
savedsearches.conf
The following are the spec and example files for savedsearches.conf.
savedsearches.conf.spec
# This file contains possible attribute/value pairs for saved search entries in
# savedsearches.conf. You can configure saved searches by creating your own
# savedsearches.conf.
#
# There is a default savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To
# set custom configurations, place a savedsearches.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. For examples, see
# savedsearches.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
Ping
action.itsi_sample_event_action_ping.param.host = <string>
* Field in the event indicating the host to ping.
* Required. If no value is provided, no host will be pinged.
* Set to a result token such as $result.host$ or $result.server$.
Event generator settings
action.itsi_event_generator = <boolean>
* Whether the alert is enabled.

action.itsi_event_generator.param.title = <string>
* The title of the notable event in Episode Review.
* Optional. If a title is not provided, the search name becomes the title.

action.itsi_event_generator.param.description = <string>
* A description of the notable event.
* Optional. If a description is not provided, the search description becomes the event description.

action.itsi_event_generator.param.owner = <string>
* The initial owner of the notable event.
* Optional. If an owner is not provided, default_owner is assigned.

action.itsi_event_generator.param.status = <string>
* The triage status of the event in Episode Review.
* Values must match an integer specified in the default version of itsi_notable_event_status.conf (or the local version if you created one).
* Optional. If a status is not provided, default_status is assigned.

action.itsi_event_generator.param.severity = <string>
* The level of importance of the event.
* Values must match an integer specified in the default version of itsi_notable_event_severity.conf (or the local version if you created one).
* Optional. If a severity is not provided, default_severity is assigned.

action.itsi_event_generator.param.itsi_instruction = <string>
* Instructions for how to address the notable event.
* Must use tokens such as %fieldname% to map the field name from an external event. Static instructions are not supported.
* You can use an aggregation policy to aggregate individual instructions into an episode. By default, episodes display the instructions for the first event in an episode.
* Optional.

action.itsi_event_generator.param.drilldown_search_title = <string>
* You can drill down to a specific Splunk search from an event or episode.
* The name of the drilldown search link.
* Optional.

action.itsi_event_generator.param.drilldown_search_search = <string>
* The drilldown search string.
* Optional.

action.itsi_event_generator.param.drilldown_search_latest_offset = <seconds>
* Defines how far ahead from the time of the event, in seconds, to look for related events.
* This offset is added to the event time.
* Optional.

action.itsi_event_generator.param.drilldown_search_earliest_offset = <seconds>
* Defines how far back from the time of the event, in seconds, to start looking for related events.
* This offset is subtracted from the event time.
* Optional.

action.itsi_event_generator.param.drilldown_title = <string>
* You can drill down to a specific website from an event or episode.
* The name of the drilldown website link.
* Optional.

action.itsi_event_generator.param.drilldown_uri = <string>
* The URI of the website you drill down to.
* Optional.

action.itsi_event_generator.param.event_identifier_fields = <comma-separated list>
* A list of fields used to identify whether a notable event is unique.
* Optional.
* This setting is useful for identifying whether a given notable event is already present.
* ITSI usually builds a hash using this set of fields.

action.itsi_event_generator.param.service_ids = <comma-separated list>
* A list of service IDs representing one or more ITSI services to which this correlation search applies.
* Optional.

action.itsi_event_generator.param.entity_lookup_field = <string>
* The field in the data retrieved by the correlation search that is used to look up corresponding entities. For example, host.
* Optional.

action.itsi_event_generator.param.search_type = <string>
* The search type.
* Optional.
* Default: custom

action.itsi_event_generator.param.meta_data = <string>
* The search type of any stored metadata.
* Optional.

action.itsi_event_generator.param.is_ad_at = <boolean>
* Whether this correlation search was created by enabling adaptive thresholding or anomaly detection (AT/AD) for KPIs or services.
* Optional.
* If "1", the correlation search was created by AT/AD.
* If "0", the correlation search was not created by AT/AD.

action.itsi_event_generator.param.ad_at_kpi_ids = <comma-separated list>
* A list of KPIs where AT/AD is enabled.
* Optional.
savedsearches.conf.example
# This is an example savedsearches.conf. Use this file to configure
# saved searches.
#
# To use one or more of these configurations, copy the configuration block
# into savedsearches.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

[Test ITSI Reporting Search]
cron_schedule = */5 * * * *
disabled = False
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
search = | stats count | eval demo="Demo Search" | fields - count
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = "Host $result.host$ is down"
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not
action.itsi_event_generator.param.owner = admin
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.severity = 2
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events
action.itsi_event_generator.param.drilldown_search_search = index=_internal host="$result.host$"
action.itsi_event_generator.param.drilldown_search_latest_offset = 30
action.itsi_event_generator.param.drilldown_search_earliest_offset = -30
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"

[Test ITSI Notable Event Search]
cron_schedule = */5 * * * *
disabled = False
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = True
search = index=_internal | head 4
alert.digest_mode = 0
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = "Host $result.host$ is down"
action.itsi_event_generator.param.description = Test if host $result.host$ is down or not
action.itsi_event_generator.param.owner = admin
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.severity = 2
action.itsi_event_generator.param.drilldown_search_title = Raw search of seeing $result.host$ events
action.itsi_event_generator.param.drilldown_search_search = index=_internal host=$result.host$
action.itsi_event_generator.param.drilldown_search_latest_offset = 30
action.itsi_event_generator.param.drilldown_search_earliest_offset = -30
action.itsi_event_generator.param.drilldown_title = Go to deep dive "$result.sourcetype$"
action.itsi_event_generator.param.drilldown_uri = "/en-US/app/itsi/search/"
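The spec above states several constraints that Splunk does not check for you at load time: status and severity must be integers that exist in itsi_notable_event_status.conf / itsi_notable_event_severity.conf, itsi_instruction must carry a %fieldname% token, the drilldown offsets are whole seconds, and a ping action with no param.host pings nothing. The linter below is an added example, not SA-ITOA's own code: it parses savedsearches.conf stanzas the way Splunk's INI-style layout is structured and reports violations. It assumes (marked in the code) a stand-in set of status/severity integers rather than reading the real .conf files, and that the ping action is enabled by `action.itsi_sample_event_action_ping = 1`, which follows the generic Splunk `action.<name>` alert-action convention rather than anything this spec says. It also applies one rule of its own that the spec does not require: it flags a `$result.*$` token spliced unquoted into drilldown_search_search, because that token is filled in from event data (compare the two example stanzas, which differ exactly on this point). The sample conf is constructed; its second stanza is deliberately broken.

```python
"""Lint ITSI savedsearches.conf stanzas against the spec constraints.
Added example, not SA-ITOA code.  Assumptions are marked inline."""
import configparser
import re

EG = "action.itsi_event_generator"
P = EG + ".param."
PING = "action.itsi_sample_event_action_ping"  # assumption: standard action.<name> switch

# Assumption: stand-ins for the integer IDs in the default status/severity
# .conf files.  Load the real files in production.
DEFAULT_STATUS_IDS = {0, 1, 2, 3, 4, 5}
DEFAULT_SEVERITY_IDS = {1, 2, 3, 4, 5, 6}

TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}
PCT_TOKEN = re.compile(r"%[A-Za-z0-9_]+%")               # %fieldname% in itsi_instruction
RESULT_TOKEN = re.compile(r"\$result\.[A-Za-z0-9_]+\$")  # $result.field$ substitution

# Constructed sample modelled on savedsearches.conf.example; the second
# stanza deliberately violates the spec so the linter has findings to report.
SAMPLE_CONF = """
[Test ITSI Notable Event Search]
search = index=_internal | head 4
action.itsi_event_generator = 1
action.itsi_event_generator.param.title = "Host $result.host$ is down"
action.itsi_event_generator.param.status = 1
action.itsi_event_generator.param.severity = 2
action.itsi_event_generator.param.itsi_instruction = Check %host% in the runbook
action.itsi_event_generator.param.drilldown_search_search = index=_internal host="$result.host$"
action.itsi_event_generator.param.drilldown_search_latest_offset = 30
action.itsi_event_generator.param.drilldown_search_earliest_offset = -30

[Broken Search]
search = index=_internal | head 1
action.itsi_event_generator = 1
action.itsi_event_generator.param.status = open
action.itsi_event_generator.param.severity = 9
action.itsi_event_generator.param.itsi_instruction = Restart the service
action.itsi_event_generator.param.drilldown_search_search = index=_internal host=$result.host$
action.itsi_event_generator.param.drilldown_search_latest_offset = 5m
action.itsi_sample_event_action_ping = 1
"""


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def is_int(value):
    return value.strip().lstrip("-").isdigit()


def parse_conf(text):
    """Splunk .conf files are INI-like: [stanza] headers and key = value lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (e.g. enableSched); do not lower-case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_event_generator(keys, status_ids, severity_ids):
    out = []
    for name, allowed in (("status", status_ids), ("severity", severity_ids)):
        raw = keys.get(P + name)
        if raw is None:
            continue  # optional: ITSI falls back to default_status / default_severity
        if not is_int(raw) or int(raw) not in allowed:
            out.append(f"{name}={raw!r} is not an integer defined in itsi_notable_event_{name}.conf")
    instr = keys.get(P + "itsi_instruction")
    if instr is not None and not PCT_TOKEN.search(instr):
        out.append("itsi_instruction has no %fieldname% token; static instructions are not supported")
    for name in ("drilldown_search_latest_offset", "drilldown_search_earliest_offset"):
        raw = keys.get(P + name)
        if raw is not None and not is_int(raw):
            out.append(f"{name}={raw!r} must be a whole number of seconds")
    # Linter's own rule, not a spec requirement: a $result.*$ token is filled
    # from event data, so flag it when it lands in the drilldown SPL unquoted.
    search = keys.get(P + "drilldown_search_search", "")
    for m in RESULT_TOKEN.finditer(search):
        quoted = search[m.start() - 1:m.start()] == '"' and search[m.end():m.end() + 1] == '"'
        if not quoted:
            out.append(f"{m.group(0)} is spliced into drilldown_search_search unquoted")
    return out


def lint(conf_text, status_ids=DEFAULT_STATUS_IDS, severity_ids=DEFAULT_SEVERITY_IDS):
    """Return {stanza: [problem, ...]} for every stanza with at least one finding."""
    findings = {}
    for stanza, keys in parse_conf(conf_text).items():
        problems = []
        if is_true(keys.get(EG, "0")):
            problems += check_event_generator(keys, status_ids, severity_ids)
        if is_true(keys.get(PING, "0")) and not keys.get(PING + ".param.host", "").strip():
            problems.append("ping action is enabled but param.host is empty, so nothing will be pinged")
        if problems:
            findings[stanza] = problems
    return findings


def lint_sample():
    return lint(SAMPLE_CONF)


if __name__ == "__main__":
    for stanza, problems in lint_sample().items():
        print(f"[{stanza}]")
        for problem in problems:
            print("  -", problem)
```

Run it against $SPLUNK_HOME/etc/apps/SA-ITOA/local/savedsearches.conf before restarting Splunk; the first sample stanza produces no findings, the broken one produces six, one per violated constraint. Replacing DEFAULT_STATUS_IDS and DEFAULT_SEVERITY_IDS with the integers read from your own status and severity .conf files turns the stand-in check into the real one.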
Last modified on 14 April, 2020
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only