Related Answers
This documentation does not apply to the most recent version of ITSI.
Click here for the latest version.
Download topic as PDF
savedsearches.conf
The following are the spec and example files for savedsearches.conf.
savedsearches.conf.spec
# This file contains possible attribute/value pairs for saved search entries in # savedsearches.conf. You can configure saved searches by creating your own # savedsearches.conf. # # There is a default savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To # set custom configurations, place a savedsearches.conf in # $SPLUNK_HOME/etc/apps/SA-ITOA/local/. For examples, see # savedsearches.conf.example. You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
Ping
action.itsi_sample_event_action_ping.param.host = <string> * Field in the event indicating the host to ping. * Required. If no value is provided, no host will be pinged. * Set to $result.host$ or $result.server$ etc...
Event generator settings
action.itsi_event_generator = <boolean> * Whether the alert is enabled. action.itsi_event_generator.param.title = <string> * The title of the notable event in Episode Review. * Optional. If title is not provided then the search name becomes the title. action.itsi_event_generator.param.description = <string> * A description of the notable event. * Optional. If a description is not provided then the search description becomes the event description. action.itsi_event_generator.param.owner = <string> * The initial owner of the notable event. * Optional. If an owner is not provided then default_owner is assigned. action.itsi_event_generator.param.status = <string> * The triage status of the event in Episode Review. * Values must match an integer specified in the default version of itsi_notable_event_status.conf (or the local version if you created one). * Optional. If a status is not provided then default_status is assigned. action.itsi_event_generator.param.severity = <string> * The level of importance of the event. * Values must match an integer specified in the default version of itsi_notable_event_severity.conf (or the local version if you created one). * Optional. If a severity is not provided then default_severity is assigned. action.itsi_event_generator.param.itsi_instruction = <string> * Instructions for how to address the notable event. * Must use tokens such as %fieldname% to map the field name from an external event. Static instructions are not supported. * You can use an aggregation policy to aggregate individual instructions into an episode. By default, episodes display the instructions for the first event in an episode. * Optional. action.itsi_event_generator.param.drilldown_search_title = <string> * You can drill down to a specific Splunk search from an event or episode. * The name of the drilldown search link. * Optional. action.itsi_event_generator.param.drilldown_search_search= <string> * The drilldown search string. * Optional. action.itsi_event_generator.param.drilldown_search_latest_offset = <seconds> * Defines how far ahead from the time of the event, in seconds, to look for related events. * This offset is added to the event time. * Optional. action.itsi_event_generator.param.drilldown_search_earliest_offset = <string> * Defines how far back from the time of the event, in seconds, to start looking for related events. * This offset is subtracted from the event time. * Optional. action.itsi_event_generator.param.drilldown_title = <string> * You can drill down to a specific website from an event or episode. * The name of the drilldown website link. * Optional. action.itsi_event_generator.param.drilldown_uri = <string> * The URI of the website you drill down to. * Optional. action.itsi_event_generator.param.event_identifier_fields = <comma-separated list> * A list of fields used to identify if a notable event is unique. * Optional. * This setting is useful for identifying if a given notable event is already present. * ITSI usually builds a hash using this set of fields. action.itsi_event_generator.param.service_ids = <comma-separated list> * A list of service IDs representing one or more ITSI services to which this correlation search applies. * Optional. action.itsi_event_generator.param.entity_lookup_field = <string> * The field in the data retrieved by the correlation search that is used to look up corresponding entities. For example, host. * Optional. action.itsi_event_generator.param.search_type = <string> * The search type. * Optional. * Default: custom action.itsi_event_generator.param.meta_data = <string> * The search type of any stored metadata. * Optional. action.itsi_event_generator.param.is_ad_at = <boolean> * Whether this correlation is created by enabling adaptive thresholding or anomaly detection (AT/AD) for KPIs or services. * Optional. * If "1", the correlation is created by AT/AD. * If "0", the correlation is not created by AT/AD. action.itsi_event_generator.param.ad_at_kpi_ids = <comma-separated list> * A list of KPIs where AT/AD is enabled. * Optional.
savedsearches.conf.example
# This is an example savedsearches.conf. Use this file to configure # saved searches. # # To use one or more of these configurations, copy the configuration block # into savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local. # You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles [Test ITSI Reporting Search] cron_schedule = */5 * * * * disabled = False dispatch.earliest_time = -5m dispatch.latest_time = now enableSched = True search = | stats count | eval demo="Demo Search" | fields - count action.itsi_event_generator = 1 action.itsi_event_generator.param.title = "Host $result.host$ is down" action.itsi_event_generator.param.description = Test if host $result.host$ is down or not action.itsi_event_generator.param.owner = admin action.itsi_event_generator.param.status = 1 action.itsi_event_generator.param.severity = 2 action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events action.itsi_event_generator.param.drilldown_search_search= index=_internal host="$result.host$" action.itsi_event_generator.param.drilldown_search_latest_offset = 30 action.itsi_event_generator.param.drilldown_search_earliest_offset = -30 action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$" action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/" [Test ITSI Notable Event Search] cron_schedule = */5 * * * * disabled = False dispatch.earliest_time = -5m dispatch.latest_time = now enableSched = True search = index=_internal | head 4 alert.digest_mode = 0 action.itsi_event_generator = 1 action.itsi_event_generator.param.title = "Host $result.host$ is down" action.itsi_event_generator.param.description = Test if host $result.host$ is down or not action.itsi_event_generator.param.owner = admin action.itsi_event_generator.param.status = 1 action.itsi_event_generator.param.severity = 2 action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events action.itsi_event_generator.param.drilldown_search_search= index=_internal host=$result.host$ action.itsi_event_generator.param.drilldown_search_latest_offset = 30 action.itsi_event_generator.param.drilldown_search_earliest_offset = -30 action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$" action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"
Last modified on 14 April, 2020
|
PREVIOUS restmap.conf |
NEXT searchbnf.conf |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only
Feedback submitted, thanks!