@sgman

sgman/Datamodel Secret

Created April 21, 2015 20:55
Alert_Datamodel
9480beeb-966b-4770-9a8a-54f2a0e0183c
{"job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92", "updated": "2015-04-21T11:50:08-07:00", "severity": 4, "result_id": 0, "incident_id": "9480beeb-966b-4770-9a8a-54f2a0e0183c", "ttl": 86400, "impact": "medium", "origin": "https://127.0.0.1:8089/services/search/jobs", "priority": "low", "paging": {"total": 1, "offset": 0, "perPage": 0}, "entry": [{"published": "2015-04-21T11:50:02.000-07:00", "content": {"isRealTimeSearch": false, "messages": [], "ttl": 120, "numPreviews": 0, "searchCanBeEventType": false, "latestTime": "2015-04-21T11:50:00.000-07:00", "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "label": "Test Alert", "eventFieldCount": 0, "bundleVersion": "169942505631719635", "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "performance": {"dispatch.stream.local": {"invocations": 1, "duration_secs": 0.013}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"invocations": 1, "input_count": 0, "duration_secs": 0.001, "output_count": 4437}, "command.search.index.usec_64_512": {"invocations": 17}, "command.search.fieldalias": {"invocations": 44, "input_count": 9643, "duration_secs": 0.227, "output_count": 9643}, "dispatch.stream.remote": {"invocations": 52, "input_count": 0, "duration_secs": 3.611, "output_count": 282732}, "dispatch.check_disk_usage": {"invocations": 1, "duration_secs": 0.001}, "startup.configuration": {"invocations": 9, "duration_secs": 0.479}, "command.search.lookups": {"invocations": 44, "input_count": 9643, "duration_secs": 0.042, "output_count": 9643}, "command.search.index.usec_8_64": {"invocations": 140}, "command.search.index.usec_4096_32768": {"invocations": 2}, 
"dispatch.stream.remote.XXXXXips3.XXXXX": {"invocations": 10, "input_count": 0, "duration_secs": 0.683, "output_count": 55158}, "startup.handoff": {"invocations": 9, "duration_secs": 31.083}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"invocations": 9, "input_count": 0, "duration_secs": 0.817, "output_count": 49361}, "command.search.tags": {"invocations": 44, "input_count": 587, "duration_secs": 0.044, "output_count": 587}, "command.search.filter": {"invocations": 45, "duration_secs": 0.173}, "command.stats.execute_input": {"invocations": 54, "duration_secs": 0.035}, "dispatch.parserThread": {"invocations": 52, "duration_secs": 0.061}, "command.search.summary": {"invocations": 53, "duration_secs": 0.031}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"invocations": 10, "input_count": 0, "duration_secs": 0.818, "output_count": 54133}, "dispatch.stream.remote.XXXXXips5.XXXXX": {"invocations": 9, "input_count": 0, "duration_secs": 0.429, "output_count": 49097}, "command.search": {"invocations": 54, "input_count": 104, "duration_secs": 3.604, "output_count": 591}, "dispatch.fetch": {"invocations": 54, "duration_secs": 1.897}, "dispatch.evaluate.eval": {"invocations": 1, "duration_secs": 0.001}, "command.search.calcfields": {"invocations": 44, "input_count": 9643, "duration_secs": 0.04, "output_count": 9643}, "dispatch.writeStatus": {"invocations": 7, "duration_secs": 0.028}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"invocations": 1, "input_count": 0, "duration_secs": 0.001, "output_count": 4432}, "command.addinfo": {"invocations": 53, "input_count": 587, "duration_secs": 0.053, "output_count": 587}, "command.search.typer": {"invocations": 44, "input_count": 587, "duration_secs": 0.039, "output_count": 587}, "command.eval": {"invocations": 53, "input_count": 587, "duration_secs": 0.053, "output_count": 587}, "command.search.kv": {"invocations": 44, "duration_secs": 1.553}, "command.stats.execute_output": {"invocations": 1, "duration_secs": 0.001}, 
"dispatch.stream.remote.XXXXXips4.XXXXX": {"invocations": 11, "input_count": 0, "duration_secs": 0.86, "output_count": 61681}, "dispatch.createdSearchResultInfrastructure": {"invocations": 1, "duration_secs": 1.14}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"invocations": 1, "input_count": 0, "duration_secs": 0.001, "output_count": 4433}, "dispatch.localSearch": {"invocations": 1, "duration_secs": 0.014}, "command.fields": {"invocations": 53, "input_count": 587, "duration_secs": 0.043, "output_count": 587}, "command.search.index.usec_1_8": {"invocations": 51669}, "command.search.rawdata": {"invocations": 44, "duration_secs": 1.482}, "dispatch.evaluate": {"invocations": 1, "duration_secs": 0.652}, "dispatch.evaluate.stats": {"invocations": 1, "duration_secs": 0.001}, "dispatch.evaluate.search": {"invocations": 2, "duration_secs": 0.645}, "command.prestats": {"invocations": 53, "input_count": 587, "duration_secs": 0.066, "output_count": 115}}, "isTimeCursored": true, "doneProgress": 1, "dropCount": 0, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "eventIsTruncated": true, "resultCount": 4, "defaultSaveTTL": "604800", "eventSorting": "none", "eventIsStreaming": true, "isDone": true, "resultIsStreaming": false, "priority": 5, "searchEarliestTime": 1429641600, "cursorTime": "1969-12-31T16:00:00.000-08:00", "isSaved": false, "statusBuckets": 0, "dispatchState": "DONE", "keywords": "eventcode::4625 eventcode::529 eventcode::530 
eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "isGoodSummarizationCandidate": true, "isPaused": false, "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "eventCount": 587, "eventAvailableCount": 0, "earliestTime": "2015-04-21T11:40:00.000-07:00", "diskUsage": 167936, "resultPreviewCount": 4, "runDuration": 5.251, "isSavedSearch": true, "fieldMetadataResults": {"Account_Name": {"type": "str", "groupby_rank": "1"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}, "host": {"type": "unknown", "groupby_rank": "0"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}}, "canSummarize": true, "request": {"max_count": "500000", "rt_backfill": "0", "reduce_freq": "10", "ui_dispatch_view": "search", "time_format": "%FT%T.%Q%:z", "index_earliest": "", "latest_time": "now", "spawn_process": "1", "auto_pause": "0", "max_time": "0", "lookups": "1", "ui_dispatch_app": "search", "buckets": "0", "index_latest": "", "indexedRealtime": "", "earliest_time": "-10m", "auto_cancel": "0"}, "isFinalized": false, "fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "fieldMetadataStatic": {"Account_Name": {"type": "unknown", "groupby_rank": "1"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}, "host": {"type": "unknown", "groupby_rank": "0"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}}, "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92", "pid": "1980", "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval 
Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "isBatchModeSearch": true, "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "delegate": "scheduler", "defaultTTL": "600", "isPreviewEnabled": false, "isRemoteTimeline": false, "scanCount": 9643, "searchLatestTime": 1429642200, "isZombie": false, "isFailed": false}, "links": {"results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/results_preview", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/results", "alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/timeline", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/events", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/search.log", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/control", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92/summary"}, "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "acl": {"app": "search", "ttl": "120", "perms": {"read": ["*", "XXmeXX"], 
"write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"]}, "can_write": true, "modifiable": true, "owner": "XXmeXX", "sharing": "global"}, "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642200_92", "updated": "2015-04-21T11:50:08.000-07:00", "author": "XXmeXX"}], "urgency": "low", "links": {}, "generator": {"version": "6.2.1", "build": "245427"}}
1389a4de-ac87-4c7a-b0e8-26fc81ca8a66
{"incident_id": "1389a4de-ac87-4c7a-b0e8-26fc81ca8a66", "result_id": 0, "severity": 4, "updated": "2015-04-21T11:49:05-07:00", "job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85", "impact": "medium", "ttl": 86400, "entry": [{"updated": "2015-04-21T11:49:05.000-07:00", "links": {"alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/results", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/events", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/control", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/summary", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/search.log", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/timeline", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85/results_preview"}, "content": {"fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "dropCount": 0, "request": {"spawn_process": "1", "reduce_freq": "10", "ui_dispatch_view": "search", "max_count": "500000", "latest_time": "now", "time_format": "%FT%T.%Q%:z", "rt_backfill": "0", "lookups": "1", "max_time": "0", "buckets": "0", "ui_dispatch_app": "search", "auto_cancel": "0", "earliest_time": "-10m", "indexedRealtime": "", "auto_pause": "0", "index_latest": "", "index_earliest": ""}, "doneProgress": 1, "statusBuckets": 0, "pid": "1849", "eventSorting": "none", "resultCount": 4, "fieldMetadataStatic": {"Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "unknown"}, "host": {"groupby_rank": "0", 
"type": "unknown"}}, "isPreviewEnabled": false, "scanCount": 10051, "delegate": "scheduler", "isDone": true, "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85", "cursorTime": "1969-12-31T16:00:00.000-08:00", "isGoodSummarizationCandidate": true, "messages": [], "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "isSaved": false, "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "dispatchState": "DONE", "numPreviews": 0, "searchCanBeEventType": false, "isPaused": false, "searchEarliestTime": 1429641540, "eventFieldCount": 0, "eventCount": 616, "label": "Test Alert", "performance": {"command.search.kv": {"duration_secs": 1.566, "invocations": 45}, "command.search.typer": {"output_count": 616, "duration_secs": 0.037, "input_count": 616, "invocations": 45}, "command.addinfo": {"output_count": 616, "duration_secs": 0.054, "input_count": 616, "invocations": 54}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 4437, "duration_secs": 0.001, "input_count": 0, "invocations": 1}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"output_count": 61978, "duration_secs": 0.789, "input_count": 0, "invocations": 11}, "command.search.index.usec_8_64": {"invocations": 199}, "command.stats.execute_output": {"duration_secs": 0.001, "invocations": 1}, "command.search.calcfields": {"output_count": 10051, "duration_secs": 0.039, "input_count": 10051, "invocations": 45}, "command.eval": {"output_count": 616, "duration_secs": 0.054, "input_count": 616, "invocations": 54}, "command.search.index.usec_1_8": {"invocations": 58531}, "command.fields": {"output_count": 616, "duration_secs": 0.039, "input_count": 616, "invocations": 54}, "dispatch.localSearch": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 4433, "duration_secs": 0.001, 
"input_count": 0, "invocations": 1}, "dispatch.evaluate.eval": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote": {"output_count": 287501, "duration_secs": 3.039, "input_count": 0, "invocations": 53}, "dispatch.createdSearchResultInfrastructure": {"duration_secs": 0.457, "invocations": 1}, "command.prestats": {"output_count": 83, "duration_secs": 0.056, "input_count": 616, "invocations": 54}, "dispatch.writeStatus": {"duration_secs": 0.023, "invocations": 7}, "dispatch.evaluate.search": {"duration_secs": 0.291, "invocations": 2}, "command.search.rawdata": {"duration_secs": 0.968, "invocations": 45}, "dispatch.check_disk_usage": {"duration_secs": 0.002, "invocations": 1}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 4429, "duration_secs": 0.001, "input_count": 0, "invocations": 1}, "command.search.fieldalias": {"output_count": 10051, "duration_secs": 0.258, "input_count": 10051, "invocations": 45}, "command.stats.execute_input": {"duration_secs": 0.03, "invocations": 55}, "startup.handoff": {"duration_secs": 13.971, "invocations": 9}, "dispatch.stream.local": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 48896, "duration_secs": 0.549, "input_count": 0, "invocations": 9}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 54283, "duration_secs": 0.637, "input_count": 0, "invocations": 10}, "startup.configuration": {"duration_secs": 0.404, "invocations": 9}, "command.search.index.usec_64_512": {"invocations": 26}, "command.search.lookups": {"output_count": 10051, "duration_secs": 0.04, "input_count": 10051, "invocations": 45}, "dispatch.evaluate.stats": {"duration_secs": 0.001, "invocations": 1}, "command.search.summary": {"duration_secs": 0.028, "invocations": 54}, "dispatch.parserThread": {"duration_secs": 0.053, "invocations": 53}, "command.search.filter": {"duration_secs": 0.135, "invocations": 46}, "command.search.tags": {"output_count": 616, "duration_secs": 0.045, 
