From c981c4bae5749b333b3f3a7066f84b3ee9552dd3 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Thu, 18 Jul 2024 12:53:50 -0500
Subject: [PATCH 1/3] Removing usage_searches.conf
---
 .../app_template/default/usage_searches.conf | 73 -------------------
 1 file changed, 73 deletions(-)
 delete mode 100644 contentctl/templates/app_template/default/usage_searches.conf
diff --git a/contentctl/templates/app_template/default/usage_searches.conf b/contentctl/templates/app_template/default/usage_searches.conf
deleted file mode 100644
index 0c8aa32c..00000000
--- a/contentctl/templates/app_template/default/usage_searches.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-[escu-metrics-usage]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*
-
-[escu-metrics-search]
-action.email.useNSSubject = 1
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_audit action=search | transaction search_id maxspan=3m | search ESCU | stats sum(total_run_time) avg(total_run_time) max(total_run_time) sum(result_count)
-
-[escu-metrics-search-events]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-enableSched = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = [search index=_audit sourcetype="audittrail" \"ESCU NOT "index=_audit" | where search !="" | dedup search_id | rex field=search "\"(?.*)\"" | rex field=_raw "user=(?[a-zA-Z0-9_\-]+)" | eval usage=if(savedsearch_name!="", "scheduled", "adhoc") | eval savedsearch_name=if(savedsearch_name != "", 
savedsearch_name, search_name) | table savedsearch_name search_id user _time usage | outputlookup escu_search_id.csv | table search_id] index=_audit total_run_time event_count result_count NOT "index=_audit" | lookup escu_search_id.csv search_id | stats count(savedsearch_name) AS search_count avg(total_run_time) AS search_avg_run_time sum(total_run_time) AS search_total_run_time sum(result_count) AS search_total_results earliest(_time) AS firsts latest(_time) AS lasts by savedsearch_name user usage| eval first_run=strftime(firsts, "%B %d %Y") | eval last_run=strftime(lasts, "%B %d %Y")
-
-[escu-metrics-search-longest-runtime]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-disabled = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_* ESCU [search index=_* action=search latest=-2h earliest=-1d| transaction search_id maxspan=3m | search ESCU | stats values(total_run_time) AS run by search_id | sort -run | head 1| table search_id] | table search search_id
-
-[escu-metrics-usage-search]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-enableSched = 1
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail. Ignore the last few minutes so we can exclude this search's text from the result.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. 
Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*
From 40af28c590347d76f7023e74962868f75b14ae43 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Thu, 18 Jul 2024 13:31:14 -0500
Subject: [PATCH 2/3] Missed app.conf
---
 contentctl/templates/app_template/default/app.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/contentctl/templates/app_template/default/app.conf b/contentctl/templates/app_template/default/app.conf
index 2e303162..c6991ff5 100644
--- a/contentctl/templates/app_template/default/app.conf
+++ b/contentctl/templates/app_template/default/app.conf
@@ -8,7 +8,6 @@ build = 16367
 [triggers]
 reload.analytic_stories = simple
-reload.usage_searches = simple
 reload.use_case_library = simple
 reload.correlationsearches = simple
 reload.analyticstories = simple
From 2e2524c89a850aebd4d41f2b784d4cd8592bdd50 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Thu, 18 Jul 2024 13:42:19 -0500
Subject: [PATCH 3/3] Version bump for patch
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 817a3c0c..6b5dec71 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "contentctl"
-version = "4.1.3"
+version = "4.1.4"
 description = "Splunk Content Control Tool"
 authors = ["STRT "]
 license = "Apache 2.0"