Merge pull request #33 from guilhemmarchand/version_1019_fix

Version 1019 fix

.circleci/config.yml

@@ -41,7 +41,7 @@ jobs:
       - run:
           name: grab appinspect
           command: |
-            curl -Ls http://dev.splunk.com/goto/appinspectdownload -o appinspect-lastest.tar.gz
+            curl -Ls https://download.splunk.com/misc/appinspect/splunk-appinspect-2.0.0.tar.gz -o appinspect-lastest.tar.gz
             mkdir appinspect-latest
             tar -zxvf appinspect-lastest.tar.gz -C appinspect-latest --strip-components=1
       - run:

docs/releasenotes.rst

@@ -1,6 +1,11 @@
 Release notes
 #############
 
+Version 1.0.19
+==============
+
+- Fix: Issue #32, if the data is offline for a long period that is out of the scope of the long term trackers, the last lag seen in seconds is not properly updated at each run time of the trackers.
+
 Version 1.0.18
 ==============
 

trackme/default/app.conf

@@ -16,4 +16,4 @@ label = TrackMe - Easy data tracking system for Splunk admins
 [launcher]
 author = Guilhem Marchand
 description = Easy data tracking system for Splunk admins
-version = 1.0.18
+version = 1.0.19

trackme/default/savedsearches.conf

@@ -11,9 +11,9 @@ enableSched = 1
 request.ui_dispatch_app = trackme
 request.ui_dispatch_view = trackme
 search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as current_data_last_time_seen where index=* sourcetype=* `trackme_tstats_main_filter` `apply_data_source_blacklists_data_retrieve` by index, sourcetype\
-| eval current_data_last_lag_seen=now()-current_data_last_time_seen\
+| eval current_data_last_lag_seen=now()-current_data_last_time_seen, data_source_is_online="true"\
 | rename index as data_index, sourcetype as data_sourcetype\
-| append [ |inputlookup trackme_data_source_monitoring | eval key=_key]\
+| append [ | inputlookup trackme_data_source_monitoring | eval key=_key]\
 | stats first(key) as _key, first(*) as "*" by data_index, data_sourcetype\
 | eval data_last_lag_seen=if(isnotnull(current_data_last_lag_seen), current_data_last_lag_seen, data_last_lag_seen)\
 | eval data_last_time_seen=if(isnotnull(current_data_last_time_seen), current_data_last_time_seen, data_last_time_seen)\
@@ -35,6 +35,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup local=t trackme_data_source_monitoring data_name OUTPUT data_source_state as data_previous_source_state, data_tracker_runtime as data_previous_tracker_runtime\
 | append [ | inputlookup trackme_audit_flip | where object_category="data_source" | eval _time=time | stats max(_time) as latest_flip_time, latest(object_state) as latest_flip_state by object | rename object as data_name ]\
 | stats first(_key) as _key, first(*) as "*" by data_name\
+| eval data_last_lag_seen=if(data_source_is_online="true", data_last_lag_seen, now()-data_last_time_seen)\
 | outputlookup trackme_data_source_monitoring append=t key_field=_key\
 | lookup local=t trackme_data_source_monitoring data_name OUTPUT data_name as FOUND | where isnull(FOUND) | fields - FOUND\
 | outputlookup trackme_data_source_monitoring append=t\
@@ -49,9 +50,9 @@ enableSched = 1
 request.ui_dispatch_app = trackme
 request.ui_dispatch_view = trackme
 search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as current_data_last_time_seen where index=* sourcetype=* `trackme_tstats_main_filter` `apply_data_source_blacklists_data_retrieve` by index, sourcetype\
-| eval current_data_last_lag_seen=now()-current_data_last_time_seen\
+| eval current_data_last_lag_seen=now()-current_data_last_time_seen, data_source_is_online="true"\
 | rename index as data_index, sourcetype as data_sourcetype\
-| append [ |inputlookup trackme_data_source_monitoring | eval key=_key]\
+| append [ | inputlookup trackme_data_source_monitoring | eval key=_key]\
 | stats first(key) as _key, first(*) as "*" by data_index, data_sourcetype\
 | eval data_last_lag_seen=if(isnotnull(current_data_last_lag_seen), current_data_last_lag_seen, data_last_lag_seen)\
 | eval data_last_time_seen=if(isnotnull(current_data_last_time_seen), current_data_last_time_seen, data_last_time_seen)\
@@ -73,6 +74,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup local=t trackme_data_source_monitoring data_name OUTPUT data_source_state as data_previous_source_state, data_tracker_runtime as data_previous_tracker_runtime\
 | append [ | inputlookup trackme_audit_flip | where object_category="data_source" | eval _time=time | stats max(_time) as latest_flip_time, latest(object_state) as latest_flip_state by object | rename object as data_name ]\
