TrackMe - An application for Splunk administrators to monitor and track data sources and hosts availability the easy way.
\nSee: https://trackme.readthedocs.io
\nTrackMe provides a builtin Python based API, serviced by the Splunk API, and categorized by resource groups.
\nThese endpoints can be used to interract with TrackMe in a programmatic fashion, for instance to perform integration tasks with automation systems.
\nYou can use any combination of user and roles depending on your preferences, technically, using the TrackMe API endpoint requires read and write permissions to various objects hosted in the TrackMe namespace.
\nTrackMe contains a builtin role trackme_admin which defines required accesses to these objects, you can use this role and make sure the user that will be achieving the rest calls is member of this role, or inherits from it.
\nPrior to Splunk Splunk 7.3.0, the easiest is to used a standard login / password approach to authenticate against Splunk API, similary to:
\ncurl -k -u admin:'ch@ngeM3'\nAlternatively, it is possible to perform first the authentication and retrieve a temporary token to be used for the REST calls:
\n\nExample:
\ncurl -k https://localhost:8089/services/auth/login --data-urlencode username=svc_splunk --data-urlencode password=pass\n\n<response>\n <sessionKey>DWGNbGpJgSj30w0GxTAxMj8t0dZKjvjxLYaP^yphdluFN_FGz4gz^NhcgPCLDkjWH3BUQa1Vewt8FTF8KXyyfI09HqjOicIthMuBIB70dVJA8Jg</sessionKey>\n <messages>\n <msg code=\"\"></msg>\n </messages>\n</response>\n\nexport token=\"DWGNbGpJgSj30w0GxTAxMj8t0dZKjvjxLYaP^yphdluFN_FGz4gz^NhcgPCLDkjWH3BUQa1Vewt8FTF8KXyyfI09HqjOicIthMuBIB70dVJA8Jg\"\nA token remains valid for the time of a session. (1 hour by default)
\nThe token would be used as following:
\ncurl -k -H \"Authorization: Splunk $token\"\nSplunk 7.3.0 introduced the usage of proper authentication tokens, which is the recommended way to authenticate against splunkd API:
\nSee: Splunk docs JSON authentication token
\nOnce you have created an authentication token for the user to be used as the service account, using curl specify the bearer token:
\ncurl -k –H \"Authorization: Bearer <token>\"\nThis API collection relies on collection level variables, which you would override with environment level variables to define the Splunk target and credentials. (the collection uses basic auth for ease of development and demo)
\nBy default, the collection targets an environment running locally (localhost:8089) with a default common practice credentials for development and demos, create your own environment in Postman and assign your own values to target a real Splunk environment.
\nEach query targets an endpoint path using these variables, similary to:
\nhttps://<url_var>:<port_var>/services/trackme/v1/<endpoint_resource_group>/<endpoint>\nThis endpoint retrieves the entire acknowledgment collection returned as a JSON array, it requires a GET call with no data required.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves an existing acknowledgment record by the Kvstore key, it requires a GET call with the following information:
\nThis endpoint retrieves an existing acknowledgment record by the object name, it requires a GET call with the following information:
\n\"object_category\": type of object (data_source / data_host / metric_host)
\n\"object\": name of the entity
\nThis endpoint will enable an acknowledgment by the object name, it requires a POST call with the following information:
\n\"object_category\": type of object (data_source / data_host / metric_host)
\n\"object\": name of the entity
\n\"ack_period\": period for the acknowledgment in seconds
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint will disable an acknowledgment by the object name, it requires a POST call with the following information:
\n\"object_category\": type of object (data_source / data_host / metric_host)
\n\"object\": name of the entity
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nAcknowledgments allow silencing an entity alert for a given period of time automatically.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#alerts-acknowledgment
\n","event":[{"listen":"prerequest","script":{"id":"88fdd325-6b28-4b87-b601-fa02a41da3b9","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"36331df1-6679-46fa-83a9-fdfc21260f0f","type":"text/javascript","exec":[""]}}],"_postman_id":"89e07975-4d1a-42c3-ba12-d9391f65d8db","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entire data sources collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves an existing data source record by the Kvstore key, it requires a GET call with the following information:
\nThis endpoint retrieves an existing data source record by the data source name (data_name), it requires a GET call with the following information:
\nThis endpoint enables data monitoring for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint disables data monitoring for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint updates the priority definition for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"priority\": priority value, valid options are low / medium / high
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the lagging policy for an existing data source, it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"data_lag_alert_kpis\": KPIs policy to be applied, valid options are all_kpis / lag_ingestion_kpi / lag_event_kpi
