From 7b53160e3db78f51dee666ab2b88bc4d05f8f7ed Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Fri, 1 Oct 2021 16:29:19 -0400
Subject: [PATCH] feat(itoa): Support entities

Update savedsearches.conf

chore: updates

update

Update itsi_entity_type.conf

update

Update savedsearches.conf

Update savedsearches.conf

feat

updates

Update sc4s_source_activity.xml
---
 .../data/ui/views/sc4s_source_activity.xml    | 219 ++++++++++++++++++
 package/default/itsi_entity_type.conf         |  44 ++++
 package/default/savedsearches.conf            |  38 +++
 3 files changed, 301 insertions(+)
 create mode 100644 package/default/data/ui/views/sc4s_source_activity.xml
 create mode 100644 package/default/itsi_entity_type.conf
 create mode 100644 package/default/savedsearches.conf

diff --git a/package/default/data/ui/views/sc4s_source_activity.xml b/package/default/data/ui/views/sc4s_source_activity.xml
new file mode 100644
index 0000000..ef3f911
--- /dev/null
+++ b/package/default/data/ui/views/sc4s_source_activity.xml
@@ -0,0 +1,219 @@
+<dashboard>
+  <label>SC4S Source Activity</label>
+  <row>    
+    <panel>
+      <chart>
+        <title>spl.mlog.per_host_thruput.kb</title>
+        <search>
+          <query>| mstats avg("spl.mlog.per_host_thruput.kb") prestats=true WHERE "index"="_metrics" AND [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+    filter="{\"title\": \"$title$\"}"
+    fields="title,host" 
+| eval value=spath(value,"{}") 
+| mvexpand value 
+| eval host=spath(value, "host{}") 
+| fields + host | rename host as series
+| format ] span=10s
+| timechart avg("spl.mlog.per_host_thruput.kb") AS Avg span=10s
+| fields - _span*</query>
+          <earliest>-1h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.axisY.abbreviation">auto</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.chart.nullValueMode">connect</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.fieldColors">{"Avg":"#1e93c6"}</option>
+        <option name="charting.fieldDashStyles">{"Avg":"solid"}</option>
+        <option name="charting.gridLinesX.showMajorLines">1</option>
+        <option name="charting.legend.mode">seriesCompare</option>
+        <option name="displayview">analytics_workspace</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+        <chart>
+          <title>spl.mlog.per_host_thruput.kbps</title>
+          <search>
+            <query>| mstats avg("spl.mlog.per_host_thruput.kbps") prestats=true WHERE "index"="_metrics" AND [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+              filter="{\"title\": \"$title$\"}"
+              fields="title,host" 
+          | eval value=spath(value,"{}") 
+          | mvexpand value 
+          | eval host=spath(value, "host{}") 
+          | fields + host | rename host as series
+          | format ] span=10s
+  | timechart avg("spl.mlog.per_host_thruput.kbps") AS Avg span=10s
+  | fields - _span*</query>
+            <earliest>-1h</earliest>
+            <latest>now</latest>
+          </search>
+          <option name="charting.axisY.abbreviation">auto</option>
+          <option name="charting.chart">line</option>
+          <option name="charting.chart.nullValueMode">connect</option>
+          <option name="charting.chart.showDataLabels">none</option>
+          <option name="charting.drilldown">none</option>
+          <option name="charting.fieldColors">{"Avg":"#1e93c6"}</option>
+          <option name="charting.fieldDashStyles">{"Avg":"solid"}</option>
+          <option name="charting.gridLinesX.showMajorLines">1</option>
+          <option name="charting.legend.mode">seriesCompare</option>
+          <option name="displayview">analytics_workspace</option>
+          <option name="refresh.display">progressbar</option>
+        </chart>
+      </panel>    
+  </row> 
+  <row>
+    <panel>
+      <chart>
+        <title>spl.mlog.per_host_thruput.max_age</title>
+        <search>
+          <query>| mstats avg("spl.mlog.per_host_thruput.max_age") prestats=true WHERE "index"="_metrics" AND [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+            filter="{\"title\": \"$title$\"}"