"input_count": 616, "invocations": 45}, "dispatch.fetch": {"duration_secs": 1.572, "invocations": 55}, "command.search": {"output_count": 620, "duration_secs": 3.031, "input_count": 71, "invocations": 55}, "dispatch.stream.remote.XXXXXips5.XXXXX": {"output_count": 48720, "duration_secs": 0.33, "input_count": 0, "invocations": 9}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 60325, "duration_secs": 0.729, "input_count": 0, "invocations": 11}, "dispatch.evaluate": {"duration_secs": 0.29, "invocations": 1}}, "defaultTTL": "600", "diskUsage": 167936, "earliestTime": "2015-04-21T11:39:00.000-07:00", "eventIsTruncated": true, "isFinalized": false, "canSummarize": true, "isTimeCursored": true, "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "defaultSaveTTL": "604800", "ttl": 120, "searchLatestTime": 1429642140, "resultIsStreaming": false, "eventIsStreaming": true, "isBatchModeSearch": true, "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "isFailed": false, "isZombie": false, "runDuration": 2.989, "priority": 5, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval 
Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "isRealTimeSearch": false, "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "latestTime": "2015-04-21T11:49:00.000-07:00", "eventAvailableCount": 0, "isRemoteTimeline": false, "fieldMetadataResults": {"Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "str"}, "host": {"groupby_rank": "0", "type": "unknown"}}, "isSavedSearch": true, "resultPreviewCount": 4, "bundleVersion": "13877816470879543412"}, "published": "2015-04-21T11:49:01.000-07:00", "author": "XXmeXX", "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "acl": {"perms": {"write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"], "read": ["*", "XXmeXX"]}, "modifiable": true, "app": "search", "ttl": "120", 
"sharing": "global", "owner": "XXmeXX", "can_write": true}, "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642140_85"}], "paging": {"offset": 0, "perPage": 0, "total": 1}, "priority": "low", "links": {}, "origin": "https://127.0.0.1:8089/services/search/jobs", "generator": {"build": "245427", "version": "6.2.1"}, "urgency": "low"}
5cb660b2-5aa6-4eb8-9171-9c09dd3c5c91
{"paging": {"total": 1, "perPage": 0, "offset": 0}, "result_id": 0, "priority": "low", "generator": {"build": "245427", "version": "6.2.1"}, "incident_id": "5cb660b2-5aa6-4eb8-9171-9c09dd3c5c91", "impact": "medium", "ttl": 86400, "urgency": "low", "origin": "https://127.0.0.1:8089/services/search/jobs", "job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81", "severity": 4, "updated": "2015-04-21T11:48:06-07:00", "entry": [{"author": "XXmeXX", "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "acl": {"sharing": "global", "owner": "XXmeXX", "modifiable": true, "app": "search", "perms": {"write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"], "read": ["*", "XXmeXX"]}, "can_write": true, "ttl": "120"}, "published": "2015-04-21T11:48:01.000-07:00", "updated": "2015-04-21T11:48:06.000-07:00", "links": {"search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/search.log", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/events", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/results_preview", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/summary", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/control", "alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81", "timeline": 
"/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/timeline", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81/results"}, "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81", "content": {"earliestTime": "2015-04-21T11:38:00.000-07:00", "diskUsage": 167936, "resultIsStreaming": false, "fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "searchCanBeEventType": false, "defaultTTL": "600", "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "messages": [], "fieldMetadataResults": {"host": {"type": "unknown", "groupby_rank": "0"}, "Account_Name": {"type": "str", "groupby_rank": "1"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}}, "searchEarliestTime": 1429641480, "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642080_81", "label": "Test Alert", "canSummarize": true, "runDuration": 3.312, "cursorTime": "1969-12-31T16:00:00.000-08:00", "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "scanCount": 9236, "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "isGoodSummarizationCandidate": true, "statusBuckets": 0, "eventAvailableCount": 0, "isFailed": false, "isPreviewEnabled": false, "isTimeCursored": true, "eventCount": 787, "eventFieldCount": 0, "isDone": true, "doneProgress": 1, "eventSorting": "none", "isRemoteTimeline": false, "request": {"max_count": "500000", "buckets": "0", "rt_backfill": "0", "reduce_freq": "10", "index_earliest": "", "latest_time": "now", "index_latest": "", 
"auto_cancel": "0", "max_time": "0", "auto_pause": "0", "spawn_process": "1", "indexedRealtime": "", "lookups": "1", "ui_dispatch_view": "search", "earliest_time": "-10m", "ui_dispatch_app": "search", "time_format": "%FT%T.%Q%:z"}, "isBatchModeSearch": true, "defaultSaveTTL": "604800", "pid": "1756", "isPaused": false, "resultPreviewCount": 6, "isFinalized": false, "numPreviews": 0, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "eventIsStreaming": true, "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "delegate": "scheduler", "isSaved": false, "latestTime": "2015-04-21T11:48:00.000-07:00", "ttl": 120, "performance": {"command.prestats": {"output_count": 69, "invocations": 52, "duration_secs": 0.057, "input_count": 787}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 4437, "invocations": 1, "duration_secs": 0.001, "input_count": 0}, 
"dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 4436, "invocations": 1, "duration_secs": 0.001, "input_count": 0}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 54587, "invocations": 10, "duration_secs": 0.794, "input_count": 0}, "dispatch.evaluate": {"invocations": 1, "duration_secs": 0.409}, "command.stats.execute_input": {"invocations": 53, "duration_secs": 0.037}, "command.search.filter": {"invocations": 44, "duration_secs": 0.144}, "dispatch.evaluate.stats": {"invocations": 1, "duration_secs": 0.001}, "command.fields": {"output_count": 787, "invocations": 52, "duration_secs": 0.04, "input_count": 787}, "startup.configuration": {"invocations": 9, "duration_secs": 0.362}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 54439, "invocations": 10, "duration_secs": 0.715, "input_count": 0}, "command.search.index.usec_8_64": {"invocations": 172}, "dispatch.fetch": {"invocations": 53, "duration_secs": 1.805}, "command.search.index.usec_1_8": {"invocations": 49629}, "dispatch.parserThread": {"invocations": 51, "duration_secs": 0.051}, "dispatch.stream.remote.XXXXXips5.XXXXX": {"output_count": 43306, "invocations": 8, "duration_secs": 0.288, "input_count": 0}, "dispatch.stream.local": {"invocations": 1, "duration_secs": 0.002}, "command.search.rawdata": {"invocations": 43, "duration_secs": 1.133}, "startup.handoff": {"invocations": 9, "duration_secs": 14.362}, "command.search": {"output_count": 793, "invocations": 53, "duration_secs": 2.985, "input_count": 57}, "command.search.tags": {"output_count": 787, "invocations": 43, "duration_secs": 0.043, "input_count": 787}, "dispatch.evaluate.search": {"invocations": 2, "duration_secs": 0.409}, "dispatch.stream.remote": {"output_count": 275711, "invocations": 51, "duration_secs": 2.995, "input_count": 0}, "command.addinfo": {"output_count": 787, "invocations": 52, "duration_secs": 0.052, "input_count": 787}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 48911, "invocations": 9, 
