Live Splunk Integrations to other Apps
This documentation does not apply to the most recent version of Splunk.
Live Splunks can be configured to notify other applications via script, RSS or email, optionally including the search results. Report Splunks can also include a full report table.
RSS
RSS feeds use the format shown below. The link value is a permalink URL that runs the Live Splunk immediately on the server.
<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>test</title>
    <link>http://qa-fc4:8000/?events?q=meta%3a%3aall%20</link>
    <description>Live,Splunk Feed for live splunk test</description>
    <item>
      <title>Query run from 0 To 1134079839</title>
      <link>http://qa-fc4:8000/?events?q=meta%3a%3aall%20%20starttimeu%3a%3a0%20endtimeu%3a%3a1134079839</link>
      <description> The Number of Events (1000) was Greater Than 1.</description>
      <pubDate>1134079840</pubDate>
    </item>
  </channel>
</rss>
Shell Script
The splunkd process runs the configured alert script and passes it these positional parameters:
- $1 - A results summary in XML.
- $2 - The search terms for the Live Splunk.
- $3 - The fully qualified query string for the Live Splunk.
- $4 - The name of the Live Splunk.
- $5 - The reason the Live Splunk fired.
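The following is an added example of an alert script that splunkd could invoke with the five parameters listed above; it is not code from the original page. The log path, the key="value" record layout, the use of logger(1) and the event-count parsing of the reason text are assumptions.

```shell
#!/bin/sh
# Added example: alert script receiving the five positional parameters
# splunkd passes ($1 XML summary, $2 terms, $3 query, $4 name, $5 reason).
# Log path, record layout and logger(1) use are assumptions, not the page's.
ALERT_LOG="${ALERT_LOG:-/tmp/livesplunk-alerts.log}"

# Escape double quotes and collapse newlines (the XML summary spans several)
# so every field fits safely into a single-line key="value" record.
field() {
    printf '%s' "$1" | tr '\n' ' ' | sed 's/"/\\"/g'
}

# Pull the event count out of the reason text, which in the page's examples
# reads "The Number of Events (N) was ...". Prints nothing if absent.
event_count() {
    printf '%s' "$1" | sed -n 's/.*Events (\([0-9][0-9]*\)).*/\1/p'
}

# Build one log record from $1..$5 in the order splunkd passes them.
format_alert() {
    printf 'livesplunk name="%s" reason="%s" count="%s" terms="%s" query="%s" summary="%s"\n' \
        "$(field "$4")" "$(field "$5")" "$(event_count "$5")" \
        "$(field "$2")" "$(field "$3")" "$(field "$1")"
}

# Exactly five parameters are expected; anything else points to a
# misconfigured alert action and should fail loudly, not log empty fields.
check_args() {
    [ "$#" -eq 5 ]
}

main() {
    if ! check_args "$@"; then
        echo "livesplunk-alert: expected 5 parameters, got $#" >&2
        return 2
    fi
    record=$(format_alert "$@")
    printf '%s\n' "$record" >> "$ALERT_LOG"
    if command -v logger >/dev/null 2>&1; then
        logger -t livesplunk -- "$record"
    fi
}

# Dispatch only when splunkd supplied parameters, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```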
Email
Email alert messages use the format below. Outbound SMTP must be enabled on the host running the Splunk server.
From: livesplunk@splunk.enet.interfoo.net (Joe Admin)
Date: November 16, 2005 3:19:23 PM PST
To: admin-list@interfoo.net
Subject: alert if fewer than 10.

Live Splunk http://splunk.enet.interop.net:8000/?events?q=7%318989%32500%20m%69%6e%75t%65sago%3a%3a%310%20doma%69%6e%3a%3ad%65fa%75%6ct%20 triggered with the result : The Number of Events (0) was Less Than 10.
Splunk Name : calls home last 10 minutes
Query Terms : 7189892500 minutesago::10 index::default
Auto-generated by Splunk Professional
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6