+            fields="title,host" 
+        | eval value=spath(value,"{}") 
+        | mvexpand value 
+        | eval host=spath(value, "host{}") 
+        | fields + host | rename host as series
+        | format ] span=10s
+| timechart avg("spl.mlog.per_host_thruput.max_age") AS Avg span=10s
+| fields - _span*</query>
+            <earliest>-1h</earliest>
+            <latest>now</latest>
+        </search>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.chart.nullValueMode">connect</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.fieldColors">{"Avg":"#1e93c6"}</option>
+        <option name="charting.gridLinesX.showMajorLines">true</option>
+        <option name="charting.axisY.abbreviation">auto</option>
+        <option name="charting.legend.mode">seriesCompare</option>
+        <option name="charting.fieldDashStyles">{"Avg":"solid"}</option>
+        <option name="displayview">analytics_workspace</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>spl.mlog.per_host_thruput.avg_age</title>
+        <search>
+          <query>| mstats avg("spl.mlog.per_host_thruput.avg_age") prestats=true WHERE "index"="_metrics" AND [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+            filter="{\"title\": \"$title$\"}"
+            fields="title,host" 
+        | eval value=spath(value,"{}") 
+        | mvexpand value 
+        | eval host=spath(value, "host{}") 
+        | fields + host | rename host as series
+        | format ] span=10s
+| timechart avg("spl.mlog.per_host_thruput.avg_age") AS Avg span=10s
+| fields - _span*</query>
+            <earliest>-1h</earliest>
+            <latest>now</latest>
+        </search>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.chart.nullValueMode">connect</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.fieldColors">{"Avg":"#1e93c6"}</option>
+        <option name="charting.gridLinesX.showMajorLines">true</option>
+        <option name="charting.axisY.abbreviation">auto</option>
+        <option name="charting.legend.mode">seriesCompare</option>
+        <option name="charting.fieldDashStyles">{"Avg":"solid"}</option>
+        <option name="displayview">analytics_workspace</option>
+      </chart>
+    </panel>
+  </row>  
+  <row>
+    <panel>
+      <title>Event Rate by sourcetype</title>
+      <chart>
+        <search>
+          <query>| tstats count where index=* sc4s_vendor_product=* 
+    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+        filter="{\"title\": \"$title$\"}"
+        fields="title,host" 
+    | eval value=spath(value,"{}") 
+    | mvexpand value 
+    | eval host=spath(value, "host{}") 
+    | fields + host 
+    | format
+        ]
+    by sourcetype,_time 
+| timechart sum(count) as val by sourcetype</query>
+          <earliest>-60m</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">preview</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Data Summary</title>
+        <search>
+          <query>| tstats count where index=* sc4s_vendor_product=* 
+    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+        filter="{\"title\": \"$title$\"}"
+        fields="title,host" 
+    | eval value=spath(value,"{}") 
+    | mvexpand value 
+    | eval host=spath(value, "host{}") 
+    | fields + host 
+    | format
+        ]
+    by index,source,sourcetype | addcoltotals</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">none</option>
+      </table>
+    </panel>
+    <panel>
+      <event>
+        <title>Malformed events</title>
+        <search>
+          <query>index=* sourcetype=sc4s:fallback sc4s_vendor_product=* 
+    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+        filter="{\"title\": \"$title$\"}"
+        fields="title,host" 
+    | eval value=spath(value,"{}") 
+    | mvexpand value 
+    | eval host=spath(value, "host{}") 
+    | fields + host 
+    | format
+        ]</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="list.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </event>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Data Path</title>
+        <search>
