This documentation does not apply to the most recent version of Splunk.

field_actions.conf

field_actions.conf controls which actions are available inline with events in Splunk Web.


To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/field_actions.conf.


You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/field_actions.conf.example.


Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.


field_actions.conf.spec

# This file contains all possible options for a "field_actions" file.
#
# SplunkWeb must be restarted when you make changes.  Check the 
# web_service.log to catch errors in your stanzas.
# A configuration looks like:
[<field_action_name>]
metaKeys = foo,bar
uri = http://google.com?q={$foo}+{$bar}+{$baz}
label="search for foo,bar,baz in google"
metaKeys = <string>
  * Comma-separated list of metadata keys that are required for the action to display in SplunkWeb.
    Keys whose names are present in the metaKeys list are then usable in the uri field.
uri = <string>
  * URI beginning with http:// or https://, or, for URLs on the Splunk front-end, beginning with "/".
    If present, clicking the action in SplunkWeb loads this URL.
target = <string>
  * Only meaningful if uri is present. If set to _self, the webapp loads in the current window.
    If set to _blank, it opens a new window. If set to fooWindow, it reuses any window named
    fooWindow, or opens a new window if no such window exists.
method = <string> (GET)
  * Only meaningful if uri is present. Either GET or POST: the HTTP method to use with the given url.
payload = <string>
  * Only meaningful for POST methods. Lets the user customize the values passed over, for example
    event={$_raw}&myhost={$host}. Key-value pairs are separated with &.
term = <string>
  * An alternative to uri. If present, the action becomes a search action. Assuming you had
    metaKeys values of rhost and ruser, you could have term=authentication failure {$rhost} {$ruser}.
    When clicked, it runs the given search.
alwaysReplace = true
  * Either set to true or left out of the stanza. If it is present and set to true, the term
    replaces the current search bar term instead of being appended to the search.
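
One way to review a local field_actions.conf against the rules in the spec above, as an added example (not Splunk's code). The stanza names, hosts and field names in the sample are constructed, and the cleartext-http and raw-event findings are reviewer checks assumed here, not rules the spec states.

```python
import configparser
import re
PLACEHOLDER = re.compile(r"\{\$(\w+)\}")

# Constructed sample stanzas (not from the Splunk docs); hosts are placeholders.
SAMPLE = """
[whois_lookup]
metaKeys = clientip
uri = http://whois.example.com/lookup?ip={$clientip}

[ticket_from_event]
metaKeys = host
uri = https://tickets.example.com/new
method = POST
payload = event={$_raw}&myhost={$host}

[auth_failures]
metaKeys = rhost
term = authentication failure {$rhost} {$ruser}
target = _blank
"""

def lint(conf_text):
    """Return (stanza, finding) pairs for the text of a field_actions.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: metaKeys, alwaysReplace
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        keys = {k.strip() for k in s.get("metaKeys", "").split(",") if k.strip()}
        uri, method = s.get("uri"), s.get("method", "GET").upper()
        if uri is None and ("target" in s or "method" in s):
            findings.append((name, "target/method ignored without uri"))
        if uri is not None and not uri.startswith(("http://", "https://", "/")):
            findings.append((name, "uri must start with http://, https:// or /"))
        if uri is not None and uri.startswith("http://"):
            findings.append((name, "uri uses cleartext http"))
        if method not in ("GET", "POST"):
            findings.append((name, "method must be GET or POST"))
        if "payload" in s and method != "POST":
            findings.append((name, "payload ignored unless method = POST"))
        # Assumption from the spec text: only metaKeys names are usable as {$name}.
        used = PLACEHOLDER.findall((uri or "") + " " + s.get("term", ""))
        for field in sorted(set(used) - keys):
            findings.append((name, f"{{${field}}} not listed in metaKeys"))
        if uri and not uri.startswith("/") and "{$_raw}" in uri + s.get("payload", ""):
            findings.append((name, "raw event sent to an external URL"))
    return findings
```

Pass the contents of $SPLUNK_HOME/etc/bundles/local/field_actions.conf to lint() and review each returned pair before restarting SplunkWeb.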

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3.