\n\"data_max_lag_allowed\": maximal accepted lagging value in seconds, must be an integer
\n\"data_override_lagging_class\": overrides lagging classes, valid options are true / false
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the minimal number of distinct hosts count for an existing data source, it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"data_max_lag_allowed\": minimal accepted number of distinct count hosts, must be an integer
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the week days monitoring rule for an existing data source, it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"data_monitoring_wdays\": the week days rule, valid options are manual:all_days / manual:monday-to-friday / manual:monday-to-saturday / [ 0, 1, 2, 3, 4, 5, 6 ] where Sunday is 0
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the week days monitoring rule for an existing data source, it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"OutlierMinEventCount\": the minimal number of events, if set to anything bigger than 0, the lower bound becomes a static value, needs to be an integer, default to 0 (disabled)
\n\"OutlierLowerThresholdMultiplier\": The lower bound threshold multiplier, must be an integer, defaults to 4
\n\"OutlierUpperThresholdMultiplier\": The upper bound threshold multiplier, must be integer, defaults to 4
\n\"OutlierAlertOnUpper\": Enables / Disables alerting on upper outliers detection, valid options are true / false, defaults to false
\n\"OutlierTimePeriod\": relative time period for outliers calculation, default to -7d
\n\"OutlierSpan\": span period Splunk notation for outliers UI rendering, defaults to 5m>\"\n\"enable_behaviour_analytic\": \"Enables / Disables outliers detection for that object, valid options are true / false, defaults to true
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint performs a temporary deletion of an existing data source, it requires a DELETE call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A temporary deletion removes the entity and its configuration, if search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint performs a permanent deletion of an existing data source, it requires a DELETE call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A permanent deletion removes the entity and its configuration, in addition its a specific audit record to prevent the entity from being created as long as the audit record is not purged. if the audit record is purged and the search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint enables the data sampling feature for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint disables the data sampling feature for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint enables the data sampling feature for an existing data source by the data source name (data_name), it requires a POST call with the following information:
\n\"data_name\": name of the data source
\n\"data_sampling_nr\": number of records to be sampled per data source and data sampling execution (defaults to 100 at first sampling, then 50)
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nData sources are the main entities in TrackMe, representing a Splunk data flow broken by indexes and sourcetypes. (or extended with virtual Elastic Sources)
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#data-sources-tracking-and-features
\n","event":[{"listen":"prerequest","script":{"id":"88f6d44b-e603-4290-ac1d-54c4a7ee219d","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"762f7f4b-c102-4820-b1b9-ba0e52bcd473","type":"text/javascript","exec":[""]}}],"_postman_id":"12d46e00-11f9-468c-af9e-411679ade45d","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entire data hosts collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves an existing data host record by the Kvstore key, it requires a GET call with the following information:
\nThis endpoint retrieves an existing data host record by the data host name (data_host), it requires a GET call with the following information:
\nThis endpoint enables data monitoring for an existing data host by the data host name (data_host), it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint disables data monitoring for an existing data host by the data host name (data_host), it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint retrieves an existing data source record by the Kvstore key, it requires a GET call with the following information::
\n\"data_host\": name of the data host
\n\"priority\": priority value, valid options are low / medium / high
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint resets (removal of index and sourcetype knowledge) an existing data host by the data host name (data_host), it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the lagging policy for an existing data host, it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"data_lag_alert_kpis\": KPIs policy to be applied, valid options are all_kpis / lag_ingestion_kpi / lag_event_kpi
\n\"data_max_lag_allowed\": maximal accepted lagging value in seconds, must be an integer
\n\"data_override_lagging_class\": overrides lagging classes, valid options are true / false
