \
|
|
| trackmeautogroup tenant_id=<tenant_id> purge_single_member_grp=<purge the group if there only one member left, True|False>
|
|
comment1 = \
|
|
This streaming command is a utility to create and manage logical groups based on an upstream logic
|
|
example1 = \
|
|
| trackmeautogroup tenant_id="mytenant" purge_single_member_grp="True"
|
|
shortdesc = Python wrapper to automatically manage auto grouping of entities in logical groups
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Runs a TrackMe report for the purposes of executing TrackMe trackers by admin as the system user rather than the requester
|
|
[trackmeoneshotexecutor-command]
|
|
syntax = | trackmeoneshotexecutor tenant_id=<Tenant identifier> report=<The TrackMe report> earliest=<earliest quantifier> latest=<latest quantifier> use_savedsearch_time=<use the earliest and latest times of the savedsearch instead of the searchinfo earliest and latest times, True|False>
|
|
description = \
|
|
This command is designed to run a TrackMe tracker in a oneshot manner as the system user rather than the requesting user; because the tracker search executes with system-level privileges, invoking it requires the trackmepoweroperations capability, which should only be granted to trusted administrative roles \
|
|
Syntax: \
|
|
| trackmeoneshotexecutor tenant_id=<Tenant identifier> report=<The TrackMe report> earliest=<earliest quantifier> latest=<latest quantifier> use_savedsearch_time=<use the earliest and latest times of the savedsearch instead of the searchinfo earliest and latest times, True|False>
|
|
comment1 = \
|
|
This example runs a TrackMe tracker
|
|
example1 = \
|
|
| trackmeoneshotexecutor tenant_id="mytenant" report="my_tracker" earliest="-5m" latest="now"
|
|
shortdesc = Runs a TrackMe report for the purposes of executing TrackMe trackers by admin as the system user rather than the requester
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command listing Flex Object use cases
|
|
[trackmesplkflxgetuc-command]
|
|
syntax = | trackmesplkflxgetuc
|
|
description = \
|
|
This generating command lists use cases available from the Flex Objects library \
|
|
Syntax: \
|
|
| trackmesplkflxgetuc
|
|
comment1 = \
|
|
This generating command lists use cases from the Flex Objects library
|
|
example1 = \
|
|
| trackmesplkflxgetuc
|
|
shortdesc = List use cases from the Flex Objects library
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command to manage splk-flx inactive entities
|
|
[trackmesplkflxinactiveinspector-command]
|
|
syntax = | trackmesplkflxinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
description = \
|
|
The generating command is used to manage and purge inactive entities in the Splunk Flex Object component \
|
|
Syntax: \
|
|
| trackmesplkflxinactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
comment1 = \
|
|
This generating command is used to maintain inactive splk-flx records
|
|
example1 = \
|
|
| trackmesplkflxinactiveinspector tenant_id="mytenant"
|
|
shortdesc = Python wrapper to manage inactive entities in the Flex Object component
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command to manage splk-fqm inactive entities
|
|
[trackmesplkfqminactiveinspector-command]
|
|
syntax = | trackmesplkfqminactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
description = \
|
|
The generating command is used to manage and purge inactive entities in the Splunk Fields Quality component \
|
|
Syntax: \
|
|
| trackmesplkfqminactiveinspector tenant_id=<tenant_id> context=<context, live|simulation> report=<name of the report> max_days_since_inactivity_before_purge=<max days of inactivity before being purged> register_component=<enable registering exceptions in the component>
|
|
comment1 = \
|
|
This generating command is used to maintain inactive splk-fqm records
|
|
example1 = \
|
|
| trackmesplkfqminactiveinspector tenant_id="mytenant"
|
|
shortdesc = Python wrapper to manage inactive entities in the Fields Quality component
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command for splk-soar integration purposes
|
|
[trackmesplksoar-command]
|
|
syntax = | trackmesplksoar soar_server=<soar_server> action=<action> action_data=<json action data> action_params=<json action parameters>
|
|
description = \
|
|
This generating command is used to interact with Splunk SOAR \
|
|
Syntax: \
|
|
- soar_server: the name of the SOAR server as configured in the Splunk App for SOAR, \
|
|
- action: an action in the following support list: soar_get|soar_post|soar_test_apps|soar_health_status|soar_health_memory|soar_health_load|soar_automation_broker_manage, \
|
|
- action_data: a JSON formatted object, either used by specific actions or used to perform a POST query to a SOAR endpoint \
|
|
- action_params: a JSON formatted object, used to pass additional parameters to the action \
|
|
| trackmesplksoar soar_server=<soar_server> action=<action> action_data=<json action data> action_params=<json action parameters>
|
|
comment1 = \
|
|
This generating command is used to interact with Splunk SOAR
|
|
example1 = \
|
|
| trackmesplksoar soar_server=lab action=soar_get action_data="{\"endpoint\": \"health\"}"
|
|
shortdesc = Generating command for TrackMe's Splunk SOAR integration
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command for splk-soar integration purposes
|
|
[trackmesplksoarlookup-command]
|
|
syntax = | trackmesplksoarlookup soar_server=<soar_server> endpoint_target=<endpoint_target> source_field=<source_field> dest_field_name=<dest_field_name> dest_field_definition=<dest_field_definition> definition_filter_fields=<A comma separated list of fields to retrieve from the definition>
|
|
description = \
|
|
This streaming command can be used to interact with the SOAR API in a lookup way, so that from an id of an object, its definition can be retrieved easily in native SPL \
|
|
Syntax: \
|
|
- soar_server: the name of the SOAR server as configured in the Splunk App for SOAR, \
|
|
- endpoint_target: the endpoint target for the object to look up, \
|
|
- source_field: the name of the field containing the object id, \
|
|
- dest_field_name: the name of the field to store the logical name of the corresponding object retrieved from this id (if any!), \
|
|
- dest_field_definition: the name of the field to store the definition of the corresponding object retrieved from this id (if any!) \
|
|
- definition_filter_fields: a comma separated list of fields to retrieve from the definition \
|
|
| trackmesplksoarlookup soar_server=<soar_server> endpoint_target=<endpoint_target> source_field=<source_field> dest_field_name=<dest_field_name> dest_field_definition=<dest_field_definition> definition_filter_fields=<A comma separated list of fields to retrieve from the definition>
|
|
comment1 = \
|
|
Lookup the definition of a SOAR object from its id in a streaming manner
|
|
example1 = \
|
|
| makeresults | eval asset=1 | trackmesplksoarlookup soar_server=* endpoint_target=asset source_field=asset dest_field_name=asset_name dest_field_definition=asset_definition definition_filter_fields="name,description"
|
|
shortdesc = Streaming command for TrackMe's Splunk SOAR integration
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# CMDB lookup integrator
|
|
[trackmesplkcmdb-command]
|
|
syntax = | trackmesplkcmdb tenant_id=<the tenant identifier> component=<the TrackMe component> object=<Optional, the object name> object_id=<Optional, the object identifier>
|
|
description = \
|
|
This command is used for the purposes of querying a CMDB to retrieve information for a given TrackMe entity \
|
|
Syntax: \
|
|
| trackmesplkcmdb tenant_id=<the tenant identifier> component=<the TrackMe component> object=<Optional, the object name> object_id=<Optional, the object identifier>
|
|
comment1 = \
|
|
This example retrieves a given entity information from your CMDB
|
|
example1 = \
|
|
| trackmesplkcmdb component="dsm" tenant_id="mytenant" object="network:pan:traffic"
|
|
shortdesc = Query your CMDB from TrackMe
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Stateful alert pre-filtering command
|
|
[trackmestateful-command]
|
|
syntax = | trackmestateful tenant_id=<the tenant identifier>
|
|
description = \
|
|
This generating command performs pre-filtering for stateful alerts by executing a simplified stateful alert search and applying filtering logic to ensure only valid events are yielded. \
|
|
The command filters events based on monitored_state, maintenance mode, ack status, object_state validation, and stateful record timing constraints. \
|
|
Syntax: \
|
|
| trackmestateful tenant_id=<the tenant identifier>
|
|
comment1 = \
|
|
This example pre-filters stateful alert events for a tenant, ensuring only events that should be processed are yielded
|
|
example1 = \
|
|
| trackmestateful tenant_id="mytenant"
|
|
shortdesc = Pre-filter stateful alert events to ensure state changes are never missed
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to expand the ML model outliers
|
|
[trackmesplkoutliersexpand-command]
|
|
syntax = | trackmesplkoutliersexpand
|
|
description = \
|
|
This command retrieves and expands the ML Outliers models data \
|
|
Syntax: \
|
|
| inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkoutliersexpand
|
|
comment1 = \
|
|
This command retrieves and expands the ML Outliers models data
|
|
example1 = \
|
|
| inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkoutliersexpand
|
|
shortdesc = Streaming command to expand the ML Outliers models data
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to expand the Flex Object extra_attributes
|
|
[trackmesplkflxexpandextra-command]
|
|
syntax = | trackmesplkflxexpandextra target=<target field name containing the list of objects stored in extra_attributes, defaults to objects>
|
|
description = \
|
|
This command retrieves and expands the extra_attributes field for Flex Objects \
|
|
Syntax: \
|
|
<upstream search> | trackmesplkflxexpandextra target=<target field name containing the list of objects stored in extra_attributes, defaults to objects>
|
|
comment1 = \
|
|
This command retrieves and expands the extra_attributes field for Flex Objects
|
|
example1 = \
|
|
| inputlookup trackme_flx_outliers_entity_data_tenant_mytenant | trackmesplkflxexpandextra
|
|
shortdesc = Streaming command to expand the extra_attributes field for Flex Objects
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Streaming command to extract and define the dcount to be used for splk-dsm
|
|
[trackmesplksetcurrentdcounthost-command]
|
|
syntax = | trackmesplksetcurrentdcounthost
|
|
description = \
|
|
This command defines the dcount host threshold for splk-dsm \
|
|
Syntax: \
|
|
| trackmesplksetcurrentdcounthost
|
|
comment1 = \
|
|
This command defines the dcount host threshold for splk-dsm
|
|
example1 = \
|
|
| inputlookup trackme_dsm_tenant_mytenant | trackmesplksetcurrentdcounthost
|
|
shortdesc = Retrieve and define the dcount host threshold for splk-dsm
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command for adaptive delay inspector
|
|
[trackmesplkadaptivedelay-command]
|
|
syntax = | trackmesplkadaptivedelay tenant_id=<tenant identifier> component=<component name> min_delay_sec=<integer> min_historical_metrics_days=<integer> earliest_time_mstats=<earliest time for mstats> max_runtime=<max runtime for the job in seconds> max_auto_delay_sec=<The maximal delay value that the adaptive backend can set> max_changes_past_7days=<The maximal number of changes that can be performed in a 7 days time frame> review_period_no_days=<The relative time period for review. When entities were updated, TrackMe will review over time the behaviour and eventually adapt the threshold to take into account new patterns, expressed in number of days, valid options: 7, 15, 30> max_sla_percentage=<Entities with an SLA percentage greater than this value will not be processed to prevent from updating highly stable entities>
|
|
description = \
|
|
This command inspects delayed entities for splk-feeds components and define an adaptive threshold delay value \
|
|
Syntax: \
|
|
| trackmesplkadaptivedelay tenant_id=<tenant identifier> component=<component name> min_delay_sec=<integer> min_historical_metrics_days=<integer> earliest_time_mstats=<earliest time for mstats> max_runtime=<max runtime for the job in seconds> max_auto_delay_sec=<The maximal delay value that the adaptive backend can set> max_changes_past_7days=<The maximal number of changes that can be performed in a 7 days time frame> review_period_no_days=<The relative time period for review. When entities were updated, TrackMe will review over time the behaviour and eventually adapt the threshold to take into account new patterns, expressed in number of days, valid options: 7, 15, 30> max_sla_percentage=<Entities with an SLA percentage greater than this value will not be processed to prevent from updating highly stable entities>
|
|
comment1 = \
|
|
This command inspects delayed entities and define adaptive delay threshold
|
|
example1 = \
|
|
| trackmesplkadaptivedelay tenant_id=01-feeds component=dsm
|
|
shortdesc = Generating command to inspect delayed entities and define adaptive delay threshold
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command used to generate the search string filter for maintenance knowledge database in SLA calculations
|
|
[trackmereturnmaintenancedb-command]
|
|
syntax = | trackmereturnmaintenancedb tenant_id=<tenant identifier>
|
|
description = \
|
|
This command generates the search string where filter for the maintenance knowledge database in SLA calculations \
|
|
Syntax: \
|
|
| trackmereturnmaintenancedb tenant_id=<tenant identifier>
|
|
comment1 = \
|
|
This command returns the search string where filter for the maintenance knowledge database in SLA calculations
|
|
example1 = \
|
|
| trackmereturnmaintenancedb tenant_id="mytenant"
|
|
shortdesc = Returns the search string where filter for the maintenance knowledge database in SLA calculations
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# TrackMe decision maker backend
|
|
[trackmedecisionmaker-command]
|
|
syntax = | trackmedecisionmaker tenant_id=<tenant identifier> component=<component name>
|
|
description = \
|
|
This streaming command is TrackMe's decision maker backend, which is used to define the status of entities. \
|
|
Syntax: \
|
|
| trackmedecisionmaker tenant_id=<tenant identifier> component=<component name>
|
|
comment1 = \
|
|
TrackMe decision maker defines the status of entities depending on the components and their context
|
|
example1 = \
|
|
| trackmedecisionmaker tenant_id="mytenant" component="dsm"
|
|
shortdesc = TrackMe decision maker defines the status of entities depending on the components and their context
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# TrackMe splk-dsm tags tracker
|
|
[trackmesplktags-command]
|
|
syntax = | trackmesplktags tenant_id=<tenant identifier> component=<component name>
|
|
description = \
|
|
This generating command applies the tags policies for splk-dsm, it acts as an SPL wrapper to the TrackMe REST API endpoint. \
|
|
Syntax: \
|
|
| trackmesplktags tenant_id=<tenant identifier> component=<component name>
|
|
comment1 = \
|
|
TrackMe tags tracker for splk-dsm
|
|
example1 = \
|
|
| trackmesplktags tenant_id="mytenant" component="dsm"
|
|
shortdesc = TrackMe tags tracker for splk-dsm
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# TrackMe priority tracker
|
|
[trackmesplkpriority-command]
|
|
syntax = | trackmesplkpriority tenant_id=<tenant identifier> component=<component name>
|
|
description = \
|
|
This generating command applies the priority policies, it acts as an SPL wrapper to the TrackMe REST API endpoint. \
|
|
Syntax: \
|
|
| trackmesplkpriority tenant_id=<tenant identifier> component=<component name>
|
|
comment1 = \
|
|
TrackMe priority tracker
|
|
example1 = \
|
|
| trackmesplkpriority tenant_id="mytenant" component="dsm"
|
|
shortdesc = TrackMe priority tracker
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# TrackMe General Health Manager
|
|
[trackmegeneralhealthmanager-command]
|
|
syntax = | trackmegeneralhealthmanager
|
|
description = \
|
|
This command executes TrackMe general health manager tasks \
|
|
Syntax: \
|
|
| trackmegeneralhealthmanager
|
|
comment1 = \
|
|
This command executes TrackMe general health manager tasks
|
|
example1 = \
|
|
| trackmegeneralhealthmanager
|
|
shortdesc = TrackMe General Health Manager
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# TrackMe get component data with pagination for high scaling
|
|
[trackmegetcoll-command]
|
|
syntax = | trackmegetcoll tenant_id=<tenant identifier> component=<component name> mode=<the command mode, valid options are: records|stats, defaults to records> mode_view=<The mode_view, when applicable. Default is "minimal", valid options: minimal, full.> filter_key=<Optionally filter on a given record using its key id> filter_object=<Optionally filter on a given object name>
|
|
description = \
|
|
This generating command retrieves records from a TrackMe KVstore collection with pagination and filtering capabilities for fast queries. \
|
|
Syntax: \
|
|
| trackmegetcoll tenant_id=<tenant identifier> component=<component name> mode=<the command mode, valid options are: records|stats, defaults to records> mode_view=<The mode_view, when applicable. Default is "minimal", valid options: minimal, full.> filter_key=<Optionally filter on a given record using its key id> filter_object=<Optionally filter on a given object name>
|
|
comment1 = \
|
|
TrackMe get component data with pagination for high scaling
|
|
example1 = \
|
|
| trackmegetcoll tenant_id="mytenant" component="flx"
|
|
shortdesc = TrackMe get component data with pagination for high scaling
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# Generating command to retrieve the logical groups of a tenant for verification purposes
|
|
[trackmegetlogicalgroups-command]
|
|
syntax = | trackmegetlogicalgroups tenant_id=<tenant identifier>
|
|
description = \
|
|
This generating command retrieves the logical groups for verification purposes \
|
|
Syntax: \
|
|
| trackmegetlogicalgroups tenant_id=<tenant identifier>
|
|
comment1 = \
|
|
TrackMe get logical groups
|
|
example1 = \
|
|
| trackmegetlogicalgroups tenant_id="mytenant"
|
|
shortdesc = Get logical groups
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# SLA class tracker wrapper
|
|
[trackmesplkslaclass-command]
|
|
syntax = | trackmesplkslaclass tenant_id=<the tenant identifier> component=<component>
|
|
description = \
|
|
This generating command is used by the SLA tracker for the purposes of maintaining the SLA policies features.\
|
|
Syntax: \
|
|
| trackmesplkslaclass tenant_id=<the tenant identifier> component=<component>
|
|
comment1 = \
|
|
Example of a tracker
|
|
example1 = \
|
|
| trackmesplkslaclass tenant_id="mytenant" component="dsm"
|
|
shortdesc = Maintains SLA policies
usage = public
tags = trackme
|
|
|
|
# Streaming command to calculate the object keyid
|
|
[trackmehashobject-command]
|
|
syntax = | trackmehashobject input_field="<field containing the object name>" output_field=<field containing the object keyid>
|
|
description = \
|
|
This command is used to calculate the sha256 keyid derived from the object name, with handling for non-unicode characters \
|
|
Syntax: \
|
|
| trackmehashobject input_field="<field containing the object name>" output_field=<field containing the object keyid>
|
|
comment1 = \
|
|
This command is used to calculate the sha256 keyid derived from the object name, with handling for non-unicode characters
|
|
example1 = \
|
|
| makeresults | eval object="myobject" | trackmehashobject input_field="object" output_field="object_keyid"
|
|
shortdesc = Calculates the sha256 keyid derived from the object name, with handling for non-unicode characters
|
|
usage = public
|
|
tags = trackme
|
|
|
|
# trackmemergesplkdhm - streaming
|
|
[trackmemergesplkdhm-command]
|
|
syntax = | trackmemergesplkdhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
|
|
description = \
|
|
This streaming custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis. \
|
|
Syntax: \
|
|
| trackmemergesplkdhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
|
|
comment1 = \
|
|
This stream custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis.
|
|
example1 = \
|
|
| trackmemergesplkdhm field_host="host" field_current="current_summary" field_previous="previous_summary"
|
|
shortdesc = This stream custom command is used by splk-dhm to merge current and previous knowledge on a per entity basis.
|
|
usage = public
|
|
tags = trackme
|
|
|
|
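# trackmemergesplkmhm - streaming
[trackmemergesplkmhm-command]
syntax = | trackmemergesplkmhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
description = \
This streaming custom command is used by splk-mhm to merge current and previous knowledge on a per entity basis. \
Syntax: \
| trackmemergesplkmhm field_host=<field containing the host value> field_current=<field containing the current summary JSON> field_previous=<field containing the previous summary JSON> field_output=<field containing the output summary JSON>
comment1 = \
This example merges the current_summary and previous_summary JSON fields per host and writes the merged summary JSON to the merged_summary field.
# field_output is included so the example covers every parameter declared in syntax; the field names are illustrative
example1 = \
| trackmemergesplkmhm field_host="host" field_current="current_summary" field_previous="previous_summary" field_output="merged_summary"
shortdesc = Streaming command used by splk-mhm to merge current and previous knowledge on a per entity basis.
usage = public
tags = trackme
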
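# Generating command to list the knowledge objects of a Virtual Tenant
[trackmegetkos-command]
syntax = | trackmegetkos tenant_id=<tenant identifier>
description = \
This command is a simple generating command to retrieve the list of knowledge objects for a given tenant. \
Syntax: \
| trackmegetkos tenant_id=<tenant identifier>
comment1 = \
This example retrieves all knowledge objects for the tenant named mytenant.
# the example must invoke trackmegetkos itself (it previously referenced trackmegetconf)
example1 = \
| trackmegetkos tenant_id=mytenant
shortdesc = Retrieve TrackMe Virtual Tenants knowledge objects
usage = public
tags = trackme
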
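# Command to inspect TrackMe backup archives
[trackmecheckbackups-command]
syntax = | trackmecheckbackups archives_list="<comma separated list of archives>"
description = \
This command can be used to iterate through TrackMe backup archives, check them and extract detailed information including knowledge objects. \
Syntax: \
| trackmecheckbackups archives_list="<comma separated list of archives>"
# NOTE(review): archives_list is caller supplied; confirm the implementation resolves these names inside the TrackMe backup location only and validates archive members before extraction
comment1 = \
This example checks the two listed backup archives and extracts their detailed information, including knowledge objects.
example1 = \
| trackmecheckbackups archives_list="trackme-backup-20241120-223310.tgz,trackme-backup-20241119-232503.tgz"
shortdesc = Check and extract detailed information from TrackMe backup archives
usage = public
tags = trackme
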
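# TrackMe Splunk Feeds Delayed Inspector command
[trackmesplkfeedsdelayedinspector-command]
syntax = | trackmesplkfeedsdelayedinspector tenant_id=<tenant identifier> component=<component> max_runtime=<max runtime in seconds> object_name=<object name>
description = \
This command is designed to execute the delayed entities inspector for Splunk feeds. \
Syntax: \
| trackmesplkfeedsdelayedinspector tenant_id=<tenant identifier> component=<component> max_runtime=<max runtime in seconds> object_name=<object name>
comment1 = \
This example executes the delayed entities inspector for the tenant mytenant and the splk-dsm component, for the object test_feed, with a maximum runtime of 300 seconds.
example1 = \
| trackmesplkfeedsdelayedinspector tenant_id="mytenant" component="splk-dsm" max_runtime=300 object_name="test_feed"
shortdesc = Execute the delayed entities inspector for Splunk feeds
usage = public
tags = trackme
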
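# A generating command to test remote accounts
[trackmetestremoteaccounts-command]
syntax = | trackmetestremoteaccounts accounts=<comma separated list of accounts>
description = \
This generating command is used to test remote accounts. \
Syntax: \
| trackmetestremoteaccounts accounts=<comma separated list of accounts>
comment1 = \
This example tests the two remote accounts named myaccount and myotheraccount.
example1 = \
| trackmetestremoteaccounts accounts="myaccount,myotheraccount"
shortdesc = Test remote accounts
usage = public
tags = trackme
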
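# TrackMe Fields Quality command
[trackmefieldsquality-command]
# time_mode is declared here because the description and example1 both use it
syntax = | trackmefieldsquality fields_to_check_list=<list of fields> fields_to_check_fieldname=<fieldname containing list> fields_to_check_dict=<JSON dictionary> fields_to_check_dict_path=<path to JSON file> fields_to_check_dict_fieldname=<fieldname containing JSON dictionary> fields_to_check_search_command=<search command to generate the dictionary of fields to check> include_field_values=<boolean> pretty_print_json=<boolean> output_mode=<json|raw> summary_fieldname=<name of the summary field> metadata_fieldname=<name of the metadata field> metadata_fields=<CSV list of metadata fields> time_mode=<event|now>
description = \
This command checks the quality of fields in records based on specified criteria. It can validate fields against a list, a fieldname, a JSON dictionary, or a JSON file. Optionally, it can include field values in the output and pretty print the JSON summary. The 'output_mode' option allows specifying the format of the output, either 'json' or 'raw'. The 'summary_fieldname' option defines the name of the summary field, and the 'metadata_fieldname' option defines the name of the metadata field added to the summary JSON. The 'metadata_fields' option allows specifying additional metadata fields to include in the JSON summary. The 'time_mode' option specifies the time generation mode, with valid options being 'event' or 'now'. \
Syntax: \
| trackmefieldsquality fields_to_check_list=<list of fields> fields_to_check_fieldname=<fieldname containing list> fields_to_check_dict=<JSON dictionary> fields_to_check_dict_path=<path to JSON file> fields_to_check_dict_fieldname=<fieldname containing JSON dictionary> fields_to_check_search_command=<search command to generate the dictionary of fields to check> include_field_values=<boolean> pretty_print_json=<boolean> output_mode=<json|raw> summary_fieldname=<name of the summary field> metadata_fieldname=<name of the metadata field> metadata_fields=<CSV list of metadata fields> time_mode=<event|now>
comment1 = \
This example checks the quality of field1 and field2, sets the output mode to 'json', uses custom field names for the summary and metadata, includes field1 and field2 as additional metadata fields, and sets the time mode to 'event'.
example1 = \
| trackmefieldsquality fields_to_check_list="field1,field2" output_mode="json" summary_fieldname="custom_summary" metadata_fieldname="custom_metadata" metadata_fields="field1,field2" time_mode="event"
shortdesc = Check the quality of fields in records, specify output mode, customize field names, include additional metadata fields, and set time mode
usage = public
tags = trackme
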
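# Streaming command to extract results from trackmefieldsquality
[trackmefieldsqualityextract-command]
syntax = | trackmefieldsqualityextract input_field=<field containing the JSON data> metadata_fieldname=<name of the metadata field>
description = \
This command extracts results from trackmefieldsquality and creates a new record for each field. \
Syntax: \
| trackmefieldsqualityextract input_field=<field containing the JSON data> metadata_fieldname=<name of the metadata field>
comment1 = \
This example reads the trackmefieldsquality JSON from the _raw field, uses the field named metadata as the metadata field, and creates a new record for each field.
example1 = \
| trackmefieldsqualityextract input_field="_raw" metadata_fieldname="metadata"
shortdesc = Extract results from trackmefieldsquality and create a new record for each field
usage = public
tags = trackme
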
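# Streaming command to generate summary of trackmefieldsquality
[trackmefieldsqualitygensummary-command]
syntax = | trackmefieldsqualitygensummary maxvals=<max number of distinct values to report> fieldvalues_format=<format of field_values, either list or csv> groupby_metadata_fields=<comma separated list of metadata fields to group by in addition to fieldname>
description = \
This command generates a summary of the quality of fields in records. \
Syntax: \
| trackmefieldsqualitygensummary maxvals=<max number of distinct values to report> fieldvalues_format=<format of field_values, either list or csv> groupby_metadata_fields=<comma separated list of metadata fields to group by in addition to fieldname>
comment1 = \
This example generates the summary reporting at most 15 distinct values per field, formats field_values as csv, and groups the results by fieldname plus the datamodel, nodename, index and sourcetype metadata fields.
example1 = \
| trackmefieldsqualitygensummary maxvals=15 fieldvalues_format=csv groupby_metadata_fields="metadata.datamodel,metadata.nodename,metadata.index,metadata.sourcetype"
shortdesc = Generate summary of the quality of fields in records
usage = public
tags = trackme
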
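# Generating command to generate the dictionary of fields to check for CIM compliance
[trackmefieldsqualitygendict-command]
syntax = | trackmefieldsqualitygendict datamodel=<datamodel name> show_only_recommended_fields=<boolean> allow_unknown=<boolean> allow_empty_or_missing=<boolean>
description = \
This command generates the dictionary of fields to check for CIM compliance. \
Syntax: \
| trackmefieldsqualitygendict datamodel=<datamodel name> show_only_recommended_fields=<boolean> allow_unknown=<boolean> allow_empty_or_missing=<boolean>
comment1 = \
This example generates the dictionary of fields to check for the Authentication datamodel, limited to the recommended fields.
example1 = \
| trackmefieldsqualitygendict datamodel="Authentication" show_only_recommended_fields=true
shortdesc = Generate the dictionary of fields to check for CIM compliance
usage = public
tags = trackme
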
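# Streaming command to push undiscovered entities to splk-dsm
[trackmepushdatasource-command]
# each parameter is listed once (show_search_query, show_search_results and pretend_latest were previously duplicated) and the syntax starts with a pipe like the other commands
syntax = | trackmepushdatasource tenant_id=<string> search_type=(tstats|raw) component=<component, dsm or dhm> [show_search_query=<bool>] [show_search_results=<bool>] [pretend_latest=<string>]
description = \
Processes incoming records containing object, index, and sourcetype fields. Checks if objects exist in the KV store collection and adds missing ones. \
The command requires a tenant_id and search_type (tstats or raw) to be specified. Optional parameters allow controlling the output format and time settings. \
Syntax: \
| trackmepushdatasource tenant_id=<string> search_type=(tstants|raw) component=<component, dsm or dhm> [show_search_query=<bool>] [show_search_results=<bool>] [pretend_latest=<string>]
comment1 = \
This example builds the object field from index and sourcetype for each row of ds_expected.csv, pushes the objects to the dsm component of the tenant mytenant using a tstats search, enables show_search_query and show_search_results, and sets pretend_latest to -24h.
example1 = \
| inputlookup ds_expected.csv | eval object = index . ":" . sourcetype | trackmepushdatasource component=dsm search_type=tstats tenant_id=mytenant show_search_query=True show_search_results=True pretend_latest="-24h"
comment2 = \
This example performs the same push with a raw search instead of tstats and keeps the default output and time settings.
example2 = \
| inputlookup ds_expected.csv | eval object = index . ":" . sourcetype | trackmepushdatasource component=dsm search_type=raw tenant_id=mytenant
shortdesc = Pushes data source information to TrackMe splk-dsm collection.
usage = public
tags = trackme
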
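# Streaming command to expand tokens in a streaming fashion
[trackmeexpandtokens-command]
syntax = | trackmeexpandtokens
description = \
This command expands tokens in a streaming fashion. \
Syntax: \
| trackmeexpandtokens
comment1 = \
This example builds a result field containing the $user$ and $count$ tokens; the command expands them from the user and count fields of each event.
example1 = | makeresults | eval user="foo", count="10" | eval result="user $user$ has done $count$ attempts" | trackmeexpandtokens
shortdesc = Expand tokens in a streaming fashion
usage = public
tags = trackme
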
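# TrackMe Splunk Feeds Fields Quality command
[trackmesplkfqmparse-command]
syntax = | trackmesplkfqmparse tenant_id=<tenant identifier> context=<context, live or simulation> object_metadata_list=<comma separated list of metadata fields> default_threshold_fields=<default threshold for fields> default_threshold_global=<default threshold for global> max_sec_inactive=<max seconds inactive> tracker_name=<tracker name> tracker_index=<tracker index>
description = \
This command is used to parse the fields quality of a Splunk feed. \
Syntax: \
| trackmesplkfqmparse tenant_id=<tenant identifier> context=<context, live or simulation> object_metadata_list=<comma separated list of metadata fields> default_threshold_fields=<default threshold for fields> default_threshold_global=<default threshold for global> max_sec_inactive=<max seconds inactive> tracker_name=<tracker name> tracker_index=<tracker index>
comment1 = \
This example parses the fields quality of a Splunk feed for the tenant mytenant in the live context, grouping on the datamodel, nodename, index and sourcetype metadata fields, with a fields threshold of 99, a global threshold of 100, a maximum inactivity of 604800 seconds, and results written by the tracker mytracker to the summary index.
# NOTE(review): example1 also passes group_name_field and sub_group_name_field, which the syntax line above does not declare; confirm against the command implementation and align either the syntax or the example
example1 = | trackmesplkfqmparse tenant_id="mytenant" context="live" group_name_field="group_name" sub_group_name_field="sub_group_name" object_metadata_list="metadata.datamodel,metadata.nodename,metadata.index,metadata.sourcetype" default_threshold_fields=99 default_threshold_global=100 max_sec_inactive=604800 tracker_name="mytracker" tracker_index=summary
shortdesc = Parse the fields quality of a Splunk feed
usage = public
tags = trackme
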
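# trackmeyamlpath, a streaming custom command to parse YAML in a streaming fashion
[trackmeyamlpath-command]
syntax = | trackmeyamlpath yaml_fieldname=<field containing the YAML data, default to _raw>
description = \
This command parses YAML in a streaming fashion. The YAML document is read from the field named by yaml_fieldname, which defaults to _raw. \
Syntax: \
| trackmeyamlpath yaml_fieldname=<field containing the YAML data, default to _raw>
# NOTE(review): the YAML comes from event data, so it may be untrusted; confirm the implementation uses a safe YAML loader
comment1 = \
This example parses the YAML document held in the yaml_data field of each event.
example1 = | trackmeyamlpath yaml_fieldname="yaml_data"
shortdesc = Parse YAML in a streaming fashion
usage = public
tags = trackme
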