Fix validation issues: macros, alerts, indexes, and documentation

Fixes:
- indexes.conf: Remove empty coldToFrozenDir that caused invalid config
- macros.conf: Fix return syntax (add closing $ to $setting_value$)
- macros.conf: Change first() to sum() for metric aggregation in 4 macros
  (get_all_dashboards_summary, get_all_dashboards_summary_timerange,
  get_problematic_dashboards, get_dashboard_engagement_scores)
- macros.conf: Use settings lookup for engagement scoring weights
- savedsearches.conf: Fix alerts to not truncate results with head 1
- README.md: Correct statement about enabled searches

https://claude.ai/code/session_014YNv3fKbpjQB5eMZCrHwzi

Author: claude

README.md

@@ -639,7 +639,7 @@ We welcome contributions for any of these roadmap items or new feature ideas. Pl
 - Better error handling in all collectors
 - More robust field extraction in data collection
 - Improved performance with tsidx reduction enabled
-- All scheduled searches now enabled by default
+- Core data collection searches enabled by default (alerts and reports disabled by default)
 
 #### Breaking Changes
 - App version bumped from 0.0.1 to 1.0.0

default/indexes.conf

@@ -11,8 +11,7 @@ thawedPath = $SPLUNK_DB/caca_metrics/thaweddb
 # Adjust based on your retention requirements
 frozenTimePeriodInSecs = 31536000
 
-# Roll buckets to cold after 30 days for storage efficiency
-coldToFrozenDir =
+# Bucket management settings
 maxWarmDBCount = 300
 
 # Enable tsidx reduction for better metric performance

default/macros.conf

@@ -17,7 +17,7 @@ iseval = 0
 [caca_get_setting(1)]
 args = setting_name
 definition = | inputlookup caca_settings where setting_name="$setting_name$" \
-| return $setting_value
+| return $setting_value$
 iseval = 0
 
 #####################
@@ -64,10 +64,8 @@ definition = | mstats sum(_value) as metric_value WHERE index=caca_metrics AND m
     metric_name=="dashboard.load_time", "load_time_7d",\
     1=1, "other") \
 | eval {metric_type}=total_value \
-| stats values(app) as app first(views_7d) as views_7d first(edits_7d) as edits_7d first(errors_7d) as errors_7d avg(load_time_7d) as avg_load_time_7d by pretty_name \
+| stats values(app) as app sum(views_7d) as views_7d sum(edits_7d) as edits_7d sum(errors_7d) as errors_7d avg(load_time_7d) as avg_load_time_7d by pretty_name \
 | fillnull value=0 views_7d edits_7d errors_7d avg_load_time_7d \
-| lookup caca_settings setting_name AS tmp OUTPUT setting_value AS tmp2 \
-| lookup caca_settings setting_name OUTPUT setting_value \
 | appendpipe [| inputlookup caca_settings | eval {setting_name}=setting_value | stats values(*) as * | eval _merge="settings"] \
 | eventstats values(error_threshold_warning) as _warn_thresh values(error_threshold_critical) as _crit_thresh \
 | where isnotnull(pretty_name) \
@@ -92,7 +90,7 @@ definition = | mstats sum(_value) as metric_value WHERE index=caca_metrics AND m
     metric_name=="dashboard.load_time", "load_time",\
     1=1, "other") \
 | eval {metric_type}=total_value \
-| stats values(app) as app first(views) as views first(edits) as edits first(errors) as errors avg(load_time) as avg_load_time by pretty_name \
+| stats values(app) as app sum(views) as views sum(edits) as edits sum(errors) as errors avg(load_time) as avg_load_time by pretty_name \
 | fillnull value=0 views edits errors avg_load_time
 iseval = 0
 