 | stats first(_key) as _key, first(*) as "*" by data_name\
+| eval data_last_lag_seen=if(data_source_is_online="true", data_last_lag_seen, now()-data_last_time_seen)\
 | outputlookup trackme_data_source_monitoring append=t key_field=_key\
 | lookup local=t trackme_data_source_monitoring data_name OUTPUT data_name as FOUND | where isnull(FOUND) | fields - FOUND\
 | outputlookup trackme_data_source_monitoring append=t\
@@ -144,7 +146,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup trackme_custom_lagging_definition name as index OUTPUTNEW value as data_custom_max_lag_allowed\
 | lookup trackme_custom_lagging_definition name as sourcetype OUTPUTNEW value as data_custom_max_lag_allowed\
 | stats max(current_data_last_ingest) as current_data_last_ingest, max(current_data_last_time_seen) as current_data_last_time_seen, values(index) as index, values(sourcetype) as sourcetype, max(data_custom_max_lag_allowed) as data_custom_max_lag_allowed by host\
-| eval current_data_last_lag_seen=now()-current_data_last_time_seen\
+| eval current_data_last_lag_seen=now()-current_data_last_time_seen, data_host_is_online="true"\
 | rename host as data_host, index as data_index, sourcetype as data_sourcetype\
 | eval data_host=upper(data_host)\
 | search NOT [ | inputlookup trackme_audit_changes | where action="success" AND change_type="delete permanent" | eval _time=time/1000 | where _time>relative_time(now(), "-7d") | table object | dedup object | sort limit=0 object | rename object as data_host ]\
@@ -166,6 +168,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup local=t trackme_host_monitoring data_host OUTPUT data_host_state as data_previous_host_state, data_tracker_runtime as data_previous_tracker_runtime\
 | append [ | inputlookup trackme_audit_flip | where object_category="data_host" | eval _time=time | stats max(_time) as latest_flip_time, latest(object_state) as latest_flip_state by object | rename object as data_host ]\
 | stats first(_key) as _key, first(*) as "*" by data_host\
+| eval data_last_lag_seen=if(data_host_is_online="true", data_last_lag_seen, now()-data_last_time_seen)\
 | outputlookup trackme_host_monitoring append=t key_field=_key\
 | lookup local=t trackme_host_monitoring data_host OUTPUT data_host as FOUND | where isnull(FOUND) | fields - FOUND\
 | outputlookup trackme_host_monitoring append=t\
@@ -183,7 +186,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup trackme_custom_lagging_definition name as index OUTPUTNEW value as data_custom_max_lag_allowed\
 | lookup trackme_custom_lagging_definition name as sourcetype OUTPUTNEW value as data_custom_max_lag_allowed\
 | stats max(current_data_last_ingest) as current_data_last_ingest, max(current_data_last_time_seen) as current_data_last_time_seen, values(index) as index, values(sourcetype) as sourcetype, max(data_custom_max_lag_allowed) as data_custom_max_lag_allowed by host\
-| eval current_data_last_lag_seen=now()-current_data_last_time_seen\
+| eval current_data_last_lag_seen=now()-current_data_last_time_seen, data_host_is_online="true"\
 | rename host as data_host, index as data_index, sourcetype as data_sourcetype\
 | eval data_host=upper(data_host)\
 | search NOT [ | inputlookup trackme_audit_changes | where action="success" AND change_type="delete permanent" | eval _time=time/1000 | where _time>relative_time(now(), "-7d") | table object | dedup object | sort limit=0 object | rename object as data_host ]\
@@ -205,6 +208,7 @@ search  = | tstats max(_indextime) as current_data_last_ingest, max(_time) as cu
 | lookup local=t trackme_host_monitoring data_host OUTPUT data_host_state as data_previous_host_state, data_tracker_runtime as data_previous_tracker_runtime\
 | append [ | inputlookup trackme_audit_flip | where object_category="data_host" | eval _time=time | stats max(_time) as latest_flip_time, latest(object_state) as latest_flip_state by object | rename object as data_host ]\
 | stats first(_key) as _key, first(*) as "*" by data_host\
+| eval data_last_lag_seen=if(data_host_is_online="true", data_last_lag_seen, now()-data_last_time_seen)\
 | outputlookup trackme_host_monitoring append=t key_field=_key\
 | lookup local=t trackme_host_monitoring data_host OUTPUT data_host as FOUND | where isnull(FOUND) | fields - FOUND\
 | outputlookup trackme_host_monitoring append=t\