"duration_secs": 0.511, "input_count": 0}, "dispatch.createdSearchResultInfrastructure": {"invocations": 1, "duration_secs": 0.444}, "command.search.fieldalias": {"output_count": 9236, "invocations": 43, "duration_secs": 0.22, "input_count": 9236}, "command.search.kv": {"invocations": 43, "duration_secs": 1.369}, "command.search.summary": {"invocations": 52, "duration_secs": 0.032}, "dispatch.check_disk_usage": {"invocations": 1, "duration_secs": 0.001}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"output_count": 61164, "invocations": 11, "duration_secs": 0.684, "input_count": 0}, "command.stats.execute_output": {"invocations": 1, "duration_secs": 0.001}, "command.search.calcfields": {"output_count": 9236, "invocations": 43, "duration_secs": 0.035, "input_count": 9236}, "command.search.lookups": {"output_count": 9236, "invocations": 43, "duration_secs": 0.039, "input_count": 9236}, "command.search.index.usec_64_512": {"invocations": 31}, "dispatch.localSearch": {"invocations": 1, "duration_secs": 0.003}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 4431, "invocations": 1, "duration_secs": 0.001, "input_count": 0}, "dispatch.writeStatus": {"invocations": 7, "duration_secs": 0.018}, "command.search.typer": {"output_count": 787, "invocations": 43, "duration_secs": 0.041, "input_count": 787}, "command.eval": {"output_count": 787, "invocations": 52, "duration_secs": 0.052, "input_count": 787}, "dispatch.evaluate.eval": {"invocations": 1, "duration_secs": 0.001}}, "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "searchLatestTime": 1429642080, "dropCount": 0, "priority": 5, "isRealTimeSearch": false, "isZombie": false, "bundleVersion": "3791306767668187665", 
"fieldMetadataStatic": {"host": {"type": "unknown", "groupby_rank": "0"}, "Account_Name": {"type": "unknown", "groupby_rank": "1"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}}, "dispatchState": "DONE", "resultCount": 6, "eventIsTruncated": true, "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "isSavedSearch": true}}], "links": {}}
incident_id not extracted by datamodel
{"impact": "medium", "links": {}, "ttl": 86400, "priority": "low", "entry": [{"content": {"latestTime": "2015-04-21T11:47:00.000-07:00", "defaultSaveTTL": "604800", "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79", "resultPreviewCount": 8, "canSummarize": true, "isRealTimeSearch": false, "resultIsStreaming": false, "numPreviews": 0, "eventAvailableCount": 0, "ttl": 120, "fieldMetadataStatic": {"Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "unknown"}, "host": {"groupby_rank": "0", "type": "unknown"}}, "isTimeCursored": true, "delegate": "scheduler", "isPaused": false, "label": "Test Alert", "priority": 5, "searchLatestTime": 1429642020, "searchEarliestTime": 1429641420, "dropCount": 0, "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "bundleVersion": "4131087042072784433", "isZombie": false, "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "defaultTTL": "600", "performance": {"dispatch.localSearch": {"duration_secs": 0.002, "invocations": 1}, "dispatch.stream.remote.XXXXXips5.XXXXX": 
{"output_count": 43088, "input_count": 0, "duration_secs": 0.204, "invocations": 8}, "dispatch.writeStatus": {"duration_secs": 0.03, "invocations": 7}, "command.search.tags": {"output_count": 1040, "input_count": 1040, "duration_secs": 0.046, "invocations": 46}, "dispatch.evaluate": {"duration_secs": 0.292, "invocations": 1}, "command.search.rawdata": {"duration_secs": 0.997, "invocations": 46}, "command.search.fieldalias": {"output_count": 10120, "input_count": 10120, "duration_secs": 0.214, "invocations": 46}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 4435, "input_count": 0, "duration_secs": 0.001, "invocations": 1}, "command.search": {"output_count": 1048, "input_count": 60, "duration_secs": 2.714, "invocations": 56}, "command.eval": {"output_count": 1040, "input_count": 1040, "duration_secs": 0.055, "invocations": 55}, "command.search.summary": {"duration_secs": 0.032, "invocations": 55}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 4432, "input_count": 0, "duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote": {"output_count": 291493, "input_count": 0, "duration_secs": 2.723, "invocations": 54}, "startup.handoff": {"duration_secs": 13.136, "invocations": 9}, "dispatch.fetch": {"duration_secs": 1.541, "invocations": 56}, "dispatch.evaluate.search": {"duration_secs": 0.292, "invocations": 2}, "dispatch.evaluate.eval": {"duration_secs": 0.001, "invocations": 1}, "command.prestats": {"output_count": 73, "input_count": 1040, "duration_secs": 0.058, "invocations": 55}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"output_count": 59813, "input_count": 0, "duration_secs": 0.689, "invocations": 11}, "dispatch.stream.local": {"duration_secs": 0.001, "invocations": 1}, "dispatch.check_disk_usage": {"duration_secs": 0.001, "invocations": 1}, "command.search.calcfields": {"output_count": 10120, "input_count": 10120, "duration_secs": 0.038, "invocations": 46}, "command.stats.execute_input": {"duration_secs": 0.033, "invocations": 
56}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 4432, "input_count": 0, "duration_secs": 0.001, "invocations": 1}, "dispatch.parserThread": {"duration_secs": 0.054, "invocations": 54}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"output_count": 65165, "input_count": 0, "duration_secs": 0.578, "invocations": 12}, "command.search.typer": {"output_count": 1040, "input_count": 1040, "duration_secs": 0.036, "invocations": 46}, "dispatch.createdSearchResultInfrastructure": {"duration_secs": 0.354, "invocations": 1}, "command.addinfo": {"output_count": 1040, "input_count": 1040, "duration_secs": 0.055, "invocations": 55}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"output_count": 48813, "input_count": 0, "duration_secs": 0.485, "invocations": 9}, "command.search.index.usec_64_512": {"invocations": 22}, "dispatch.evaluate.stats": {"duration_secs": 0.001, "invocations": 1}, "command.search.index.usec_1_8": {"invocations": 50155}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"output_count": 61315, "input_count": 0, "duration_secs": 0.764, "invocations": 11}, "command.stats.execute_output": {"duration_secs": 0.004, "invocations": 1}, "command.search.index.usec_512_4096": {"invocations": 1}, "command.search.kv": {"duration_secs": 1.312, "invocations": 46}, "command.fields": {"output_count": 1040, "input_count": 1040, "duration_secs": 0.031, "invocations": 55}, "command.search.index.usec_8_64": {"invocations": 146}, "command.search.filter": {"duration_secs": 0.115, "invocations": 47}, "startup.configuration": {"duration_secs": 0.412, "invocations": 9}, "command.search.lookups": {"output_count": 10120, "input_count": 10120, "duration_secs": 0.04, "invocations": 46}}, "eventIsTruncated": true, "resultCount": 8, "eventIsStreaming": true, "isFailed": false, "diskUsage": 167936, "request": {"ui_dispatch_app": "search", "auto_cancel": "0", "auto_pause": "0", "index_earliest": "", "time_format": "%FT%T.%Q%:z", "rt_backfill": "0", "ui_dispatch_view": "search", "max_time": 
