field_actions.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
field_actions.conf
field_actions.conf controls what actions are available in SplunkWeb inline with events.
field_actions.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
# This file contains possible attribute and value pairs for field_actions.conf.
#
# SplunkWeb must be restarted when you make changes.
# Additionally, you must clear your browser cache.
# In Firefox this is Tools > Clear Private Data >
# If you are experiencing errors, check $SPLUNK_HOME/var/log/splunk/web_service.log.
# A configuration looks like:
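[<field_action_name>]
# Each {$key} used in uri is listed in metaKeys.
# The substituted values come from the event and are sent to the host named in uri.
metaKeys = foo,bar,baz
uri = http://google.com?q={$foo}+{$bar}+{$baz}
label="search for foo,bar,baz in google"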
# Attribute/value pairs:
metaKeys = <string>
* Comma-separated list of metadata keys that are required for the action to display in SplunkWeb.
* Keys listed in metaKeys are then usable in the uri field.
uri = <string>
* URI, either beginning with http:// or https://
* Alternately, for URLs on the Splunk front-end, beginning with "/".
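* This URI will load when the user clicks on the action in SplunkWeb.
* Values substituted for {$key} come from the event, so a URI on an external host sends those values to that host when the action is clicked; over http:// they travel unencrypted.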
target = <string>
* Only meaningful if URI is present.
* If set to _self, the URI loads in the current window.
* If set to _blank, URI opens in a new window.
* If set to fooWindow, the URI opens in any window named fooWindow or in a new window if none exists.
method = <string>
* Only meaningful if uri is present.
* Can be set to either GET or POST.
* The HTTP method that should be used with the given URI.
payload = <string>
* Only meaningful if method is set to POST.
* Lets the user customize the values passed in the POST request.
* Please note: key value pairs are separated with an &: event={$_raw}&myhost={$host}.
* A payload that includes {$_raw} sends the full event text to the host named in uri.
term = <string>
* An alternative to uri.
* If present, the action becomes a search in Splunk.
* Assuming you have metaKeys rhost and ruser, you can search term=<string> {$rhost} {$ruser}.
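* The search string will run whenever a user clicks the field action.
* This spec does not say whether substituted values are escaped; values that originate in logged input (such as a user name from a failed login) should be treated as untrusted text inside the search string.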
alwaysReplace = <true/false>
* For use with the term field.
* If present and set to true, term will replace the current search instead of appending to it.
field_actions.conf.example
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file is an example field_actions.conf.
#
# SplunkWeb must be restarted when you make changes.
# Additionally, you must clear your browser cache.
# In Firefox this is Tools > Clear Private Data >
# If you are experiencing errors, check $SPLUNK_HOME/var/log/splunk/web_service.log.
# This example searches an IP on google:
# The action is shown for events that carry an ip key. Clicking it issues a GET
# to google.com with that value in the query string, over plain http.
[googleExample]
metaKeys=ip
uri=http://google.com/search?q={$ip}
label=Google this ip
method=GET
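# This example does a reverse look up on an IP address:
# The uri is a single long query string whose parameters are separated by "&".
# The event's ip value is sent to the external whois site over plain http.
[WAN_ReverseLookup]
metaKeys=ip
uri=http://www.networksolutions.com/enhancedWHOIS.do?queryString={$ip}&method-submit=&successPage=%2Fwhois%2Fresults.jsp&errorPage=%2Fwhois%2Findex.jsp&fatalErrorPage=%2Fcommon%2Ferror.jsp&queryType=ip&STRING2.x=26&STRING2.y=12&currentPage=%2Fwhois%2Findex.jsp
label=Reverse look up this IP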
# This example jumps to a bug in Jira:
# The jira key's value is appended to the SPL- issue prefix in the URL path,
# and target=_blank opens the result in a new window.
[Jira]
metaKeys=jira
uri=http://10.1.1.10:8080/browse/SPL-{$jira}
label=Go to Bug in Jira
target=_blank
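# This example goes to commit in Perforce web:
# The link is set with the uri attribute, like the other URL examples in this file.
# The p4 key's value is placed in the URL path.
[P4Web]
metaKeys=p4
uri=http://perforce:8800/@md=d&cd=//&c=dmm@/{$p4}?ac=10
label=Go to commit in P4Web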
# This example performs a geolocation on an IP address:
# No method is set here. The ip value is placed in the URL path and sent to the
# external site over plain http.
[IP2Location]
metaKeys=ip
uri=http://www.ip2location.com/{$ip}
label=Geolocate this IP
# This example runs a custom search in SplunkWeb:
# term makes the action a Splunk search instead of a link. {$ruser} and {$rhost}
# are replaced with the event's values, and alwaysReplace=true makes the search
# replace the current one instead of being appended to it.
# NOTE(review): ruser and rhost in authentication-failure events presumably come
# from the remote side; confirm how substituted values are quoted before relying
# on the generated search.
[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | where ruser={$ruser} rhost={$rhost}
label=Search for other breakin attempts by this user
alwaysReplace=true
# This example looks up your event on SplunkBase
# The POST body carries the whole raw event ({$_raw}) and the host value to
# www.splunkbase.com over plain http, so event contents leave the deployment
# when the action is clicked.
# target=splunkbase names the window the result loads in.
[SplunkBaseLookup]
metaKeys=_raw, host
uri=http://www.splunkbase.com/
label=Search SplunkBase
target=splunkbase
method=POST
payload= event={$_raw}&myhost={$host}
# Links for other useful field actions:
#-- IP ADDRESS LINKS
#http://www.dnsstuff.com/tools/ptr.ch?ip={$ip}
#http://www.dnsstuff.com/tools/tracert.ch?ip={$ip}
#http://www.completewhois.org/cgi-bin/whois.cgi?query_type=auto&ip_whoislookup_cyberabuse=ON&ip_nameservers_hostlookup=ON&query={$ip}
#http://www.senderbase.org/search?oOrder=lastday%20desc&searchString={$ip}%2F24
#http://spamcop.net/w3m?action=checkblock&ip={$ip}
#http://www.google.com/search?q={$ip} -- sometimes useful to do a quick search on an IP address on Google
#http://groups.google.com/groups?q={$ip} -- you can search groups, blogs, whatever...
#http://spamcop.net/sc?track={$ip}
#http://clez.net/net.whois?ip={$ip}&t=ip
#http://www.melissadata.com/Lookups/iplocation.asp?ipaddress{$ip}
#-- HOST LINKS
#http://www.statsaholic.com/nagios.org?y=r&r=1y&z=10
#-- OTHER IDEAS
#windows eventID link http://www.eventid.net/display.asp?eventid=5781&source=netlogon
#IP2Location http://www.ip2location.com/demo.aspx
This documentation applies to the following versions of Splunk: 3.1.4 View the Article History for its revisions.