Broken Hosts Lookup
Using the Broken Hosts Lookup
There are seven fields in this lookup table (all fields are case insensitive):
index
- The index for the data that you would like to match. This field accepts wildcards. This field is required.
sourcetype
- The sourcetype for the data that you would like to match. This field accepts wildcards. This field is required.
host
- The host for the data that you would like to match. This field accepts wildcards. This field is required.
lateSecs
- The amount of time (in seconds) that the index/sourcetype/host combination is allowed to be late before it alerts. This field is required.
suppressUntil
- Alerts for the index/sourcetype/host combination will be suppressed until this date. Since we use the “convert auto()” function for this field, you can use any date format that converts to a number; we recommend “MM/DD/YYYY HH:MM:SS” or epoch time. This field is optional.
contact
- The email address where you would like the alert to be sent. If this is blank, the email address from the default_contact macro will be used. This field is optional.
comments
- Any comments that you would like to add for that line of the lookup table. This information is not used in the alert. This field is typically used to record why the entry is needed, when it was added, who added it, or any other details. This field is optional.
Ordering
Ordering of entries in the Broken Hosts Lookup is important, but the Broken Hosts App ships with a saved search that re-orders the lookup table in a logical way. Based on several years of analyzing expected behavior across our customers, we have determined that entries should be ordered as follows:
- Entries where index=* AND sourcetype=* AND alerting is temporarily suppressed
- Entries where sourcetype=* AND alerting is temporarily suppressed
- Entries where index=* AND alerting is temporarily suppressed
- Entries where host=* AND alerting is temporarily suppressed
- Entries where index=* AND host=* AND alerting is temporarily suppressed
- Entries where sourcetype=* AND host=* AND alerting is temporarily suppressed
- Entries where alerting is temporarily suppressed
- Entries where index=* AND sourcetype=* AND alerting is permanently suppressed
- Entries where lateSecs is temporarily modified
- Entries where sourcetype=* AND lateSecs is temporarily modified
- Entries where index=* AND lateSecs is temporarily modified
- Entries where host=* AND lateSecs is temporarily modified
- Entries where index=* AND sourcetype=* AND lateSecs is temporarily modified
- Entries where index=* AND host=* AND lateSecs is temporarily modified
- Entries where sourcetype=* AND host=* AND lateSecs is temporarily modified
- Entries where alerting is permanently suppressed
- Entries where lateSecs is permanently modified, or host=* AND alerting is permanently suppressed, or host=* AND lateSecs is permanently modified, or sourcetype=* AND host=* AND alerting is permanently suppressed
- Entries where index=* AND host=* AND alerting is permanently suppressed
- Entries where sourcetype=* AND alerting is permanently suppressed
- Entries where index=* AND alerting is permanently suppressed
- Entries where sourcetype=* AND lateSecs is permanently modified
- Entries where index=* AND lateSecs is permanently modified
- Entries where index=* AND sourcetype=* AND lateSecs is permanently modified
- Entries where index=* AND host=* AND lateSecs is permanently modified
- Entries where sourcetype=* AND host=* AND lateSecs is permanently modified
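To show how the seven fields above are matched and why the ordering matters, here is an added example (not code from the Broken Hosts App itself) that resolves which lookup row governs a given index/sourcetype/host. It assumes first-match-wins semantics, a hypothetical `default_contact` value standing in for the macro, and constructed sample rows and addresses.

```python
"""Added example: resolve the governing Broken Hosts Lookup row for an event.
Assumes the first matching row wins (hypothetical, but it is why order matters)."""
import fnmatch
import time
from datetime import datetime

# Constructed sample rows, already in the documented order: temporary
# suppression of a specific host first, the catch-all lateSecs default last.
LOOKUP_ROWS = [
    {"index": "*", "sourcetype": "*", "host": "web-01", "lateSecs": "3600",
     "suppressUntil": "12/31/2099 00:00:00", "contact": "", "comments": "decommissioning"},
    {"index": "main", "sourcetype": "syslog", "host": "*", "lateSecs": "900",
     "suppressUntil": "", "contact": "soc@example.com", "comments": "syslog is near real time"},
    {"index": "*", "sourcetype": "*", "host": "*", "lateSecs": "86400",
     "suppressUntil": "", "contact": "", "comments": "default: one day"},
]

def _wild_eq(pattern, value):
    # All fields are case insensitive and accept * wildcards. fnmatch also
    # honours ? and [...], which the page does not mention (assumption).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def parse_suppress_until(text):
    """Mimic 'convert auto()': accept epoch seconds or MM/DD/YYYY HH:MM:SS.
    An empty field means no suppression and returns None."""
    text = text.strip()
    if not text:
        return None
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").timestamp()

def resolve(index, sourcetype, host, rows=LOOKUP_ROWS, now=None,
            default_contact="ops@example.com"):
    """Return the effective settings from the first matching row, else None."""
    now = time.time() if now is None else now
    for row in rows:
        if (_wild_eq(row["index"], index) and _wild_eq(row["sourcetype"], sourcetype)
                and _wild_eq(row["host"], host)):
            until = parse_suppress_until(row["suppressUntil"])
            return {
                "lateSecs": int(row["lateSecs"]),
                "suppressed": until is not None and now < until,
                # Blank contact falls back to the default_contact macro value.
                "contact": row["contact"] or default_contact,
            }
    return None
```

Reversing the row order makes the catch-all default win for web-01, which is exactly the mistake the shipped re-ordering saved search prevents.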