#   Version 9.2.2.20240415

[DeploymentServerClients]
search = | tstats count where index=_dsclient `filter_by_client_id("$clientId$")` by \
           data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
           data.instanceName data.ip data.mgmt data.name data.package data.packageType data.splunkVersion data.utsname datetime \
| rename data.* as * \
| dedup clientId sortby -datetime\
| join clientId type=inner max=1 [ \
    | search index=_dsphonehome earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
    | rename data.* as * \
    | search `filter_by_phonehome($minPhoneHomeTime$)` \
    | dedup 4 clientId \
    | stats list(lastPhoneHomeTime) as lastPhoneHomeTime latest(_time) as _time by clientId \
    | mvexpand lastPhoneHomeTime limit=4 \
    | delta lastPhoneHomeTime as phoneHomeInterval \
    | eval phoneHomeInterval = if (phoneHomeInterval < 0, 0 - phoneHomeInterval, null) \
    | stats latest(lastPhoneHomeTime) as lastPhoneHomeTime latest(updaterRunning) as updaterRunning avg(phoneHomeInterval) as averagePhoneHomeInterval by clientId \
    | eval actual_ratio=(now() - lastPhoneHomeTime) / averagePhoneHomeInterval \
    | search `filter_by_ratio("$greater_than$", $ratio$)` \
    | dedup clientId \
] \
| join clientId type=left max=0 [ \
    | search index=_dsappevent earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
    | rename data.* as * \
    | dedup key \
    | search `filter_by_app("$appName$")` `filter_by_serverclasses("$serverClassNames$")` \
      `filter_by_action("$action$")` `filter_by_checksum($checksum$)` `filter_by_error("$has_error$")` \
    | stats list(appName) as appName list(serverClassName) as serverClassName \
      list(action) as action list(result) as result list(failedReason) as failedReason \
      list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId \
    | eval appName=mvjoin(appName, "#") \
    | eval serverClassName=mvjoin(serverClassName, "#") \
    | eval action=mvjoin(action, "#") \
    | eval result=mvjoin(result, "#") \
    | eval failedReason=mvjoin(failedReason, "#") \
    | eval checksum=mvjoin(checksum, "#") \
    | eval timestamp=mvjoin(timestamp, "#") \
] \
| eval appName=split(appName, "#") \
| eval serverClassName=split(serverClassName, "#") \
| eval action=split(action, "#") \
| eval result=split(result, "#") \
| eval failedReason=split(failedReason, "#") \
| eval checksum=split(checksum, "#") \
| eval timestamp=split(timestamp, "#") \
| search `filter_by_app_count("$has_app_filter$")`

[DeploymentServerClientsBasic]
search = | tstats count where index=_dsclient by \
           data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
           data.instanceName data.ip data.mgmt data.name data.package data.splunkVersion data.utsname datetime\
| rename data.* as * \
| dedup clientId sortby -datetime\
| join clientId type=inner max=1 [search index=_dsphonehome earliest=$reloadTime$ \
    | rename data.* as * \
    | dedup clientId \
    | table clientId lastPhoneHomeTime \
] \
| eventstats count as total \
| head $offset_end$ \
| streamstats count as paginator \
| where paginator>$offset_start$ \

[DeploymentServerClientsByMachineType]
search = | search index=_dsclient earliest=0 | stats latest(data.utsname) as utsname by data.clientId | stats count as clients by utsname

[DeploymentServerAppEvents]
search = | search index=_dsappevent earliest=$reloadTime$ data.clientId IN ($clientIdList$) $result$\
| rename data.* as * \
| dedup key \
| stats list(appName) as appName list(serverClassName) as serverClassName \
  list(action) as action list(result) as result list(failedReason) as failedReason \
  list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId

[DeploymentServerRecentDownloads]
search = | search index=_dsappevent data.action!=Install earliest=$earliest$ \
         | stats latest(data.result) as result latest(data.action) as action by data.clientId data.serverClassName data.appName \
         | search result=Ok action=Download \
         | stats count as downloads

[DeploymentServerEventsWithError]
search = | search index=_dsappevent earliest=$reloadTime$ data.result != Ok \
         | rename data.* as * \
         | stats latest(failedReason) as failedReason latest(action) as action latest(timestamp) as timestamp by serverClassName, appName, clientId

[DeploymentServerHasDeploymentErrorsPerAppAndServerclass]
search = | search index= _dsappevent earliest=$reloadTime$ $result$ \
          $appName$ $serverClassNames$ data.action=Download OR data.action=Install \
         | dedup data.clientId | stats count as clients

[DeploymentServerGetPhonehomedClients]
search = | tstats dc(data.clientId) as clients where index=_dsphonehome earliest=$earliest$

[DeploymentServerLookupClient]
search = | search index=_dsclient data.clientId = $clientId$ \
         | rename data.* as * \
         | head 1

[DeploymentServerGetClientsUri]
search = | search index=_dsclient | strcat "https://" data.ip ":" data.mgmt uri \
         | stats latest(_time) as latesttime latest(uri) as clientUri by data.clientId