\n\"data_host_alerting_policy\": policy alerting, valid options are global_policy / track_per_sourcetype / track_per_host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the week days monitoring rule for an existing data host, it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"data_monitoring_wdays\": the week days rule, valid options are manual:all_days / manual:monday-to-friday / manual:monday-to-saturday / [ 0, 1, 2, 3, 4, 5, 6 ] where Sunday is 0
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint configures the week days monitoring rule for an existing data host, it requires a POST call with the following information:
\n\"data_host\": name of the data host
\n\"OutlierMinEventCount\": the minimal number of events, if set to anything bigger than 0, the lower bound becomes a static value, needs to be an integer, default to 0 (disabled)
\n\"OutlierLowerThresholdMultiplier\": The lower bound threshold multiplier, must be an integer, defaults to 4
\n\"OutlierUpperThresholdMultiplier\": The upper bound threshold multiplier, must be integer, defaults to 4
\n\"OutlierAlertOnUpper\": \"Enables / Disables alerting on upper outliers detection, valid options are true / false, defaults to false
\n\"OutlierTimePeriod\": relative time period for outliers calculation, default to -7d
\n\"OutlierSpan\": span period Splunk notation for outliers UI rendering, defaults to 5m
\n\"enable_behaviour_analytic\": \"Enables / Disables outliers detection for that object, valid options are true / false, defaults to true
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint performs a temporary deletion of an existing data host, it requires a DELETE call with the following information:
\n\"data_host\": name of the data host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A temporary deletion removes the entity and its configuration, if search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint performs a permanent deletion of an existing data host, it requires a DELETE call with the following information:
\n\"data_host\": name of the data host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A permanent deletion removes the entity and its configuration, in addition its a specific audit record to prevent the entity from being created as long as the audit record is not purged. if the audit record is purged and the search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"Data hosts shows data discovered for each host sending events to Splunk.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#data-hosts-tracking-and-features
\n","event":[{"listen":"prerequest","script":{"id":"40e63eb5-0ee6-486e-8c40-51f205bfc97e","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"5b6cba06-b702-45dc-8ce2-a80ace3a1efc","type":"text/javascript","exec":[""]}}],"_postman_id":"3d4892e9-131b-444a-b35b-208f8e346e19","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entire metric hosts collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves an existing metric host record by the Kvstore key, it requires a GET call with the following information:
\nThis endpoint retrieves an existing metric host record by the metric host name (metric_host), it requires a GET call with the following information:
\nThis endpoint enables data monitoring for an existing metric host by the metric host name (metric_host), it requires a POST call with the following information:
\n\"metric_host\": name of the metric host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint disables data monitoring for an existing metric host by the metric host name (metric_host), it requires a POST call with the following information:
\n\"metric_host\": name of the metric host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint updates the priority definition for an existing metric host, it requires a POST call with the following information:
\n\"metric_host\": name of the metric host
\n\"priority\": priority value, valid options are low / medium / high
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint resets (removal of indexes and metrics knowledge) an existing metric host by the metric host name (metric_host), it requires a POST call with the following information:
\n\"metric_host\": name of the metric host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint performs a temporary deletion of an existing metric host, it requires a DELETE call with the following information:
\n\"metric_host\": name of the metric host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A temporary deletion removes the entity and its configuration, if search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint performs a permanent deletion of an existing metric host, it requires a DELETE call with the following information:
\n\"metric_host\": name of the metric host
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNote: A permanent deletion removes the entity and its configuration, in addition its a specific audit record to prevent the entity from being created as long as the audit record is not purged. if the audit record is purged and the search conditions such as data avaibility allow it, the same entitiy will be re-created automatically by the Trackers.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"Metric hosts shows metrics discovered for each host sending metrics to Splunk.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#metric-hosts-tracking-and-features
