[all_alerts]

definition = tstats values(all_alerts.alert) as alert, values(all_alerts.title) as title, values(all_alerts.app) as app, values(all_alerts.event_search) as event_search, values(all_alerts.search) as search, values(all_alerts.impact) as impact, values(all_alerts.earliest) as earliest, values(all_alerts.latest) as latest, count from datamodel="alert_manager" where nodename="all_alerts" by all_alerts.job_id, all_alerts.incident_id, all_alerts.result_id, _time | rename all_alerts.incident_id as incident_id, all_alerts.job_id as job_id, all_alerts.result_id as result_id| sort - _time | lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency | eval title=if(isnull(title) OR title="",alert,title) | lookup alert_priority impact, urgency OUTPUT priority | lookup incident_settings alert OUTPUT category, subcategory, tags, display_fields | lookup alert_status status OUTPUT status_description | fillnull value="" tags, category, subcategory | eval tags=if(tags=="","[Untagged]",tags) | makemv delim=" " tags

iseval = 0

[all_alerts_single_trend(2)]

args = earliest, latest

#definition = tstats values(all_alerts.alert) as alert values(all_alerts.label) as alert values(all_alerts.severity) as severity count from datamodel="alert_manager" where nodename="all_alerts" earliest="$earliest$" latest="$latest$" by all_alerts.incident_id |rename all_alerts.incident_id as incident_id | lookup incidents incident_id OUTPUT priority | fillnull value=unknown priority |

definition = tstats count from datamodel="alert_manager" where nodename="all_alerts" earliest="$earliest$" latest="$latest$" by all_alerts.incident_id | rename all_alerts.incident_id AS incident_id | lookup incidents incident_id OUTPUT impact, urgency | lookup alert_priority impact, urgency OUTPUT priority | fields priority

iseval = 0

[all_alerts_single_trend]

definition = tstats count from datamodel="alert_manager" where nodename="all_alerts" by all_alerts.incident_id, _time | rename all_alerts.incident_id AS incident_id | lookup incidents incident_id OUTPUT impact, urgency | lookup alert_priority impact, urgency OUTPUT priority | table _time, count, priority

iseval = 0

[all_alerts_pivot]

definition = pivot alert_manager all_alerts SPLITROW _time PERIOD auto SPLITROW label AS alert SPLITROW app SPLITROW incident_id SPLITROW event_search SPLITROW search SPLITROW severity SPLITROW earliest SPLITROW latest ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | sort - _time | lookup incidents incident_id OUTPUT |lookup incident_settings alert OUTPUT category, subcategory, priority |lookup alert_urgencies severity, priority OUTPUT urgency

iseval = 0

[incident_history(1)]

args = incident_id

definition = eventtype=incident_change incident_id="$incident_id$" | sort - _time | eval previous_value=coalesce(previous_status, previous_owner, previous_urgency) | eval attribute=case(isnotnull(owner),"owner",isnotnull(urgency),"urgency",isnotnull(status),"status") | eval attribute_val=case(isnotnull(owner),owner,isnotnull(urgency),urgency,isnotnull(status),status) | eval suppression_rules=if(isnotnull(suppression_rule),mvjoin(suppression_rule,", "),"") | eval details=case(action="auto_previous_resolve","Incident resolved by system (because of a new incident)",action="auto_ttl_resolve","Incident resolved by system (TTL reached)",action="create","Incident created",action="change",attribute + " has been changed from '" + previous_value + "' to '" + attribute_val+"'", action="suppress", "Incident suppressed by rules: " + suppression_rule, action="auto_suppress_resolve", "Incident auto-suppressed by rules: " + suppression_rule, action="comment", "Comment added") | table _time, user, action, details, comment

[incident_details(2)]

args = incident_id, fields

definition = loadincidentresults $incident_id$ | fields $fields$ | table $fields$ | transpose | rename column AS Key, "row 1" AS Value, "row 2" AS "Value 2", "row 3" AS "Value 3", "row 4" AS "Value 4", "row 5" AS "Value 5",

iseval = 0