Final beta

trackme/default/macros.conf

@@ -1484,7 +1484,7 @@ definition = eval custom_current_detected_format = [ | `trackme_data_sampling_cu
 `comment("##### Detect multi-format #####")`\
 | eventstats dc(current_detected_format_id) as current_detected_format_dcount by data_name\
 \
-`comment("##### Merge per entitiy #####")`\
+`comment("##### Merge per entity #####")`\
 | stats values(raw_sample) as raw_sample, last(raw_sample) as raw_latest, values(current_detected_format) as current_detected_format, values(current_detected_format_id) as current_detected_format_id, first(*) as "*" by data_name\
 \
 `comment("##### Define data_sample_mtime #####")`\
@@ -1575,6 +1575,6 @@ definition = search index=_internal sourcetype=scheduler earliest=-4h latest=now
 | eval max_accepted_run_time_sec=`trackme_data_sampling_max_allowed_runtime_sec`\
 | eval max_entities_to_process=round(max_accepted_run_time_sec/potential_rate_sec, 0)\
 | table max_entities_to_process\
-| append [ | makeresults | eval max_entities_to_process=10 | fields - _time ]\
+| append [ | makeresults | eval max_entities_to_process=`trackme_data_sampling_default_sample_record_at_run` | fields - _time ]\
 | head 1 | return $max_entities_to_process
 iseval = 0

trackme/default/savedsearches.conf

@@ -80,7 +80,7 @@ search = | savedsearch runSPL [\
 | where data_sample_anomaly_ack_status!="uncleared"\
 \
 `comment("##### Finally generate the search to be used, the number of events sample to retrieve depends if this is the iteration for this entity #####")`\
-| eval events_sample_range=if(data_sample_iteration=0, 100, 10)\
+| eval events_sample_range=if(data_sample_iteration=0, `trackme_data_sampling_default_sample_record_at_discovery`, `trackme_data_sampling_default_sample_record_at_run`)\
 | eval spl=search_constraint . " | head " . events_sample_range . " | eval key = \"" . key . "\" | eval data_name = \"" . data_name . "\" | stats values(_raw) as raw_sample by key, data_name | mvexpand raw_sample"\
 | fields spl\
 \