Send syslog events
You can configure Splunk to send alerts to syslog. This is useful if you already have syslog set up to send alerts to other applications, and you want Splunk's alerts to be included.
Configuration
Write a script that calls logger (or any other program that writes to syslog). Your script can use any of the variables Splunk passes to it when the alert fires.
The variables are passed as positional arguments:
$1 - number of events returned when the search ran
$2 - search terms saved at the time the saved search was created
$3 - fully qualified query string, the way the query is run internally
$4 - saved search name
$5 - trigger reason for the alert
$6 - encoded HTTP link to the saved search results
$7 - tags saved against this saved search, if there are any
Now write an alert that calls your script. See Set Up Alerts for information on alert configuration. Configure the alert to call your script by specifying the path in the Trigger shell script field of the alert.
Example
Create the following script and make it executable:
#!/bin/sh
# Splunk passes the trigger reason as the fifth argument; quoting it keeps the
# whole reason as one syslog message even when it contains spaces or shell metacharacters.
logger "$5"
Put your script in $SPLUNK_HOME/bin/scripts.
Edit your saved search to call the script. If your script is in $SPLUNK_HOME/bin/scripts you don't have to specify the full path.
This logs the trigger reason to syslog:
Aug 15 15:01:40 localhost logger: Saved Search [j_myadmin]: The number of events(65) was greater than 10
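As an added example, not taken from the Splunk documentation, here is a fuller alert script that logs all seven fields as one structured syslog record, escaping each field so a search term or trigger reason containing quotes, newlines or shell metacharacters cannot break the record or the logger command line. The splunk-alert tag and the 100-event warning threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a Splunk 3.x alert script that logs every alert field to
# syslog as one structured record. Splunk invokes it with the seven
# positional arguments listed above: $1 count, $2 search terms, $3 query,
# $4 saved search name, $5 trigger reason, $6 results link, $7 tags.

# Flatten newlines and escape backslashes and double quotes so a field taken
# from the search itself cannot break the key="value" layout or split the
# record across several syslog lines.
esc() {
    printf '%s' "$1" | tr '\n\r' '  ' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the message; this line is what a syslog collector or SIEM will parse.
format_alert() {
    printf 'splunk_alert name="%s" count=%s reason="%s" terms="%s" tags="%s" link="%s"' \
        "$(esc "$4")" "$(esc "$1")" "$(esc "$5")" "$(esc "$2")" "$(esc "$7")" "$(esc "$6")"
}

# Map the event count to a syslog priority. The threshold of 100 is a
# constructed value for this example, not a Splunk default.
alert_severity() {
    case "$1" in
        ''|*[!0-9]*) echo "user.notice" ;;          # missing or non-numeric count
        *) [ "$1" -gt 100 ] && echo "user.warning" || echo "user.notice" ;;
    esac
}

# Only call logger when Splunk actually passed the alert fields: with no
# message argument logger reads stdin and the script would hang.
if [ "$#" -ge 5 ] && command -v logger >/dev/null 2>&1; then
    logger -t splunk-alert -p "$(alert_severity "$1")" -- "$(format_alert "$@")"
fi
```

Install it in $SPLUNK_HOME/bin/scripts, make it executable and name it in the alert's Trigger shell script field, exactly as for the one-line script above.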
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