\n","event":[{"listen":"prerequest","script":{"id":"51a966b4-18c7-4b52-acc8-8ec67cb008ec","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"faf6c147-9d50-42ec-9b54-d7f66191432a","type":"text/javascript","exec":[""]}}],"_postman_id":"385e42eb-ecbb-45cf-adfd-99dc1ad585d1","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entired shared Elastic Sources collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entired dedicated Elastic Sources collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves a shared Elastic Source configuration stored in the collection returned as a JSON array, it requires a GET call with the following information:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves a dedicated Elastic Source configuration stored in the collection returned as a JSON array, it requires a GET call with the following information:
\nThis endpoint create a new shared Elastic Source, if the entity already exists it will be updated using the data provided, it requires a POST call with the following information:
\n\"data_name\": name of the Elastic Source
\n\"search_constraint\": the SPL code for this entity, double quotes need to be escaped
\n\"search_mode\": the search mode, valid options are tstats / raw / from / mstats / rest_tstats / rest_raw / rest_from / rest_mstats
\n\"elastic_index\": pseudo index value, this value will be used in the UI but has no impacts on the search
\n\"elastic_sourcetype\": pseudo sourcetype value name, this value will be used in the UI but has no impacts on the search
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nDefining the search constraint:
\ntstats: this represents the where part of a tstats search, as: <index=my_index source=my_source>
raw: Any filter that is before stats calculation, as: <index=my_index tag=authentication app=my_application>
from (datamodel): a search using from is in 2 parts with a pipe separation, where the 1st segment is the object and the 2nd a search constraint, as: <datamodel:\"Authentication\" | search user=\"*\" action=\"success\" app=\"my_application\">
from (lookup): A lookup can be monitored with the from command, it requires the lookup to have a time field concept, and a field _time in epoch time format needs to be created using an eval function with strftime/strptime, such as: <lookup:\"my_lookup\" | eval _time=strptime(lastUpdated, \"%d/%m/%Y %H:%M:%S\")>
mstats: Allows monitoring metric indexes according to your constraints including dimensions, as: <index=\"k8s_metrics\" metric_name=\"k8s.*\" cluster_name=\"production\">
rest: these are special remote searches performed against the Splunk API using the SPL rest command. This allows tracking data that is not available to the search head(s) hosting TrackMe.
\nSyntax examples for rest searches, the first part before the pipe needs to contain the rest target:
\n<splunk_server=\"my_search_head\" | index=my_index source=my_source>
<splunk_server_group=\"dmc_searchheadclustergroup_shc1\" | lookup:asset_cmdb_lookup | eval _time=strptime(lastUpdated, \"%d/%m/%Y %H:%M:%S\")>
Filters can include a time range which will override the default 4 hours time range of the wrapper tracker, as: <earliest=”-15m” latest=”+15m”>
This endpoint create a new shared Elastic Source, if the entity already exists it will be updated using the data provided, it requires a POST call with the following information:
\nNote: if the entity exists already, both the collection and the scheduled report (including the search constraint) will be updated
\n\"data_name\": name of the Elastic Source
\n\"search_constraint\": the SPL code for this entity, double quotes need to be escaped
\n\"search_mode\": the search mode, valid options are tstats / raw / from / mstats / rest_tstats / rest_raw / rest_from / rest_mstats
\n\"elastic_index\": pseudo index value, this value will be used in the UI but has no impacts on the search
\n\"elastic_sourcetype\": pseudo sourcetype value name, this value will be used in the UI but has no impacts on the search
\n\"earliest_time\": OPTIONAL: earliest time for the scheduled report definition, if unset will be defined to -4h
\n\"latest_time\": OPTIONAL: latest time for the scheduled report definition, if unset will be defined to -4h
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nDefining the search constraint:
\ntstats: this represents the where part of a tstats search, as: <index=my_index source=my_source>
raw: Any filter that is before stats calculation, as: <index=my_index tag=authentication app=my_application>
from (datamodel): a search using from is in 2 parts with a pipe separation, where the 1st segment is the object and the 2nd a search constraint, as: <datamodel:\"Authentication\" | search user=\"*\" action=\"success\" app=\"my_application\">
from (lookup): A lookup can be monitored with the from command, it requires the lookup to have a time field concept, and a field _time in epoch time format needs to be created using an eval function with strftime/strptime, such as: <lookup:\"my_lookup\" | eval _time=strptime(lastUpdated, \"%d/%m/%Y %H:%M:%S\")>
mstats: Allows monitoring metric indexes according to your constraints including dimensions, as: <index=\"k8s_metrics\" metric_name=\"k8s.*\" cluster_name=\"production\">
rest: these are special remote searches performed against the Splunk API using the SPL rest command. This allows tracking data that is not available to the search head(s) hosting TrackMe.
