expectedTime
============

Using expectedTime
------------------

The easiest way to update expectedTime is via the ``Configure Tunings`` dashboard.

There are six fields used in this lookup table (all fields are case *insensitive*):

- ``index`` - The index for the data that you would like to match. This field accepts wildcards. This field is required.
- ``sourcetype`` - The sourcetype for the data that you would like to match. This field accepts wildcards. This field is required.
- ``host`` - The host for the data that you would like to match. This field accepts wildcards. This field is required.
- ``lateSecs`` - The amount of time (in seconds) that the index/sourcetype/host combination is allowed to be late before it alerts. This field is required.
- ``contact`` - The email address where you would like the alert to be sent. If this is blank, the email address from the ``default_contact`` macro will be used. This field is optional.
- ``comments`` - Any comments that you would like to add for that line of the lookup table. This information is not used in the alert. This field is typically used to record why the entry is needed, when it was added, who added it, or any other details. This field is optional.

Ordering
--------

Ordering of entries in the Broken Hosts Lookup is important, but the Broken Hosts App ships with a saved search that re-orders the lookup table in a logical way, based on several years of analyzing expected behavior across our customers.

``*`` means wildcard.

For Version 5 and above:

1. index!=\* AND sourcetype!=\* AND host!=\*
2. index!=\* AND sourcetype!=\* AND host==\*
3. index!=\* AND sourcetype==\* AND host!=\*
4. index==\* AND sourcetype!=\* AND host!=\*
5. index==\* AND sourcetype==\* AND host!=\*
6. index==\* AND sourcetype!=\* AND host==\*
7. index!=\* AND sourcetype==\* AND host==\*
8. Comments field starts with "default entry"
9. index==\* AND sourcetype==\* AND host==\*

For Versions below 5:

1. Entries where index=\* AND sourcetype=\* AND alerting is temporarily suppressed
2. Entries where sourcetype=\* AND alerting is temporarily suppressed
3. Entries where index=\* AND alerting is temporarily suppressed
4. Entries where host=\* AND alerting is temporarily suppressed
5. Entries where index=\* AND host=\* AND alerting is temporarily suppressed
6. Entries where sourcetype=\* AND host=\* AND alerting is temporarily suppressed
7. Entries where alerting is temporarily suppressed
8. Entries where index=\* AND sourcetype=\* AND alerting is permanently suppressed
9. Entries where lateSecs is temporarily modified
10. Entries where sourcetype=\* AND lateSecs is temporarily modified
11. Entries where index=\* AND lateSecs is temporarily modified
12. Entries where host=\* AND lateSecs is temporarily modified
13. Entries where index=\* AND sourcetype=\* AND lateSecs is temporarily modified
14. Entries where index=\* AND host=\* AND lateSecs is temporarily modified
15. Entries where sourcetype=\* AND host=\* AND lateSecs is temporarily modified
16. Entries where alerting is permanently suppressed
17. Entries where lateSecs is permanently modified, or host=\* AND alerting is permanently suppressed, or host=\* AND lateSecs is permanently modified, or sourcetype=\* AND host=\* AND alerting is permanently suppressed
18. Entries where index=\* AND host=\* AND alerting is permanently suppressed
19. Entries where sourcetype=\* AND alerting is permanently suppressed
20. Entries where index=\* AND alerting is permanently suppressed
21. Entries where sourcetype=\* AND lateSecs is permanently modified
22. Entries where index=\* AND lateSecs is permanently modified
23. Entries where index=\* AND sourcetype=\* AND lateSecs is permanently modified
24. Entries where index=\* AND host=\* AND lateSecs is permanently modified
25. Entries where sourcetype=\* AND host=\* AND lateSecs is permanently modified
26. Default entries

bh_suppressions
===============

Using bh_suppressions
---------------------

The easiest way to update bh_suppressions is via the ``Configure Suppressions`` dashboard.

There are six fields used in this lookup table (all fields are case *insensitive*):

- ``index`` - The index for the data that you would like to match. This field accepts wildcards. This field is required.
- ``sourcetype`` - The sourcetype for the data that you would like to match. This field accepts wildcards. This field is required.
- ``host`` - The host for the data that you would like to match. This field accepts wildcards. This field is required.
- ``suppressUntil`` - The date on which the suppression should expire, in the format YYYY-MM-DD. An entry of 0 means the data source is permanently suppressed.
- ``contact`` - The email address where you would like the alert to be sent. If this is blank, the email address from the ``default_contact`` macro will be used. This field is optional.
- ``comments`` - Any comments that you would like to add for that line of the lookup table. This information is not used in the alert. This field is typically used to record why the entry is needed, when it was added, who added it, or any other details. This field is optional.
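The following is an added example, not code from the Broken Hosts App, showing why the ordering of the expectedTime lookup described in the Ordering section matters. It ranks entries with the Version 5 and above rules, sorts them, and then resolves ``lateSecs`` for an index/sourcetype/host, assuming (as a stated assumption) that the first matching row wins and that only ``*`` is a wildcard; the sample lookup rows are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an expectedTime lookup, deliberately out of order.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"index": "*", "sourcetype": "*", "host": "*", "lateSecs": "3600", "comments": ""},
    {"index": "*", "sourcetype": "*", "host": "*", "lateSecs": "86400",
     "comments": "Default Entry - catch-all"},
    {"index": "main", "sourcetype": "syslog", "host": "FW01", "lateSecs": "300",
     "comments": "firewall"},
    {"index": "main", "sourcetype": "*", "host": "*", "lateSecs": "7200", "comments": ""},
    {"index": "*", "sourcetype": "syslog", "host": "*", "lateSecs": "1800", "comments": ""},
]

# Rank for each (index wild?, sourcetype wild?, host wild?) tuple: rules 1-7 and 9.
_RANK = {
    (False, False, False): 1, (False, False, True): 2, (False, True, False): 3,
    (True, False, False): 4, (True, True, False): 5, (True, False, True): 6,
    (False, True, True): 7, (True, True, True): 9,
}

def precedence(entry: Dict[str, str]) -> int:
    """Rank an entry 1-9 according to the Version 5+ ordering rules."""
    wild = tuple(entry[k].strip() == "*" for k in ("index", "sourcetype", "host"))
    rank = _RANK[wild]
    # Rules are checked in order, so rule 8 ("comments starts with 'default entry',
    # case-insensitive like every field) only separates the all-wildcard entries.
    if rank == 9 and entry.get("comments", "").strip().lower().startswith("default entry"):
        return 8
    return rank

def sort_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stable sort: entries of equal rank keep their relative order."""
    return sorted(entries, key=precedence)

def _matches(pattern: str, value: str) -> bool:
    """Case-insensitive match where only '*' is a wildcard (Splunk-style)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None

def lookup_late_secs(entries: List[Dict[str, str]], index: str, sourcetype: str,
                     host: str) -> Optional[int]:
    """Return lateSecs of the first matching row (assumption: first match wins)."""
    for e in sort_entries(entries):
        if all(_matches(e[k], v) for k, v in
               (("index", index), ("sourcetype", sourcetype), ("host", host))):
            return int(e["lateSecs"])
    return None
```

Without the sort, the all-wildcard row with ``lateSecs`` 3600 would be the first match for every data source and the specific 300-second firewall tuning would never apply.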