Admin Manual

Field actions


Enable interactions between your indexed fields and other web resources via field_actions.conf. For example, enable a reverse lookup of an IP address. Edit field_actions.conf in $SPLUNK_HOME/etc/bundles/local/ and add a stanza that specifies the host, uri, and label to use for your custom field action. Once the action is enabled, its label is added to the drop-down menu next to each field named by the metaKeys attribute. Other attribute/value pairs are available for stanzas in field_actions.conf.


The "Show source" option is itself a field action, so it behaves the same way: if the host or source fields are not present, "Show source" is not offered in the pop-up menu next to the timestamp. Likewise, if your custom field action does not appear, make sure the fields it depends on are visible by selecting them from the Fields menu.


NOTE: You must both restart your Splunk server and clear your browser's cache before any changes take effect.


Configuration

[googleExample]
metaKeys=clientip
uri=http://google.com/search?q={$clientip}
label=Google this ip
method=GET

This example lets you look up the value of the clientip field via Google. Once you have made the clientip field visible through the Fields drop-down menu, the new "Google this ip" link appears in the drop-down next to the clientip field.


[Figure: the field drop-down showing the "Google this ip" action (fieldactions-googlethis.jpg)]


[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | filter ruser={$ruser} rhost={$rhost}
label=Search for other break in attempts by this user
alwaysReplace=true

This example lets you run a second search for authentication failures that match the selected event's ruser and rhost values. Because the stanza sets term rather than uri, the action runs a Splunk search instead of opening an external web resource.
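To show how the two stanzas above are consumed, here is an added example (not Splunk's own code) that parses field_actions.conf stanzas, decides which labels the drop-down would offer given the visible fields, and fills the {$field} tokens in a uri or term from an event. The stanza text is copied from this page; the event values, the function names, and the rule that uri values are percent-encoded while term values are inserted raw are the example's own assumptions.

```python
import re
import configparser
from urllib.parse import quote

# Constructed sample: the two stanzas shown on this page, in field_actions.conf form.
SAMPLE_CONF = """
[googleExample]
metaKeys=clientip
uri=http://google.com/search?q={$clientip}
label=Google this ip
method=GET

[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | filter ruser={$ruser} rhost={$rhost}
label=Search for other break in attempts by this user
alwaysReplace=true
"""

TOKEN = re.compile(r"\{\$(\w+)\}")  # matches {$clientip}, {$ruser}, ...

def load_field_actions(text):
    """Parse the stanzas into dicts; metaKeys becomes a list of field names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute names such as metaKeys case-sensitive
    cp.read_string(text)
    actions = {}
    for name in cp.sections():
        stanza = dict(cp[name])
        stanza["metaKeys"] = [k.strip() for k in stanza["metaKeys"].split(",")]
        actions[name] = stanza
    return actions

def menu_labels(actions, visible_fields):
    """Labels the drop-down would offer: an action needs every metaKeys field visible."""
    return [s["label"] for s in actions.values()
            if set(s["metaKeys"]) <= set(visible_fields)]

def render(stanza, event):
    """Fill {$field} tokens from the event. Values placed in a uri are
    percent-encoded (assumed here) so that characters such as & or # in a
    field value cannot alter the query string; a term is a search and is left raw."""
    template = stanza.get("uri") or stanza["term"]
    encode = "uri" in stanza
    def sub(m):
        value = str(event[m.group(1)])
        return quote(value, safe="") if encode else value
    return TOKEN.sub(sub, template)
```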


Learn more about field_actions.conf, including which other attribute/value pairs are available.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