@@ -229,7 +227,7 @@ definition = | mstats sum(_value) as metric_value WHERE index=caca_metrics AND m
     metric_name=="dashboard.load_time", "load_time_7d",\
     1=1, "other") \
 | eval {metric_type}=total_value \
-| stats values(app) as app first(views_7d) as views_7d first(edits_7d) as edits_7d first(errors_7d) as errors_7d avg(load_time_7d) as avg_load_time_7d by pretty_name \
+| stats values(app) as app sum(views_7d) as views_7d sum(edits_7d) as edits_7d sum(errors_7d) as errors_7d avg(load_time_7d) as avg_load_time_7d by pretty_name \
 | fillnull value=0 views_7d edits_7d errors_7d avg_load_time_7d \
 | eval health_status=case(\
     errors_7d > 10, "critical",\
@@ -297,10 +295,15 @@ definition = | mstats sum(_value) as metric_value WHERE index=caca_metrics AND m
     metric_name=="dashboard.errors", "errors",\
     1=1, "other") \
 | eval {metric_type}=total \
-| stats values(app) as app first(views) as views_30d first(edits) as edits_30d first(errors) as errors_30d by pretty_name \
+| stats values(app) as app sum(views) as views_30d sum(edits) as edits_30d sum(errors) as errors_30d by pretty_name \
 | fillnull value=0 views_30d edits_30d errors_30d \
-| eval engagement_score=views_30d + (edits_30d * 2) - (errors_30d * 5) \
+| appendpipe [| inputlookup caca_settings | eval {setting_name}=setting_value | stats values(*) as * | eval _merge="settings"] \
+| eventstats values(engagement_edit_weight) as _edit_weight values(engagement_error_penalty) as _error_penalty \
+| where isnotnull(pretty_name) \
+| eval _edit_weight=coalesce(_edit_weight, 2), _error_penalty=coalesce(_error_penalty, 5) \
+| eval engagement_score=views_30d + (edits_30d * _edit_weight) - (errors_30d * _error_penalty) \
 | eval engagement_score=if(engagement_score < 0, 0, engagement_score) \
+| fields - _edit_weight _error_penalty _merge \
 | sort -engagement_score \
 | lookup dashboard_registry pretty_name OUTPUT owner description
 iseval = 0

default/savedsearches.conf

@@ -213,11 +213,10 @@ dispatch.latest_time = now
 enableSched = 0
 search = | mstats sum(_value) as error_count WHERE index=caca_metrics AND metric_name="dashboard.errors" BY pretty_name, app span=1h \
 | stats sum(error_count) as total_errors by pretty_name, app \
-| lookup caca_settings setting_name OUTPUT setting_value \
-| head 1 \
-| appendpipe [| inputlookup caca_settings where setting_name="error_threshold_critical" | head 1] \
+| appendpipe [| inputlookup caca_settings where setting_name="error_threshold_critical" | eval _merge="settings"] \
 | eventstats values(setting_value) as critical_threshold \
 | where isnotnull(pretty_name) AND total_errors >= coalesce(critical_threshold, 10) \
+| fields - critical_threshold _merge setting_name setting_value setting_description \
 | lookup dashboard_registry pretty_name OUTPUT owner \
 | table pretty_name app owner total_errors
 schedule_priority = default
@@ -238,12 +237,11 @@ dispatch.latest_time = now
 enableSched = 0
 search = | mstats avg(_value) as avg_load WHERE index=caca_metrics AND metric_name="dashboard.load_time" BY pretty_name, app span=1h \
 | stats avg(avg_load) as avg_load_time by pretty_name, app \
-| lookup caca_settings setting_name OUTPUT setting_value \
-| head 1 \
-| appendpipe [| inputlookup caca_settings where setting_name="load_time_critical" | head 1] \
+| appendpipe [| inputlookup caca_settings where setting_name="load_time_critical" | eval _merge="settings"] \
 | eventstats values(setting_value) as critical_threshold \
 | where isnotnull(pretty_name) AND avg_load_time >= coalesce(critical_threshold, 10000) \
 | eval avg_load_time=round(avg_load_time, 0) \
+| fields - critical_threshold _merge setting_name setting_value setting_description \
 | lookup dashboard_registry pretty_name OUTPUT owner \
 | table pretty_name app owner avg_load_time
 schedule_priority = default