"0", "buckets": "0", "spawn_process": "1", "reduce_freq": "10", "latest_time": "now", "index_latest": "", "indexedRealtime": "", "earliest_time": "-10m", "lookups": "1", "max_count": "500000"}, "isRemoteTimeline": false, "isFinalized": false, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "scanCount": 10120, "isSavedSearch": true, "isSaved": false, "isGoodSummarizationCandidate": true, "earliestTime": "2015-04-21T11:37:00.000-07:00", "eventSorting": "none", "eventFieldCount": 0, "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "statusBuckets": 0, "isDone": true, "isPreviewEnabled": false, "fieldMetadataResults": {"Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "str"}, "host": {"groupby_rank": "0", "type": "unknown"}}, "isBatchModeSearch": true, "messages": [], "runDuration": 2.901, "searchCanBeEventType": false, "pid": "1637", "doneProgress": 1, "cursorTime": "1969-12-31T16:00:00.000-08:00", "dispatchState": "DONE", "eventCount": 1040, "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 
eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "fieldMetadataEvents": {"Account_Name": {"type": "str"}}}, "acl": {"can_write": true, "owner": "XXmeXX", "app": "search", "sharing": "global", "modifiable": true, "ttl": "120", "perms": {"write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"], "read": ["*", "XXmeXX"]}}, "links": {"results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/results", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/summary", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/control", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/events", "alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/results_preview", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/search.log", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79/timeline"}, "updated": "2015-04-21T11:47:05.000-07:00", "published": "2015-04-21T11:47:01.000-07:00", "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "id": 
"https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79", "author": "XXmeXX"}], "paging": {"perPage": 0, "offset": 0, "total": 1}, "severity": 4, "incident_id": "4da295a1-141d-48de-a2ee-e7eff2ce0e3b", "result_id": 0, "generator": {"version": "6.2.1", "build": "245427"}, "urgency": "low", "origin": "https://127.0.0.1:8089/services/search/jobs", "updated": "2015-04-21T11:47:05-07:00", "job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429642020_79"}
incident_id was not extracted by the datamodel
{"job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77", "result_id": 0, "severity": 4, "impact": "medium", "links": {}, "ttl": 86400, "priority": "low", "entry": [{"name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77", "author": "XXmeXX", "content": {"canSummarize": true, "ttl": 120, "request": {"time_format": "%FT%T.%Q%:z", "buckets": "0", "max_time": "0", "ui_dispatch_app": "search", "auto_cancel": "0", "max_count": "500000", "latest_time": "now", "auto_pause": "0", "reduce_freq": "10", "index_latest": "", "earliest_time": "-10m", "index_earliest": "", "lookups": "1", "indexedRealtime": "", "rt_backfill": "0", "spawn_process": "1", "ui_dispatch_view": "search"}, "isSaved": false, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR 
EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "isDone": true, "isRemoteTimeline": false, "priority": 5, "diskUsage": 167936, "eventCount": 1377, "numPreviews": 0, "isZombie": false, "scanCount": 10161, "resultPreviewCount": 9, "isFailed": false, "isPaused": false, "isPreviewEnabled": false, "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "searchLatestTime": 1429641960, "messages": [], "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "bundleVersion": "6809621089509359817", "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "earliestTime": "2015-04-21T11:36:00.000-07:00", "searchEarliestTime": 1429641360, "cursorTime": "1969-12-31T16:00:00.000-08:00", "runDuration": 2.921, "isRealTimeSearch": false, "resultIsStreaming": false, "dropCount": 0, "delegate": "scheduler", "statusBuckets": 0, "label": "Test Alert", "eventSorting": "none", "defaultSaveTTL": "604800", "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77", "performance": {"dispatch.evaluate": {"duration_secs": 0.26, "invocations": 1}, "command.stats.execute_output": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote.XXXXXips3.XXXXX": 
{"input_count": 0, "duration_secs": 0.001, "output_count": 4436, "invocations": 1}, "command.search.typer": {"input_count": 1377, "duration_secs": 0.035, "output_count": 1377, "invocations": 44}, "dispatch.createdSearchResultInfrastructure": {"duration_secs": 0.282, "invocations": 1}, "command.search": {"input_count": 67, "duration_secs": 3.276, "output_count": 1386, "invocations": 54}, "dispatch.fetch": {"duration_secs": 1.831, "invocations": 54}, "command.search.rawdata": {"duration_secs": 1.181, "invocations": 44}, "dispatch.localSearch": {"duration_secs": 0.001, "invocations": 1}, "command.search.calcfields": {"input_count": 10161, "duration_secs": 0.041, "output_count": 10161, "invocations": 44}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "duration_secs": 0.425, "output_count": 43476, "invocations": 8}, "command.stats.execute_input": {"duration_secs": 0.038, "invocations": 54}, "command.search.tags": {"input_count": 1377, "duration_secs": 0.044, "output_count": 1377, "invocations": 44}, "dispatch.stream.local": {"duration_secs": 0.001, "invocations": 1}, "dispatch.evaluate.stats": {"duration_secs": 0.001, "invocations": 1}, "dispatch.writeStatus": {"duration_secs": 0.024, "invocations": 7}, "command.search.filter": {"duration_secs": 0.128, "invocations": 45}, "command.search.lookups": {"input_count": 10161, "duration_secs": 0.038, "output_count": 10161, "invocations": 44}, "command.search.index.usec_8_64": {"invocations": 160}, "dispatch.stream.remote": {"input_count": 0, "duration_secs": 3.287, "output_count": 280852, "invocations": 52}, "command.search.index.usec_64_512": {"invocations": 16}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "duration_secs": 0.001, "output_count": 4436, "invocations": 1}, "dispatch.evaluate.eval": {"duration_secs": 0.001, "invocations": 1}, "command.search.summary": {"duration_secs": 0.027, "invocations": 53}, "command.search.fieldalias": {"input_count": 10161, "duration_secs": 0.258, 
