.. _macros: Macros ====== bh_stats_gen_constraints ------------------------ The ``bh_stats_gen_constraints`` macro is used to control what data is examined by the ``bh_stats_gen`` search when generating the metrics used by the alerting searches. The default behavior is to exclude all data in the summary index, and all data from the stash sourcetype, but include all other data. **NOTE**: This macro is used within a ``tstats`` command, and therefore the macro's must be valid ``tstats`` syntax. bh_stats_gen_additions ---------------------- The ``bh_stats_gen_additions`` macro is used to insert arbitrary SPL into the ``bh_stats_gen`` search in order to transform data before it is written to the summary index. Example: use ``eventstats`` and ``eval`` statements to calculate custom metrics to be stored in the summary data. bh_alert_additions ------------------ The ``bh_alert_additions`` macro is used to insert arbitrary SPL into the alerting searches, in order to transform data before it is written to the summary index. Example: Apply subsearch logic from a monitoring system to automatically exclude hosts that are known to be offline default_contact --------------- The ``default_contact`` macro is used only for the ``Broken Hosts Alert - by contact`` search. It is used to set the default email address for items that don’t have a separate contact listed in the ``contact`` column of the lookup table. default_expected_time --------------------- The ``default_expected_time`` macro is used to set a default ``lateSecs`` value for things not defined in the lookup. The ``lateSecs`` value tells Broken Hosts how long a specific source of data is allowed to go without sending data before an alert should be triggered. This setting is in seconds, and defaults to 14400 (4 hours). bh_linuxoslog_index ------------------- Sets the default index for Linux OS logs for the Tuning/Investigation Dashboard. Defaults to index=os bh_wineventlog_index -------------------- Sets the default index for Windows for the Tuning/Investigation Dashboard. Defaults to index=wineventlog bh_volume_alerting_indexes -------------------------- The ``bh_volume_alerting_indexes`` macro is used in the searches ``Broken Hosts Alert - Volume Alerting`` and ``Broken Hosts Alert - Volume Alerting with Seasonality``. It contains a comma separated list of indexes. bh_expectedTime_lookup ---------------------- The ``bh_expectedTime_lookup`` macro is used in searches and dashboard to perform in order matching of entries in the ``expectedTime`` lookup to the results found in the ``bh_summary index`` bh_expectedTime_lookup_contact ------------------------------ The ``bh_expectedTime_lookup_contact`` macro is used in the search ``Broken Hosts Alert - by contact`` to perform in order matching of entries in the ``expectedTime`` lookup to the results found in the ``bh_summary index``