fixing savedsearches.conf

HurricaneLabs · Jul 5, 2023 · 6300d82 · 6300d82
1 parent 44597d1
commit 6300d82
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 2 deletions.
diff --git a/app.manifest b/app.manifest
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "broken_hosts",
-      "version": "4.2.0"
+      "version": "4.2.1"
     },
     "author": [
       {

diff --git a/default/app.conf b/default/app.conf
@@ -18,4 +18,4 @@ reload.bh = simple
 [launcher]
 author = Hurricane Labs
 description = Broken Hosts App for Splunk collects data that can be used to generate alerts when hosts stop sending data
-version = 4.2.0
+version = 4.2.1
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -1,4 +1,15 @@
 [Broken Hosts - Auto Sort]
+alert.track = 0
+cron_schedule = 8-59/10 * * * *
+description = Automatically Sort the expectedTime suppression table in a way that prevents false positives on suppressed items.
+disabled = 0
+dispatch.earliest_time = 0
+dispatch.ttl = 300
+display.general.timeRangePicker.show = 0
+enableSched = 1
+request.ui_dispatch_app = broken_hosts
+request.ui_dispatch_view = search
+schedule_window = 5
 action.webhook.enable_allowlist = 0
 search = | inputlookup expectedTime\
 | rex mode=sed field=index "s/\*/~/g" | rex mode=sed field=sourcetype "s/\*/~/g" | rex mode=sed field=host "s/\*/~/g"\
@@ -40,6 +51,21 @@ index!="~" AND sourcetype=="~" AND host=="~" AND lateSecs!=0 AND suppressUntil==
 | outputlookup expectedTime
 
 [Broken Hosts Alert Search]
+alert.suppress = 1
+alert.suppress.period = 24h
+alert.track = 0
+counttype = number of events
+cron_schedule = */30 * * * *
+description = Sample Broken Hosts Alert - uses summary data
+disabled = 1
+dispatch.earliest_time = -30d@d
+display.general.type = statistics
+display.page.search.tab = statistics
+enableSched = 1
+quantity = 0
+relation = greater than
+request.ui_dispatch_app = broken_hosts
+request.ui_dispatch_view = search
 action.webhook.enable_allowlist = 0
 alert.track = 1
 search = index=summary source="bh_stats_gen" | `bh_alert_additions` | typer | rex field=eventtype "bh_aggregate-(?<aggregate_fields>.*)" | eval aggregate_fields=if(isnull(aggregate_fields),orig_index.",".orig_sourcetype.",".orig_host,aggregate_fields)\
@@ -64,6 +90,29 @@ search = index=summary source="bh_stats_gen" | `bh_alert_additions` | typer | re
 | rename last AS "Time Of Last Data" howLate AS "Time Since Last Data"
 
 [Broken Hosts Alert - by contact]
+action.email = 1
+action.email.format = csv
+action.email.include.results_link = 0
+action.email.message.alert = The alert condition for '$name$' was triggered.\
+\
+$result.Message$
+alert.digest_mode = 0
+alert.suppress = 1
+alert.suppress.fields = contact,suppressfield
+alert.suppress.period = 2h
+alert.track = 0
+counttype = number of events
+cron_schedule = */30 * * * *
+description = Sample Broken Hosts Alert - designed to allow you to send different data to different contacts
+disabled = 1
+dispatch.earliest_time = -30d@d
+display.general.type = statistics
+display.page.search.tab = statistics
+enableSched = 1
+quantity = 0
+relation = greater than
+request.ui_dispatch_app = broken_hosts
+request.ui_dispatch_view = search
 action.email.to = $result.contact$
 action.webhook.enable_allowlist = 0
 search = index=summary source="bh_stats_gen" | `bh_alert_additions` | typer | rex field=eventtype "bh_aggregate-(?<aggregate_fields>.*)" | eval aggregate_fields=if(isnull(aggregate_fields),orig_index.",".orig_sourcetype.",".orig_host,aggregate_fields)\