+          <query>| tstats count where index=* sc4s_vendor_product=* 
+    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
+        filter="{\"title\": \"$title$\"}"
+        fields="title,host" 
+    | eval value=spath(value,"{}") 
+    | mvexpand value 
+    | eval host=spath(value, "host{}") 
+    | fields + host 
+    | format
+        ]
+    by sc4s_container,sc4s_destport,sc4s_proto,sc4s_syslog_format</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </table>
+    </panel>
+  </row>
+</dashboard>
\ No newline at end of file
diff --git a/package/default/itsi_entity_type.conf b/package/default/itsi_entity_type.conf
new file mode 100644
index 0000000..ac908e4
--- /dev/null
+++ b/package/default/itsi_entity_type.conf
@@ -0,0 +1,44 @@
+##
+## SPDX-FileCopyrightText: 2020 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-1-2020
+##
+##
+
+[splunk:agent:sc4syslog]
+title = splunk:agent:sc4syslog
+description = Splunk Connect for Syslog Monitored source
+dashboard_drilldowns = [\
+    {\
+        "title": "SC4S Source Activity",\
+        "id": "sc4s_source_activity",\
+        "base_url": "",\
+        "dashboard_type": "xml_dashboard",\
+        "params": {\
+          "static_params": {},\
+          "alias_param_map": [\
+            {\
+              "alias": "itsi_entity",\
+              "param": "title"\
+            }\
+          ]\
+        }\
+    }\
+]
+data_drilldowns = []
+vital_metrics = []
+
+[splunk:vendor_product]
+title = splunk:vendor_product
+description = Common Vendor Product
+dashboard_drilldowns = []
+data_drilldowns = []
+vital_metrics = [ \
+    { \
+        "metric_name": "Syslog EPS", \
+        "search": "| tstats count where index=* by host _time span=1s | stats avg(count) as val by host _time", \
+        "split_by_fields": ["host"], \
+        "matching_entity_fields": ["host"], \
+        "is_key": 0, \
+        "unit": "events/s" \
+    }\
+    ]
diff --git a/package/default/savedsearches.conf b/package/default/savedsearches.conf
new file mode 100644
index 0000000..37aeaa5
--- /dev/null
+++ b/package/default/savedsearches.conf
@@ -0,0 +1,38 @@
+##
+## SPDX-FileCopyrightText: 2020 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-1-2020
+##
+##
+
+[ITSI Import Objects - splunk-add-on-for-sc4syslog-Hosts_Search]
+action.itsi_import_objects = 1
+action.itsi_import_objects.param.backfill_enabled = 0
+action.itsi_import_objects.param.entity_identifier_fields = dest,host,src,dvc
+action.itsi_import_objects.param.entity_informational_fields = splunk_vendor_product
+action.itsi_import_objects.param.entity_merge_field = itsi_entity
+action.itsi_import_objects.param.entity_title_field = itsi_entity
+action.itsi_import_objects.param.entity_type_field = itsi_entity_type
+action.itsi_import_objects.param.service_enabled = 1
+action.itsi_import_objects.param.service_team = default_itsi_security_group
+action.itsi_import_objects.param.service_templates_config = {}
+action.itsi_import_objects.param.update_type = upsert
+alert.track = 1
+cron_schedule = */15 * * * *
+dispatch.earliest_time = -15m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+enableSched = 1
+request.ui_dispatch_view = search
+schedule_window = auto
+allow_skew = 100%
+search = | tstats values(sc4s_vendor_product) as "splunk_vendor_product" values(sourcetype) as sourcetype where index=* by host,sc4s_fromhostip\
+| regex host!="\d+\.\d+\.\d+\.\d+" \
+| lookup itsi_entities identifier.values as sc4s_fromhostip OUTPUT informational.fields informational.values\
+| eval agg=ifnull(mvindex('informational.values',mvfind('informational.fields',"syslog_aggregation"),mvfind('informational.fields',"syslog_aggregation")),"false")\
+| eval src=if(agg=="true",lower(host),mvappend(host,sc4s_fromhostip) ) \
+| eval dest=if(agg=="true",lower(host),mvappend(host,sc4s_fromhostip) ) \
+| eval dvc=if(agg=="true",lower(host),mvappend(host,sc4s_fromhostip) ) \
+| eval itsi_entity=lower(host) \
+| eval itsi_entity_type="splunk:agent:sc4syslog" \
+| fields - entity_type_ids et_by_ip sc4s_fromhostip agg informational.fields informational.values
+disabled = 0
\ No newline at end of file