"output_count": 10161, "invocations": 44}, "dispatch.stream.remote.XXXXXips5.XXXXX": {"input_count": 0, "duration_secs": 0.417, "output_count": 38722, "invocations": 7}, "command.eval": {"input_count": 1377, "duration_secs": 0.054, "output_count": 1377, "invocations": 53}, "command.prestats": {"input_count": 1377, "duration_secs": 0.061, "output_count": 81, "invocations": 53}, "startup.handoff": {"duration_secs": 10.881, "invocations": 9}, "command.addinfo": {"input_count": 1377, "duration_secs": 0.053, "output_count": 1377, "invocations": 53}, "dispatch.check_disk_usage": {"duration_secs": 0.001, "invocations": 1}, "startup.configuration": {"duration_secs": 0.363, "invocations": 9}, "command.search.kv": {"duration_secs": 1.615, "invocations": 44}, "command.fields": {"input_count": 1377, "duration_secs": 0.029, "output_count": 1377, "invocations": 53}, "dispatch.parserThread": {"duration_secs": 0.052, "invocations": 52}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "duration_secs": 0.001, "output_count": 4431, "invocations": 1}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"input_count": 0, "duration_secs": 1.042, "output_count": 59422, "invocations": 11}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "duration_secs": 0.418, "output_count": 64553, "invocations": 12}, "dispatch.evaluate.search": {"duration_secs": 0.26, "invocations": 2}, "command.search.index.usec_1_8": {"invocations": 51939}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"input_count": 0, "duration_secs": 0.981, "output_count": 61376, "invocations": 11}}, "eventIsTruncated": true, "fieldMetadataStatic": {"Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "unknown"}, "host": {"groupby_rank": "0", "type": "unknown"}}, "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 
eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "isTimeCursored": true, "eventAvailableCount": 0, "fieldMetadataResults": {"Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "str"}, "host": {"groupby_rank": "0", "type": "unknown"}}, "pid": "1536", "defaultTTL": "600", "isBatchModeSearch": true, "isFinalized": false, "isGoodSummarizationCandidate": true, "eventFieldCount": 0, "dispatchState": "DONE", "resultCount": 9, "eventIsStreaming": true, "fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "isSavedSearch": true, "latestTime": "2015-04-21T11:46:00.000-07:00", "searchCanBeEventType": false, "doneProgress": 1}, "links": {"alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/results_preview", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/search.log", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/results", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/summary", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/control", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/events", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641960_77/timeline"}, "acl": {"ttl": "120", "perms": {"write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"], "read": ["*", "XXmeXX"]}, "modifiable": true, "can_write": true, "owner": "XXmeXX", "app": "search", 
"sharing": "global"}, "updated": "2015-04-21T11:46:05.000-07:00", "published": "2015-04-21T11:46:01.000-07:00"}], "paging": {"offset": 0, "perPage": 0, "total": 1}, "incident_id": "535268ac-affc-42a3-81c6-6683ea7fee6b", "urgency": "low", "origin": "https://127.0.0.1:8089/services/search/jobs", "generator": {"version": "6.2.1", "build": "245427"}, "updated": "2015-04-21T11:46:05-07:00"}
incident_id was not extracted by the datamodel
{"ttl": 86400, "links": {}, "updated": "2015-04-21T11:45:10-07:00", "entry": [{"links": {"alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/results", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/events", "control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/control", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/summary", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/search.log", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/timeline", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67/results_preview"}, "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67", "content": {"searchEarliestTime": 1429641300, "isBatchModeSearch": true, "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "isFailed": false, "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67", "isGoodSummarizationCandidate": true, "eventSorting": "none", "bundleVersion": "6189686548645837279", "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by 
Account_Name Logon_Type Source_Network_Address host", "isPreviewEnabled": false, "defaultTTL": "600", "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "eventIsStreaming": true, "resultPreviewCount": 10, "defaultSaveTTL": "604800", "label": "Test Alert", "performance": {"command.fields": {"input_count": 1374, "output_count": 1374, "invocations": 51, "duration_secs": 0.039}, "command.stats.execute_output": {"invocations": 1, "duration_secs": 0.001}, "command.search.summary": {"invocations": 51, "duration_secs": 0.028}, "command.search.fieldalias": {"input_count": 9324, "output_count": 9324, "invocations": 42, "duration_secs": 0.3}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "output_count": 4429, "invocations": 1, "duration_secs": 0.001}, "dispatch.evaluate": {"invocations": 1, "duration_secs": 0.831}, "dispatch.localSearch": {"invocations": 1, "duration_secs": 0.023}, "command.search.index.usec_1_8": {"invocations": 50492}, "command.search.index.usec_512_4096": {"invocations": 1}, "dispatch.check_disk_usage": {"invocations": 1, "duration_secs": 0.001}, "startup.handoff": {"invocations": 9, "duration_secs": 33.387}, "command.search.rawdata": {"invocations": 42, "duration_secs": 1.64}, "command.search.tags": {"input_count": 1374, "output_count": 1374, "invocations": 42, "duration_secs": 0.042}, "command.search": {"input_count": 61, "output_count": 1384, "invocations": 52, "duration_secs": 4.46}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "output_count": 43402, "invocations": 8, "duration_secs": 1.163}, "command.search.typer": {"input_count": 1374, "output_count": 1374, "invocations": 42, "duration_secs": 0.038}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"input_count": 0, "output_count": 56109, "invocations": 10, "duration_secs": 1.255}, "dispatch.stream.remote.XXXXXips5.XXXXX": 
