Splunk® Content Packs for ITSI and IT Essentials Work


Normalizing cheat sheets for the Content Pack for ITSI Monitoring and Alerting

Use these cheat sheets when normalizing an alert source. For the Eval/REX Expression section, write down how the value of this field is derived from SPL, as either an eval or rex expression. For example, for the src field, if an existing field can be aliased, express this as an eval function, then list the name of the existing field as the expression. In an SPL search, examples might look like this:

| eval src = nodename
or
| eval severity_id=case(status="down", 6, status="up", 2, 1=1, 1)
or
| rex "\"alert_name\":\"(?<signature>.*?)\""


Add the SPL from the example to a cheat sheet as shown in the following table.


Normalized Field | Eval or Extract? | Eval/REX Expression | Notes
src | eval | nodename | a simple alias
severity_id | eval | case(status="down", 6, status="up", 2, 1=1, 1) | can use any 'eval' expression
rex1 | extract | \"alert_name\":\"(?<signature>.*?)\" | don't include the outermost quotation marks from the 'rex' statement

Other examples are listed in the tables that follow the blank cheat sheet.

Cheat Sheet - Blank

Item | Value | Notes
Source or Sourcetype | Ex: sourcetype=nagios |
Index | Ex: index=alerts |

Normalized Field | Eval or Extract? | Eval/REX Expression | Notes
itsiInclude | eval | "false" | (Recommended) Do this one FIRST; change to "true" AFTER testing
src | | | (Required) if 'src' already exists and is unsuitable, alias it to 'orig_src'
signature | | | (Required)
vendor_severity | | | (Required)
severity_id | eval | | (Required)
subcomponent | | | (Recommended) May not be relevant for all alert sources
description | | | (Recommended)
app | eval | | (Recommended)
itsiNotableTitle | | | (Optional)
itsiDrilldownSearch | | | (Optional)
itsiDrilldownURI | | | (Optional)
itsiDrilldownWeb | | | (Optional)
itsi_instruction | | | (Optional)
entity_name | | | (Optional)

Cheat Sheet - Nagios example

Nagios alerts tend to come in two flavors: service and host; each is formatted slightly differently, with some field name differences. The following example assumes that both flavors are in the same sourcetype. This is why some of the normalized fields below use coalesce rather than a simple alias.

Your Nagios implementation might have different fields and values than the examples shown here.

Item | Value | Notes
Source or Sourcetype | sourcetype | nagios-alerts
Index | nagios |

Normalized Field | Eval or Extract? | Eval/REX Expression | Notes
itsiInclude | eval | "false" | Do this one FIRST; change to "true" AFTER testing. Double-quotes are needed
src | eval | src_host | alias for 'src_host'; ex: "server42"
signature | eval | coalesce(name,"check_host_availability") | ex: "check_cpu", "check_disk"
vendor_severity | eval | coalesce(severity, hoststate) |
severity_id | eval | case(severity="CRITICAL", 6, severity="WARNING", 3, severity="OK", 2, hoststate="down", 6, hoststate="up", 2, 1=1, 1) | the final clause (1=1, 1) is a catch-all: if none of the earlier conditions match, severity_id is set to 1 ("unknown")
subcomponent | | | May not be relevant for all alert sources
description | eval | reason | alias for 'reason'; ex: "Memory utilization 90 is above threshold"
app | eval | "Nagios" | Double-quotes are needed
itsiNotableTitle | | | optional
itsiDrilldownSearch | | | optional
itsiDrilldownURI | | | optional
itsiDrilldownWeb | | | optional
itsi_instruction | | | optional
entity_name | | | optional
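The following Python is an added, runnable illustration and is not code from this page or from Splunk. It models the Nagios cheat sheet above, plus the eval alias, case(), and rex examples from the introduction, so that the mapping can be checked offline before it is written as SPL. coalesce() and case() are small stand-ins for the SPL functions of the same name; the three Nagios events and the JSON line are constructed sample input, and REQUIRED_FIELDS and missing_required() are assumptions added to check the (Required) rows of the blank cheat sheet.

```python
import re

# Constructed sample events (not taken from the page): a Nagios service
# alert, a Nagios host alert, and a service alert with a severity the
# cheat sheet does not map. Field names follow the Nagios cheat sheet.
NAGIOS_SERVICE_ALERT = {
    "src_host": "server42",
    "name": "check_cpu",
    "severity": "CRITICAL",
    "reason": "CPU utilization 95 is above threshold",
}
NAGIOS_HOST_ALERT = {
    "src_host": "server42",
    "hoststate": "down",
    "reason": "Host check timed out",
}
NAGIOS_UNMAPPED_ALERT = {
    "src_host": "server7",
    "name": "check_disk",
    "severity": "FLAPPING",
    "reason": "Disk check state is flapping",
}

# Constructed raw JSON event for the rex example from the introduction.
RAW_JSON_EVENT = '{"alert_name":"Web Login Check","status":"down"}'

# SPL equivalent: | rex "\"alert_name\":\"(?<signature>.*?)\""
# Python's re module spells a named group (?P<name>...) where SPL rex uses
# (?<name>...); otherwise this is the cheat-sheet expression without the
# outermost SPL quotation marks.
SIGNATURE_REX = re.compile(r'"alert_name":"(?P<signature>.*?)"')

# Fields the blank cheat sheet marks (Required) (assumed list for this check).
REQUIRED_FIELDS = ("src", "signature", "vendor_severity", "severity_id")


def coalesce(*values):
    """Model of SPL coalesce(): the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def case(*pairs):
    """Model of SPL case(cond1, val1, cond2, val2, ...).

    Conditions arrive already evaluated; comparing a missing field is
    False here, just as comparing against null is false in SPL.
    """
    if len(pairs) % 2:
        raise ValueError("case() takes condition/value pairs")
    for condition, value in zip(pairs[::2], pairs[1::2]):
        if condition:
            return value
    return None  # SPL case() yields null when no condition matches


def extract_signature(raw_event):
    """Apply the rex pattern to a raw event and return the signature field."""
    match = SIGNATURE_REX.search(raw_event)
    return match.group("signature") if match else None


def normalize_nagios(event):
    """Apply the Nagios cheat sheet rows to one event dict."""
    severity = event.get("severity")
    hoststate = event.get("hoststate")
    return {
        "itsiInclude": "false",                # flip to "true" only after testing
        "src": event.get("src_host"),          # alias for 'src_host'
        "signature": coalesce(event.get("name"), "check_host_availability"),
        "vendor_severity": coalesce(severity, hoststate),
        "severity_id": case(
            severity == "CRITICAL", 6,
            severity == "WARNING", 3,
            severity == "OK", 2,
            hoststate == "down", 6,
            hoststate == "up", 2,
            True, 1,                           # the 1=1, 1 catch-all
        ),
        "description": event.get("reason"),   # alias for 'reason'
        "app": "Nagios",
    }


def missing_required(normalized):
    """Names of (Required) fields that are still null after normalization."""
    return [name for name in REQUIRED_FIELDS if normalized.get(name) is None]


if __name__ == "__main__":
    for sample in (NAGIOS_SERVICE_ALERT, NAGIOS_HOST_ALERT, NAGIOS_UNMAPPED_ALERT):
        out = normalize_nagios(sample)
        print(out, "missing:", missing_required(out))
    print("rex signature:", extract_signature(RAW_JSON_EVENT))
```

Because of the 1=1 catch-all, severity_id is never null, so an event whose severity or hoststate did not map still receives severity_id 1; a null vendor_severity is the better signal that the source fields were not what the cheat sheet expected, which is why it is worth checking while itsiInclude is still "false".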

Cheat Sheet - Solarwinds example

Your Solarwinds implementation might have different fields and values than the examples shown here.

Item | Value | Notes
Source or Sourcetype | sourcetype | solarwinds-alerts
Index | solarwinds |

Normalized Field | Eval or Extract? | Eval/REX Expression | Notes
itsiInclude | eval | "false" | Do this one FIRST; change to "true" AFTER testing
src | eval | nodename | alias for 'nodename'; ex: "server42"
signature | eval | AlertName | alias for 'AlertName'; ex: "Web Login Check"
vendor_severity | eval | status | alias for 'status'; ex: "up" or "down"
severity_id | eval | case(status="down", 6, status="up", 2, status="critical", 6, status="warning", 3, 1=1, 1) | the final clause (1=1, 1) is a catch-all: if none of the earlier conditions match, severity_id is set to 1 ("unknown")
subcomponent | | | May not be relevant for all alert sources
description | eval | AlertDescription | alias for 'AlertDescription'
app | eval | "Solarwinds" | Double-quotes are needed
itsiNotableTitle | | | optional
itsiDrilldownSearch | | | optional
itsiDrilldownURI | eval | "http://solarwinds.mydomain.com/Orion/View.aspx?NetObject=" . NetObject | this is an example; the quoted URL prefix is concatenated with the NetObject field
itsiDrilldownWeb | eval | "Orion Node Details" | this is an example
itsi_instruction | | | optional
entity_name | | | optional

Last modified on 27 October, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
