Macros

bh_stats_gen_constraints
The bh_stats_gen_constraints macro is used to control what data is examined by the bh_stats_gen
search when generating the metrics used by the alerting searches. The default
behavior is to exclude all data in the summary index, and all data from the stash sourcetype, but
include all other data.
NOTE: This macro is used within a tstats command, and therefore the macro's definition must be valid tstats syntax.

bh_stats_gen_additions
The bh_stats_gen_additions macro is used to insert arbitrary SPL into the bh_stats_gen
search in order to transform data before it is written to the summary index.
Example: use eventstats and eval statements to calculate custom metrics to be stored in
the summary data.

bh_alert_additions
The bh_alert_additions macro is used to insert arbitrary SPL into the alerting searches, in
order to transform data before it is written to the summary index.
Example: Apply subsearch logic from a monitoring system to automatically exclude hosts that are known to be offline.

default_contact
The default_contact macro is used only for the Broken Hosts Alert - by contact search. It
is used to set the default email address for items that don't have a separate contact listed in
the contact column of the lookup table.

default_expected_time
The default_expected_time macro is used to set a default lateSecs value for things not
defined in the lookup. The lateSecs value tells Broken Hosts how long a specific source of data
is allowed to go without sending data before an alert should be triggered. This setting is in
seconds, and defaults to 14400 (4 hours).
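
A local override of bh_stats_gen_constraints and default_expected_time, as an added example that is not taken from the app's own configuration. The file path placeholder, the index name lab_scratch, the 28800 value and the exact form of each definition are assumptions; only the stanza names and the defaults described above come from this page.

```ini
# <app directory>/local/macros.conf   (placeholder path, assumption)
# Added example: stanza names are from this page, definitions are constructed.

[bh_stats_gen_constraints]
# This text is expanded inside a tstats command, so it must stay valid
# tstats syntax: comparisons on indexed fields (index, sourcetype, source,
# host), wildcards and AND/OR/NOT. Pipes, eval functions and search-time
# extracted fields do not belong here.
#
# The first three terms restate the default behavior described above
# (everything except the summary index and the stash sourcetype).
# The last term additionally drops a constructed index, lab_scratch.
#
# Anything excluded here never reaches bh_stats_gen, so the alerting
# searches cannot flag a host that only logs to an excluded index.
definition = index=* index!=summary sourcetype!=stash index!=lab_scratch

[default_expected_time]
# Fallback lateSecs for anything not defined in the lookup, in seconds.
# 28800 = 8 hours (constructed value); the shipped default is 14400 (4 hours).
# Assumption: the definition is a bare number of seconds.
definition = 28800
```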