
savedsearches.conf

The following are the spec and example files for savedsearches.conf.

savedsearches.conf.spec

# This file contains possible attribute/value pairs for saved search entries in
# savedsearches.conf.  You can configure saved searches by creating your own
# savedsearches.conf.
#
# There is a default savedsearches.conf in $SPLUNK_HOME/etc/apps/itsi/default. To
# set custom configurations, place a savedsearches.conf in
# $SPLUNK_HOME/etc/apps/itsi/local/. For examples, see
# savedsearches.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

Ping

action.itsi_sample_event_action_ping.param.host = <string>
* Field in the event indicating the host to ping.
* Required. If no value is provided, no host will be pinged.
* Set to a result token such as $result.host$ or $result.server$.

Event generator settings

action.itsi_event_generator = <boolean>
* Whether the alert is enabled.

action.itsi_event_generator.param.title = <string>
* The title of the notable event in Episode Review.
* Optional. If no title is provided, the search name
  becomes the title.

action.itsi_event_generator.param.description = <string>
* A description of the notable event.
* Optional. If a description is not provided then the search
  description becomes the event description.

action.itsi_event_generator.param.owner = <string>
* The initial owner of the notable event.
* Optional. If an owner is not provided then default_owner is assigned.

action.itsi_event_generator.param.status = <string>
* The triage status of the event in Episode Review.
* Values must match an integer specified in the default version of 
  itsi_notable_event_status.conf (or the local version if you created one).
* Optional. If a status is not provided then default_status is assigned.

action.itsi_event_generator.param.severity = <string>
* The level of importance of the event. 
* Values must match an integer specified in the default version of 
  itsi_notable_event_severity.conf (or the local version if you created one).
* Optional. If a severity is not provided then default_severity is assigned.

action.itsi_event_generator.param.drilldown_search_title = <string>
* You can drill down to a specific Splunk search from an event or episode.
* The name of the drilldown search link.
* Optional.

action.itsi_event_generator.param.drilldown_search_search = <string>
* The drilldown search string.
* Optional.

action.itsi_event_generator.param.drilldown_search_latest_offset = <seconds>
* Defines how far ahead from the time of the event, in seconds,
  to look for related events.
* This offset is added to the event time.
* Optional.

action.itsi_event_generator.param.drilldown_search_earliest_offset = <seconds>
* Defines how far back from the time of the event, in seconds,
  to start looking for related events.
* This offset is subtracted from the event time.
* Optional.

action.itsi_event_generator.param.drilldown_title = <string>
* You can drill down to a specific website from an event or episode.
* The name of the drilldown website link.
* Optional.

action.itsi_event_generator.param.drilldown_uri = <string>
* The URI of the website you drill down to.
* Optional.

action.itsi_event_generator.param.event_identifier_fields = <comma-separated list>
* A list of fields used to identify if a notable event is unique. 
* Optional.
* This setting is useful for identifying if a given notable event is already present. 
* ITSI usually builds a hash using this set of fields.

action.itsi_event_generator.param.service_ids = <comma-separated list>
* A list of service IDs representing one or more ITSI services to 
  which this correlation search applies.
* Optional.

action.itsi_event_generator.param.entity_lookup_field = <string>
* The field in the data retrieved by the correlation search that
  is used to look up corresponding entities. For example, host.
* Optional.

action.itsi_event_generator.param.search_type = <string>
* The search type.
* Optional.
* Default: custom

action.itsi_event_generator.param.meta_data = <string>
* The search type of any stored metadata.  
* Optional.

action.itsi_event_generator.param.is_ad_at = <boolean>
* Whether this correlation search is created by enabling adaptive
  thresholding or anomaly detection (AT/AD) for KPIs or services.
* Optional.
* If "1", the correlation is created by AT/AD.
* If "0", the correlation is not created by AT/AD.

action.itsi_event_generator.param.ad_at_kpi_ids = <comma-separated list>
* A list of KPIs where AT/AD is enabled.
* Optional.

savedsearches.conf.example

# This is an example savedsearches.conf. Use this file to configure
# saved searches.
#
# To use one or more of these configurations, copy the configuration block
# into savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.  
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

[Test ITSI Reporting Search]