{"input_count": 0, "output_count": 32493, "invocations": 6, "duration_secs": 0.37}, "dispatch.stream.local": {"invocations": 1, "duration_secs": 0.023}, "dispatch.parserThread": {"invocations": 50, "duration_secs": 0.073}, "command.search.index.usec_8_64": {"invocations": 153}, "command.search.lookups": {"input_count": 9324, "output_count": 9324, "invocations": 42, "duration_secs": 0.037}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "output_count": 64790, "invocations": 12, "duration_secs": 0.685}, "command.search.index.usec_4096_32768": {"invocations": 1}, "command.stats.execute_input": {"invocations": 52, "duration_secs": 0.032}, "command.search.filter": {"invocations": 43, "duration_secs": 0.149}, "command.prestats": {"input_count": 1374, "output_count": 76, "invocations": 51, "duration_secs": 0.089}, "dispatch.evaluate.eval": {"invocations": 1, "duration_secs": 0.002}, "command.eval": {"input_count": 1374, "output_count": 1374, "invocations": 51, "duration_secs": 0.053}, "dispatch.evaluate.stats": {"invocations": 1, "duration_secs": 0.002}, "command.addinfo": {"input_count": 1374, "output_count": 1374, "invocations": 51, "duration_secs": 0.051}, "dispatch.fetch": {"invocations": 52, "duration_secs": 2.216}, "dispatch.createdSearchResultInfrastructure": {"invocations": 1, "duration_secs": 0.538}, "dispatch.evaluate.search": {"invocations": 2, "duration_secs": 0.821}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "output_count": 4431, "invocations": 1, "duration_secs": 0.001}, "dispatch.writeStatus": {"invocations": 8, "duration_secs": 0.105}, "startup.configuration": {"invocations": 9, "duration_secs": 0.468}, "command.search.kv": {"invocations": 42, "duration_secs": 2.259}, "command.search.calcfields": {"input_count": 9324, "output_count": 9324, "invocations": 42, "duration_secs": 0.036}, "dispatch.stream.remote": {"input_count": 0, "output_count": 269430, "invocations": 50, "duration_secs": 4.484}, 
"command.search.index.usec_64_512": {"invocations": 20}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"input_count": 0, "output_count": 59340, "invocations": 11, "duration_secs": 1.008}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"input_count": 0, "output_count": 4436, "invocations": 1, "duration_secs": 0.001}}, "numPreviews": 0, "canSummarize": true, "isFinalized": false, "messages": [], "isRemoteTimeline": false, "eventIsTruncated": true, "fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "dropCount": 0, "priority": 5, "resultCount": 10, "eventFieldCount": 0, "cursorTime": "1969-12-31T16:00:00.000-08:00", "diskUsage": 167936, "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "isZombie": false, "isSaved": false, "earliestTime": "2015-04-21T11:35:00.000-07:00", "eventAvailableCount": 0, "isDone": true, "delegate": "scheduler", "pid": "651", "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "ttl": 120, "eventCount": 1374, "runDuration": 5.893, "fieldMetadataStatic": {"Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "host": {"groupby_rank": "0", "type": "unknown"}, "Account_Name": 
{"groupby_rank": "1", "type": "unknown"}}, "latestTime": "2015-04-21T11:45:00.000-07:00", "searchCanBeEventType": false, "isPaused": false, "isTimeCursored": true, "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "searchLatestTime": 1429641900, "fieldMetadataResults": {"Source_Network_Address": {"groupby_rank": "2", "type": "unknown"}, "Logon_Type": {"groupby_rank": "3", "type": "unknown"}, "host": {"groupby_rank": "0", "type": "unknown"}, "Account_Name": {"groupby_rank": "1", "type": "str"}}, "statusBuckets": 0, "isSavedSearch": true, "doneProgress": 1, "scanCount": 9324, "request": {"index_latest": "", "auto_cancel": "0", "reduce_freq": "10", "lookups": "1", "earliest_time": "-10m", "spawn_process": "1", "latest_time": "now", "max_count": "500000", "max_time": "0", "time_format": "%FT%T.%Q%:z", "indexedRealtime": "", "index_earliest": "", "ui_dispatch_view": "search", "rt_backfill": "0", "ui_dispatch_app": "search", "buckets": "0", "auto_pause": "0"}, "isRealTimeSearch": false, "resultIsStreaming": false, "dispatchState": "DONE"}, "published": "2015-04-21T11:45:02.000-07:00", "updated": "2015-04-21T11:45:10.000-07:00", "author": "XXmeXX", "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "acl": {"can_write": true, "ttl": "120", "app": "search", "perms": {"write": ["admin", "alert_manager", "power", 
"splunk-system-role", "XXmeXX", "to-inf"], "read": ["*", "XXmeXX"]}, "modifiable": true, "sharing": "global", "owner": "XXmeXX"}}], "job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641900_67", "impact": "medium", "origin": "https://127.0.0.1:8089/services/search/jobs", "urgency": "low", "incident_id": "91281e25-4b15-4ab9-ba56-fddb9f30840a", "generator": {"version": "6.2.1", "build": "245427"}, "severity": 4, "result_id": 0, "paging": {"offset": 0, "perPage": 0, "total": 1}, "priority": "low"}
incident_id was not extracted by the datamodel
{"impact": "medium", "severity": 4, "priority": "low", "entry": [{"updated": "2015-04-21T11:44:05.000-07:00", "id": "https://127.0.0.1:8089/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58", "name": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") | stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "links": {"control": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/control", "timeline": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/timeline", "search.log": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/search.log", "summary": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/summary", "results_preview": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/results_preview", "alternate": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58", "events": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/events", "results": "/services/search/jobs/scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58/results"}, "author": "XXmeXX", "content": {"isGoodSummarizationCandidate": true, "reduceSearch": "sistats count by host Account_Name Source_Network_Address Logon_Type", "label": "Test Alert", "priority": 5, "messages": [], "eventFieldCount": 0, "eventSearch": "search index=*to* (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR 
