Splunk® Infrastructure Monitoring Add-on

Splunk Infrastructure Monitoring Add-on

event query syntax

The event operator in the Splunk Infrastructure Monitoring Add-on retrieves Splunk Infrastructure Monitoring events generated by detectors. It uses the following syntax:

| sim event query=<string> limit=<integer> offset=<integer> org_id=<string>

The POST /v2/event API endpoint returns Splunk Infrastructure Monitoring-generated events. The events have a name prefixed by sf_ to indicate that Splunk Infrastructure Monitoring owns them.

Search parameters

Parameter Description Type Required Notes
query Search criteria that specifies the custom events you want to return. String Required The query parameter must be some combination of key:value pairs joined together by AND, OR or NOT. The available keys are: incidentId, is, sf_eventCategory, sf_eventCreatedOnMs, sf_eventType, sf_notificationString, sf_resolutionMs, sf_schema, and was.
limit The number of custom events to return. Integer Optional If you specify -1, the API returns 1000 results. The value of limit is an upper boundary on the number of results. The API might return fewer results depending on the other query parameters. If not specified, the default limit is 10000, which is the maximum number of events the API can return per query.
offset The index in the query result set at which the API starts sending results to you. Integer Optional For example, 0 is the first result in the set, and 10 is the 11th result.
org_id Specify the ID of the Infrastructure Monitoring organization to fetch data from. String Optional If not specified, the default organization ID is used.

Query parameters

Parameter Type Description
incidentID String The ID of the Splunk Infrastructure Monitoring incident that this event is part of. In the response this field becomes sf_incidentId.
is String Whether the event is a trigger event or a clear event. A trigger event is anomalous and a clear event is ok.
sf_eventCategory String Always ALERT because the events are triggered by Splunk Infrastructure Monitoring alerts.
sf_eventCreatedOnMs Integer The time an event was created in Splunk Infrastructure Monitoring in Unix time, specified in milliseconds. This time is always later than the timestamp due to lag.
sf_eventType String The detector ID concatenated with the rule name in Splunk Infrastructure Monitoring. Uniquely identifies the version of the detector that sent the notification.
sf_notificationString String The Alert Message for a detector in Splunk Infrastructure Monitoring.
sf_resolutionMs Integer The resolution of a computation is normally set by SignalFlow to match the incoming frequency of the data. You can ask for a minimum resolution, which forces the computation to operate at a coarser resolution than the one that SignalFlow assigns. Set the resolution in milliseconds.
sf_schema Integer The schema version for this event. The value is always 3.
was String The prior state of an event. Will either be anomalous or ok.

Usage examples

The following search gets incoming event data where the event category is ALERT. These events occur when a detector triggers or clears an alert.

| sim event query="sf_eventCategory:ALERT" limit = 10 offset = 1

The following search gets events that have been created by the rule named ITSI_Rule_1. The is field must be anomalous which means a detector created the event.

| sim event query="sf_eventType:*ITSI_Rule_1* AND is:anomalous"

The following search gets all events generated by the detector with the specified detector ID. The sf_eventType field is the detector ID concatenated with the rule name.

| sim event query="sf_eventType:*EVqZqZvA0AA__EUkDNBvA0AA*"

The following search fetches events created by a rule with a name containing Rule_1 from a specific Infrastructure Monitoring organization:

| sim event query="sf_eventType:*Rule_1* OR sf_resolutionMs:1000" org_id=EUdM8ESA4AA

The following search gets all events generated by the detector with the specified detector ID. The sf_eventType field is the detector ID concatenated with the rule name:

| sim event query="NOT sf_eventType:*EVqZqZvA0AA__EUkDNBvA0AA* AND was:ok"

The following search gets events where the condition in parentheses is not true:

| sim event query="NOT (sf_eventCategory:*ALERT* AND was:ok)"

event query response

The response to an event query request is a list of all the events with various fields matching the query and time range. All events have the following fields:

  • id
  • is
  • sf_eventCategory
  • sf_eventCreatedOnMs
  • sf_eventType
  • sf_incidentId
  • sf_notificationString
  • sf_resolutionMs
  • sf_schema
  • timestamp
  • tsId
  • was

In addition, any fields with the prefix signal_resource correspond to the resource related to the rule specified in Splunk Infrastructure Monitoring. For example:

  • signal_resource_sf_metric - The metric on which the rule is based, which is the basis for generating events.
  • signal_resource_value - The value of the metric which caused an event to be generated.

All fields with the prefix signal_threshold correspond to the thresholds set by users who created rules in Splunk Infrastructure Monitoring. For aggregate events, the resource value appears with the prefix signal_threshold.

Last modified on 27 June, 2024
flow query syntax   Cleanup obsolete libraries

This documentation applies to the following versions of Splunk® Infrastructure Monitoring Add-on: 1.2.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters