How Splunk Works

Overview of Splunk

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

How search works
Set up saved searches
Set up saved searches via savedsearches.conf
Set up alerts via Splunk Web
Set up alerts via savedsearches.conf
Customize alert options
Form searches
Macro searches
Live Tail
Send syslog events
Send SNMP traps

Distributed Search

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Troubleshooting

Set up alerts via savedsearches.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

alerting options
display options
Script options
Example

Set up alerts via savedsearches.conf

Configure alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

alerting options

First, configure a saved search. Then, add the following attribute/value pairs to your saved search stanza to create an alert:

counttype = <string>

Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, number of sourcetypes.

relation = <string>

How to compare against counttype.
Possible values: greater than, less than, equal to, drops by, rises by.

quantity = <integer>

Number to compare against the given counttype.

schedule = <string>

Cron style schedule (i.e. */12 * * * *).

action_rss = <integer>

Toggle whether or not to create an RSS link.
Possible values: 1/0 (1 to create, 0 to disable).

action_email = <string>

Comma delimited list of email addresses to send alerts to.

sendresults = <integer>

Whether or not to send the results along with the email/shell script.
Possible values: 1/0 (1 to send, 0 to disable).

execDelay = <integer>

Amount of time (in seconds) from most recent event to the execution of the scheduled search query.
Defaults to 0.

maxresults = <integer>

The maximum number of results the entire query pipeline can generate.
Defaults to 50000.

Note: This is different from specifying maxresults during a search (maxresults:: search modifier in older versions, or -maxresults in the CLI in versions 3.2 and above).

display options

Optionally set the display options for your saved search in savedsearches.conf. Here are the possible attribute/value pairs:

viewstate.resultView = reportView

The UI state for a saved search.
Can be either normalView or reportView.
normalView returns the SplunkWeb search interface.
reportView returns the report interface.

viewstate.chart.plotMode = column

Set the plot mode for a chart returned by a saved search.
Only valid when viewstate.resultView == reportView
Possible values: area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter, stackedarea, stackedcolumn.

viewstate.prefs.selectedKeys = source host sourcetype

Space-delimited list of field to use.
Always auto-generated, but can be edited after the fact to include new fields.

Script options

Your alert can trigger a shell script. Use the following attribute/value pair:

action_script = <string>

Your search can trigger a shell script.
Specify the name of the shell script to run.
Place the script in $SPLUNK_HOME/bin/scripts.
Command line arguments passed to the script are:
$0 = script name.
$1 = number of events returned.
$2 = search terms.
$3 = fully qualified query string.
$4 = name of saved splunk.
$5 = trigger reason (i.e. "The number of events was greater than 1").
$6 = link to saved search.
$7 = a list of tags belonging to this saved search.
$8 = file where the results for this search are stored (contains raw results).

Note: If there are no saved tags, $7 becomes the name of the file containing the search results ($8).

All scripts must be shell scripts. If you want to run a script written in a different language (e.g. PERL, Python, VBScript) you must wrap it inside a shell script file which will interpret and pass Splunk's parameters to the script responsible for the heavy lifting. Specify the interpreter you want Splunk to use in the first line of your script, following the #!. For example:

to run a PERL script:

---- myscript.pl ----
#!/path/to/perl
......
......

to use Python to interpret the script file:

---- myscript.py -----
#!/path/to/python
.....
.....

For examples on how scripts can be configured to work with alerts, see send SNMP traps and send syslog events.

Example

This example runs a search for events containing the term "sudo" on a schedule, and sends the results via an RSS feed.

[sudoalert]
action_rss = 1
counttype = number of events
enableSched = 1
quantity = 0
search = sudo
relation = greater than
schedule = */12 * * * *
sendresults = 0
role = Admin

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.3/Admin/SetUpAlertsViaSavedsearchesconf"

« Set up alerts via Splunk Web Customize alert options »

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Set up alerts via savedsearches.conf

Contents

Set up alerts via savedsearches.conf

alerting options

display options

Script options

Example

Comments