EventCode=4625) AND Message=*Fail* NOT (Message=*XXXXX*) NOT (host=XXXXX OR host=XXXXX) | eval Account_Name=mvfilter(Account_Name!=\"-\") ", "bundleVersion": "3753771103027785362", "defaultSaveTTL": "604800", "fieldMetadataEvents": {"Account_Name": {"type": "str"}}, "resultIsStreaming": false, "dropCount": 0, "diskUsage": 163840, "defaultTTL": "600", "numPreviews": 0, "keywords": "eventcode::4625 eventcode::529 eventcode::530 eventcode::531 eventcode::532 eventcode::533 eventcode::534 eventcode::535 eventcode::536 eventcode::537 eventcode::539 index::*to* message::*fail*", "resultPreviewCount": 10, "eventAvailableCount": 0, "eventIsTruncated": true, "eventSorting": "none", "searchEarliestTime": 1429641240, "performance": {"dispatch.writeStatus": {"duration_secs": 0.025, "invocations": 7}, "command.stats.execute_output": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.local": {"duration_secs": 0.001, "invocations": 1}, "command.search.index.usec_8_64": {"invocations": 133}, "dispatch.evaluate.search": {"duration_secs": 0.217, "invocations": 2}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"input_count": 0, "duration_secs": 0.624, "invocations": 8, "output_count": 43295}, "command.prestats": {"input_count": 1444, "duration_secs": 0.052, "invocations": 47, "output_count": 78}, "command.search.index.usec_1_8": {"invocations": 48959}, "command.search.calcfields": {"input_count": 9030, "duration_secs": 0.03, "invocations": 38, "output_count": 9030}, "command.search.typer": {"input_count": 1444, "duration_secs": 0.023, "invocations": 38, "output_count": 1444}, "dispatch.createdSearchResultInfrastructure": {"duration_secs": 0.306, "invocations": 1}, "startup.handoff": {"duration_secs": 11.959, "invocations": 9}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "duration_secs": 0.001, "invocations": 1, "output_count": 4436}, "command.fields": {"input_count": 1444, "duration_secs": 0.025, "invocations": 47, "output_count": 1444}, 
"command.search.summary": {"duration_secs": 0.022, "invocations": 47}, "dispatch.parserThread": {"duration_secs": 0.046, "invocations": 46}, "dispatch.stream.remote": {"input_count": 0, "duration_secs": 2.331, "invocations": 46, "output_count": 247960}, "dispatch.evaluate.stats": {"duration_secs": 0.001, "invocations": 1}, "command.search": {"input_count": 62, "duration_secs": 2.319, "invocations": 48, "output_count": 1454}, "command.addinfo": {"input_count": 1444, "duration_secs": 0.047, "invocations": 47, "output_count": 1444}, "dispatch.stream.remote.XXXXXips4.XXXXX": {"input_count": 0, "duration_secs": 0.695, "invocations": 9, "output_count": 50830}, "command.eval": {"input_count": 1444, "duration_secs": 0.047, "invocations": 47, "output_count": 1444}, "command.stats.execute_input": {"duration_secs": 0.026, "invocations": 48}, "command.search.lookups": {"input_count": 9030, "duration_secs": 0.028, "invocations": 38, "output_count": 9030}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "duration_secs": 0.001, "invocations": 1, "output_count": 4436}, "dispatch.stream.remote.XXXXXips1.XXXXX": {"input_count": 0, "duration_secs": 0.454, "invocations": 9, "output_count": 48772}, "dispatch.evaluate": {"duration_secs": 0.217, "invocations": 1}, "command.search.rawdata": {"duration_secs": 0.735, "invocations": 38}, "startup.configuration": {"duration_secs": 0.327, "invocations": 9}, "command.search.index.usec_64_512": {"invocations": 13}, "command.search.filter": {"duration_secs": 0.108, "invocations": 39}, "dispatch.stream.remote.XXXXXips3.XXXXX": {"input_count": 0, "duration_secs": 0.001, "invocations": 1, "output_count": 4429}, "command.search.tags": {"input_count": 1444, "duration_secs": 0.038, "invocations": 38, "output_count": 1444}, "dispatch.fetch": {"duration_secs": 1.413, "invocations": 48}, "dispatch.evaluate.eval": {"duration_secs": 0.001, "invocations": 1}, "dispatch.stream.remote.XXXXXips2.XXXXX": {"input_count": 0, "duration_secs": 0.249, 
"invocations": 11, "output_count": 59319}, "dispatch.localSearch": {"duration_secs": 0.001, "invocations": 1}, "dispatch.check_disk_usage": {"duration_secs": 0.001, "invocations": 1}, "command.search.fieldalias": {"input_count": 9030, "duration_secs": 0.171, "invocations": 38, "output_count": 9030}, "dispatch.stream.remote.XXXXXips5.XXXXX": {"input_count": 0, "duration_secs": 0.306, "invocations": 6, "output_count": 32443}, "command.search.kv": {"duration_secs": 1.23, "invocations": 38}}, "normalizedSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "isFinalized": false, "eventCount": 1444, "runDuration": 2.625, "isDone": true, "cursorTime": "1969-12-31T16:00:00.000-08:00", "earliestTime": "2015-04-21T11:34:00.000-07:00", "searchProviders": ["XXXXXesps1.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX", "XXXXXips4.XXXXX", "XXXXXips5.XXXXX", "XXXXXips1.XXXXX", "XXXXXips2.XXXXX", "XXXXXips3.XXXXX"], "sid": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58", "pid": "352", "doneProgress": 1, "isPaused": false, "searchCanBeEventType": false, "eventIsStreaming": true, "scanCount": 9030, "ttl": 120, "latestTime": "2015-04-21T11:44:00.000-07:00", "canSummarize": true, "remoteSearch": "litsearch index=*to* ( EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539 OR EventCode=4625 ) AND Message=*Fail* 
NOT ( Message=*XXXXX* ) NOT ( host=XXXXX OR host=XXXXX ) | eval Account_Name=mvfilter(Account_Name!=\"-\") | addinfo type=count label=prereport_events | fields keepcolorder=t \"Account_Name\" \"Logon_Type\" \"Source_Network_Address\" \"host\" \"prestats_reserved_*\" \"psrsvd_*\" | prestats count by Account_Name Logon_Type Source_Network_Address host", "isPreviewEnabled": false, "searchLatestTime": 1429641840, "isZombie": false, "statusBuckets": 0, "resultCount": 10, "reportSearch": "stats count by host, Account_Name, Source_Network_Address, Logon_Type | search count>3", "request": {"time_format": "%FT%T.%Q%:z", "spawn_process": "1", "rt_backfill": "0", "reduce_freq": "10", "lookups": "1", "earliest_time": "-10m", "auto_cancel": "0", "index_earliest": "", "ui_dispatch_view": "search", "ui_dispatch_app": "search", "index_latest": "", "auto_pause": "0", "max_count": "500000", "indexedRealtime": "", "latest_time": "now", "buckets": "0", "max_time": "0"}, "isSaved": false, "isRemoteTimeline": false, "dispatchState": "DONE", "isTimeCursored": true, "fieldMetadataStatic": {"host": {"type": "unknown", "groupby_rank": "0"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}, "Account_Name": {"type": "unknown", "groupby_rank": "1"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}}, "isFailed": false, "isBatchModeSearch": true, "isSavedSearch": true, "isRealTimeSearch": false, "delegate": "scheduler", "fieldMetadataResults": {"host": {"type": "unknown", "groupby_rank": "0"}, "Source_Network_Address": {"type": "unknown", "groupby_rank": "2"}, "Account_Name": {"type": "str", "groupby_rank": "1"}, "Logon_Type": {"type": "unknown", "groupby_rank": "3"}}}, "acl": {"perms": {"read": ["*", "XXmeXX"], "write": ["admin", "alert_manager", "power", "splunk-system-role", "XXmeXX", "to-inf"]}, "owner": "XXmeXX", "ttl": "120", "can_write": true, "app": "search", "sharing": "global", "modifiable": true}, "published": "2015-04-21T11:44:01.000-07:00"}], "generator": 
{"version": "6.2.1", "build": "245427"}, "updated": "2015-04-21T11:44:05-07:00", "result_id": 0, "job_id": "scheduler__XXmeXX__search__RMD5ada861e3c4e7d72f_at_1429641840_58", "links": {}, "ttl": 86400, "origin": "https://127.0.0.1:8089/services/search/jobs", "incident_id": "4d7f1775-e231-44b2-a299-1bfc76f5a9b8", "paging": {"perPage":