\nSyntax examples for rest searches, the first part before the pipe needs to contain the rest target:
\n<splunk_server=\"my_search_head\" | index=my_index source=my_source>
<splunk_server_group=\"dmc_searchheadclustergroup_shc1\" | lookup:asset_cmdb_lookup | eval _time=strptime(lastUpdated, \"%d/%m/%Y %H:%M:%S\")>
Filters can include a time range which will override the default 4 hours time range of the wrapper tracker, as: <earliest=”-15m” latest=”+15m”>
This endpoint deletes a shared Elastic Source, it requires a DELETE call with the following information:
\n\"data_name\": name of the Elastic Source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNotes:
\nThe elastic source record is deleted from the shared Elastic Sources collection
\nThe associated record in the data sources collection is deleted
\nAll settings related to these objects will be removed permanently after being audited
\nThis endpoint deletes a dedicated Elastic Source, it requires a DELETE call with the following information:
\n\"data_name\": name of the Elastic Source
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nNotes:
\nThe elastic source record is deleted from the shared Elastic Sources collection
\nThe associated scheduled report is deleted
\nThe associated record in the data sources collection is deleted
\nAll settings related to these objects will be removed permanently after being audited
\nThe Elastic sources feature provides a builtin workflow to create virtual data sources based on any constraints and any Splunk language.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#elastic-sources
\n","event":[{"listen":"prerequest","script":{"id":"8f4d81b9-1500-4f55-a558-5a2683d79c1a","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"5f377270-9453-4053-8460-1296cfd0450a","type":"text/javascript","exec":[""]}}],"_postman_id":"d1ff5cb3-0a3c-496f-a50d-9bc0e336552a","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current maintenance mode collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint enables the maintenance mode, it requires a POST call with the following information:
\nOPTIONAL: the duration of the maintenance window in seconds, if unspecified and maintenance_mode_end is not specified either, defaults to now plus 24 hours
\nOPTIONAL: the date time in epochtime format for the end of the maintenance window, it is overriden by maintenance_duration if specified, defaults to now plus 24 hours if not specified and maintenance_duration is not specified
\nOPTIONAL: the date time in epochtime format for the start of the maintennce window, defaults to now if not specified
\nOPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint disables the maintenance mode, it requires a POST call with the following information:
\nImmediately stops the maintenance window:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"The maintenance mode feature provides a builtin workflow to temporary silent all alerts from TrackMe for a given period of time, which can be scheduled in advance.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#maintenance-mode
\n","event":[{"listen":"prerequest","script":{"id":"8e7a9657-3650-4e71-bb4f-eea87e0c3580","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"ac12fdef-c89e-4ec7-83d8-fe9483552322","type":"text/javascript","exec":[""]}}],"_postman_id":"d03ca571-cfa4-44f4-8dae-7afb1d6652f4","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current allow list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current allow list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current allow list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint adds a new allow list record for data sources, it requires a POST call with the following information:
\n\"data_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an allow list record for data sources, it requires a DELETE call with the following information:
\n\"data_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new allow list record for data hosts, it requires a POST call with the following information:
\n\"data_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an allow list record for data hosts, it requires a DELETE call with the following information:
\n\"data_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new allow list record for metric hosts, it requires a POST call with the following information:
\n\"metric_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an allow list record for metric hosts, it requires a DELETE call with the following information:
\n\"metric_index\": name of the index to be allowed, wildcards are accepted
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nAllowlisting provides a framework to easily restrict the entire scope of TracKme to an explicit list of allowed indexes.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#allowlisting-blocklisting
