field_actions.conf
field_actions.conf controls what actions are available in SplunkWeb inline with events.
field_actions.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute and value pairs for creating field actions: drop-down
# actions in SplunkWeb. You can configure field actions by creating your own field_actions.conf.
# There is a field_actions.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place a field_actions.conf in your own custom bundle directory.
#
# NOTE: SplunkWeb must be restarted when you make changes to this file.
# Additionally, you must clear your browser cache.
# In Firefox, go to Tools > Clear Private Data >
# If you are experiencing errors, check $SPLUNK_HOME/var/log/splunk/web_service.log.
[<field_action_name>]
* Set field action options under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
metaKeys = <string>
* Comma-separated list of metadata keys that are required for the action to display in SplunkWeb.
* Keys listed in metaKeys are then usable in the uri field.
uri = <string>
* URI, either beginning with http:// or https://.
* Alternately, for URLs in SplunkWeb, beginning with "/".
* This URI will load when the user clicks on the action in SplunkWeb.
target = <string>
* Only meaningful if URI is present.
* If set to _self, the URI loads in the current window.
* If set to _blank, URI opens in a new window.
* If set to fooWindow, the URI opens in any window named fooWindow or in a new window if none exists.
method = <string>
* The HTTP method that should be used with the given URI.
* Can be set to either GET or POST.
* Only meaningful if URI is present.
payload = <string>
* Only meaningful if method is set to POST.
* Use this attribute to customize the values passed with the POST request.
* IMPORTANT: Key value pairs are separated with an &
* For example, event={$_raw}&myhost={$host}.
term = <string>
* An alternative to URI.
* If present, the action becomes a search in Splunk.
* Assuming you have metaKeys rhost and ruser, you can search term=<string> {$rhost} {$ruser}.
* The search string will run whenever a user clicks the field action.
alwaysReplace = <true/false>
* For use with the term field.
* If present and set to true, term will replace the current search instead of appending to it.
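A small linter for the attribute rules in the spec above, added here as an example; it is not Splunk's code. It extends the metaKeys rule to payload and term, and adds one check the spec does not state: field values substituted into an http:// URI travel unencrypted. The function names and sample stanzas are constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"\{\$(\w+)\}")
ATTRIBUTE = re.compile(r"(\w+)\s*=\s*(.*)")

def parse_conf(text):
    """Return {stanza: {attribute: value}}; malformed lines go under '_bad'."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and (m := ATTRIBUTE.fullmatch(line)):
            current[m[1]] = m[2].strip()
        elif current is not None and line and not line.startswith("#"):
            current.setdefault("_bad", []).append(line)
    return stanzas

def lint(stanzas):
    """Check each stanza against the attribute rules in the spec above."""
    findings = []
    for name, a in stanzas.items():
        keys = {k.strip() for k in a.get("metaKeys", "").split(",") if k.strip()}
        uri, method = a.get("uri", ""), a.get("method")
        used = set(PLACEHOLDER.findall(
            " ".join(a.get(k, "") for k in ("uri", "payload", "term"))))
        checks = [
            (not uri and "term" not in a, "neither uri nor term is set"),
            (uri and not uri.startswith(("http://", "https://", "/")),
             "uri must begin with http://, https:// or /"),
            (method not in (None, "GET", "POST"), "method must be GET or POST"),
            ("payload" in a and method != "POST", "payload set without method=POST"),
            (used - keys, f"not in metaKeys: {sorted(used - keys)}"),
            # Added check, not in the spec: field values leave in cleartext.
            (uri.startswith("http://") and used,
             "event fields sent over unencrypted http://"),
        ]
        findings += [(name, f"malformed line: {l}") for l in a.get("_bad", [])]
        findings += [(name, msg) for cond, msg in checks if cond]
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """[whois]
metaKeys = ip
uri = https://whois.example.com/lookup?q={$ip}
[ticket]
metaKeys = host
uri = http://tracker.example.com/new
payload = event={$_raw}&myhost={$host}
"""
print(*lint(parse_conf(SAMPLE)), sep="\n")
```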
field_actions.conf.example
# This file contains an example field_actions.conf. Use this file to configure field actions.
#
# To use one or more of these configurations, copy the configuration block into
# field_actions.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
# NOTE: SplunkWeb must be restarted when you make changes to this file.
# Additionally, you must clear your browser cache.
# In Firefox this is Tools > Clear Private Data >
# If you are experiencing errors, check $SPLUNK_HOME/var/log/splunk/web_service.log.
# This example searches an IP on Google:
[googleExample]
metaKeys=ip
uri=http://google.com/search?q={$ip}
label=Google this ip
method=GET
# This example does a reverse look up on an IP address:
[WAN_ReverseLookup]
metaKeys=ip
uri=http://www.networksolutions.com/enhancedWHOIS.do?queryString={$ip}&method-submit=&successPage=%2Fwhois%2Fresults.jsp&errorPage=%2Fwhois%2Findex.jsp&fatalErrorPage=%2Fcommon%2Ferror.jsp&queryType=ip&STRING2.x=26&STRING2.y=12&currentPage=%2Fwhois%2Findex.jsp
label=Reverse look up this IP
# This example jumps to a bug in Jira:
[Jira]
metaKeys=jira
uri=http://10.1.1.10:8080/browse/SPL-{$jira}
label=Go to Bug in Jira
target=_blank
# This example goes to commit in Perforce web:
[P4Web]
metaKeys=p4
uri=http://perforce:8800/@md=d&cd=//&c=dmm@/{$p4}?ac=10
label=Go to commit in P4Web
# This example performs a geolocation on an IP address:
[IP2Location]
metaKeys=ip
uri=http://www.ip2location.com/{$ip}
label=Geolocate this IP
# This example runs a custom search in SplunkWeb:
[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | filter ruser={$ruser} rhost={$rhost}
label=Search for other breakin attempts by this user
alwaysReplace=true
# This example looks up your event on SplunkBase
[SplunkBaseLookup]
metaKeys=_raw, host
uri=http://www.splunkbase.com/
label=Search SplunkBase
target=splunkbase
method=POST
payload= event={$_raw}&myhost={$host}
# Links for other useful field actions:
#-- IP ADDRESS LINKS
#http://www.dnsstuff.com/tools/ptr.ch?ip={$ip}
#http://www.dnsstuff.com/tools/tracert.ch?ip={$ip}
#http://www.completewhois.org/cgi-bin/whois.cgi?query_type=auto&ip_whoislookup_cyberabuse=ON&ip_nameservers_hostlookup=ON&query={$ip}
#http://www.senderbase.org/search?oOrder=lastday%20desc&searchString={$ip}%2F24
#http://spamcop.net/w3m?action=checkblock&ip={$ip}
#http://www.google.com/search?q={$ip} -- sometimes useful to do a quick search on an IP address on Google
#http://groups.google.com/groups?q={$ip} -- you can search groups, blogs, whatever...
#http://spamcop.net/sc?track={$ip}
#http://clez.net/net.whois?ip={$ip}&t=ip
#http://www.melissadata.com/Lookups/iplocation.asp?ipaddress{$ip}
#-- HOST LINKS
#http://www.statsaholic.com/nagios.org?y=r&r=1y&z=10
#-- OTHER IDEAS
#windows eventID link http://www.eventid.net/display.asp?eventid=5781&source=netlogon
#IP2Location http://www.ip2location.com/demo.aspx
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6