# Runs every 5 minutes over the preceding 5 minutes. The search is a generating
# search: it emits exactly one synthetic result whose only field is "demo"
# (count is dropped by "fields - count"), so no host or sourcetype field exists.
cron_schedule                       = */5 * * * *
disabled                            = False
dispatch.earliest_time              = -5m
dispatch.latest_time                = now
enableSched                         = True
search                              = | stats count | eval demo="Demo Search" | fields - count

# Turns on the ITSI notable event generator alert action for this search.
action.itsi_event_generator = 1

# NOTE(review): this search returns no host field, so $result.host$ here (and
# $result.sourcetype$ in drilldown_title below) resolve to an empty string;
# substitute a field the search actually emits before reusing this stanza.
# NOTE(review): the surrounding double quotes are probably kept as literal
# characters of the title (Splunk .conf values are not unquoted) — confirm.
action.itsi_event_generator.param.title = "Host $result.host$ is down"

# Optional; per the spec the search description is used when this is omitted.
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not

# Initial owner of the generated event; default_owner is assigned if omitted.
action.itsi_event_generator.param.owner = admin

# Must match an integer defined in itsi_notable_event_status.conf.
action.itsi_event_generator.param.status = 1

# Must match an integer defined in itsi_notable_event_severity.conf.
action.itsi_event_generator.param.severity = 2

# Label shown for the search drilldown link on the event/episode.
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events

# $result.host$ is substituted into this SPL string at trigger time. Quoting the
# token (host="...") keeps a host value containing spaces or search operators
# from being parsed as additional search terms, so prefer this quoted form.
action.itsi_event_generator.param.drilldown_search_search= index=_internal host="$result.host$"

# Drilldown time window, in seconds. latest_offset is added to the event time.
# NOTE(review): the spec says earliest_offset is subtracted, yet this example
# passes -30 (subtracting a negative would look forward, not back) — confirm the
# intended sign convention before relying on it.
action.itsi_event_generator.param.drilldown_search_latest_offset = 30

action.itsi_event_generator.param.drilldown_search_earliest_offset = -30

# Label shown for the website drilldown link on the event/episode.
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"

# App-relative path opened by the website drilldown. The same literal-quote
# caveat as for param.title applies here — confirm before copying.
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"

[Test ITSI Notable Event Search]

# Runs every 5 minutes over the preceding 5 minutes and returns up to four raw
# events from the _internal index, so result fields such as host and sourcetype
# are populated for the tokens used below.
cron_schedule                       = */5 * * * *
disabled                            = False
dispatch.earliest_time              = -5m
dispatch.latest_time                = now
enableSched                         = True
search                              = index=_internal | head 4

# 0 = run the alert action once per result rather than once per search (the
# default), so each of the up-to-four results becomes its own notable event.
alert.digest_mode          = 0

# Turns on the ITSI notable event generator alert action for this search.
action.itsi_event_generator = 1

# NOTE(review): the surrounding double quotes are probably kept as literal
# characters of the title (Splunk .conf values are not unquoted) — confirm.
action.itsi_event_generator.param.title = "Host $result.host$ is down"

# Optional; per the spec the search description is used when this is omitted.
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not

# Initial owner of the generated event; default_owner is assigned if omitted.
action.itsi_event_generator.param.owner = admin

# Must match an integer defined in itsi_notable_event_status.conf.
action.itsi_event_generator.param.status = 1

# Must match an integer defined in itsi_notable_event_severity.conf.
action.itsi_event_generator.param.severity = 2

# Label shown for the search drilldown link on the event/episode.
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events

# $result.host$ is substituted into this SPL string unquoted. The other example
# stanza writes host="$result.host$", which keeps a host value containing spaces
# or search operators from being parsed as extra search terms — prefer that
# quoted form when the field comes from event data.
action.itsi_event_generator.param.drilldown_search_search= index=_internal host=$result.host$

# Drilldown time window, in seconds. latest_offset is added to the event time.
# NOTE(review): the spec says earliest_offset is subtracted, yet this example
# passes -30 (subtracting a negative would look forward, not back) — confirm the
# intended sign convention before relying on it.
action.itsi_event_generator.param.drilldown_search_latest_offset = 30

action.itsi_event_generator.param.drilldown_search_earliest_offset = -30

# Label shown for the website drilldown link on the event/episode.
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"

# App-relative path opened by the website drilldown. The same literal-quote
# caveat as for param.title applies here — confirm before copying.
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"


This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.3.0, 4.3.1