\n","event":[{"listen":"prerequest","script":{"id":"77469d12-2426-4d46-a624-676b7777fb07","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"17d2e8cc-b7d3-4f30-a4eb-b873ea34e54c","type":"text/javascript","exec":[""]}}],"_postman_id":"2f08dc8b-5857-4eb8-b7fc-c925064d137e","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the current block list collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_host\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_index\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_sourcetype\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_name\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_host\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_index\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"data_sourcetype\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"metric_host\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"metric_index\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint adds a new record returned as a JSON array, it requires a POST call with no data required:
\n\"metric_category\": value to be added to the blocklist, accepts wildcards and regular expressions
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_host\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_index\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_sourcetype\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_name\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_host\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_index\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"data_sourcetype\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"metric_host\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"metric_index\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nThis endpoint deletes an existing record returned as a JSON array, it requires a DELETE call with the following arguments:
\n\"metric_category\": value to be removed from the collection
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nBlocklisting provides the opposite feature on a per index / sourcetype / host feature.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#allowlisting-blocklisting
\n","event":[{"listen":"prerequest","script":{"id":"364da7ab-95fc-42f4-b6c8-19478a9f2dec","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"2bca8c3a-8c2d-4e11-aec5-a3cae1fd9ef1","type":"text/javascript","exec":[""]}}],"_postman_id":"436c2497-0a53-4af4-84ff-dd76bb5c15c2","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the entire Logical Groups collection returned as a JSON array, it requires a GET call with no data required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieve a specific logical group record, it requires a GET call with the following information:
\nThis endpoint creates a new logical group, it requires a POST call with the following data required:
\n\"object_group_name\": name of the logical group to created
\n\"object_group_members\": comma separated list of the group members
\n\"object_group_min_green_percent\": OPTIONAL: minimal percentage of hosts that need to be green for the logical group to be green, if unset defaults to 50. Recommended options for this value: 12.5 / 33.33 / 50
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nIf the logical group exists already, it will be updated with the information provided.
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint associates an object (data host or metric host) with an existing logical group (existing members of the logical groups are preserved and this object membership will be removed), it requires a POST call with the following data required:
\nThis endpoint unassociates an object (data host or metric host) from a logical group it is member of (existing associations of the logical groups are preserved), it requires a POST call with the following data required:
\nThis endpoint deletes a logical group, it requires a DELETE call with the following data required:
\n\"object_group_name\": name of the logical group to be removed
\n\"update_comment\": OPTIONAL: a comment for the update, comments are added to the audit record, if unset will be defined to: API update
\nLogical groups are groups of entities that will be considered as an ensemble for monitoring purposes.
\nSee: https://trackme.readthedocs.io/en/latest/userguide.html#logical-groups-clusters
\n","event":[{"listen":"prerequest","script":{"id":"dfe3eaad-67ad-46d5-b770-124f75fe7ecd","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"7e6844b7-68ed-4539-98ce-ebc7f82dad1c","type":"text/javascript","exec":[""]}}],"_postman_id":"700d79f0-cb06-4566-9253-83e7a463013a","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"This endpoint retrieves the data sampling collection, it requires a GET call with no options required:
\n","auth":{"type":"basic","basic":{"basicConfig":[{"key":"username","value":"admin"},{"key":"password","value":"ch@ngeM3"}],"advancedConfig":[{"key":"saveHelperData","value":"