Documentation > Splunk > Admin Manual > alert_actions.conf

Admin Manual

 


About the Splunk Admin Manual
How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Alerts
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

alert_actions.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

alert_actions.conf

Alert_actions.conf controls parameters for available alerting actions for scheduled searches.

alert_actions.conf.spec 

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file contains possible attributes and values for configuring global saved search actions and 
# in alert_actions.conf.  Saved searches are configured in savedsearches.conf.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an alert_actions.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see 
# alert_actions.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
################################################################################
# Global options: these settings do not need to be prefaced by a stanza name
# If you do not specify an entry for each attribute, Splunk will use the default value.
################################################################################
maxresults = <int>
        * Set the global maximum number of search results sent via alerts.
        * Defaults to 100.
hostname = <string>
        * Set the hostname that is displayed in the link sent in alerts.
        * This is useful when the machine sending the alerts does not have a FQDN. 
        * Defaults to current hostname (set in Splunk) or localhost (if none is set).
################################################################################
# EMAIL: these settings are prefaced by the [email] stanza name
################################################################################
[email]
        * Set email notification options under this stanza name.
        * Follow this stanza name with any number of the following attribute/value pairs.  
        * If you do not specify an entry for each attribute, Splunk uses the default value.
        
from = <string>
     * Email address originating alert.
     * Defaults to splunk@$LOCALHOST.
subject = <string>
     * Specify an alternate email subject.
     * Defaults to SplunkAlert-<savedsearchname>.  
format = <string>
     * Specify the format of text in the email.
      * Possible values:  plain, html, raw and csv.    
     * This value will also apply to any attachments. 
inline = <true | false | auto>
        * Specify whether the search results are contained in the body of the alert email.
        * Defaults to false.
mailserver = <string>
        * The SMTP mail server to use when sending emails.
        * Defaults to $LOCALHOST.
################################################################################
# RSS: these settings are prefaced by the [rss] stanza
################################################################################
[rss]
        * Set rss notification options under this stanza name.
        * Follow this stanza name with any number of the following attribute/value pairs.  
        * If you do not specify an entry for each attribute, Splunk uses the default value.
items_count = <number>
     * Number of saved RSS feeds.
     * Cannot be more than maxresults (in [email] stanza).
     * Defaults to 30.
################################################################################
# summary_index: these settings are prefaced by the [summary_index] stanza
################################################################################
[summary_index]
        * Set summary index options under this stanza name.
        * Follow this stanza name with any number of the following attribute/value pairs.
        * NOTE: For best practice, set up summary indexing via Splunk Web.
        
command = <string>
        * Command that triggers the summary indexing action.
        * CAUTION: This attribute is set automatically when you configure summary indexing in Splunk Web.
                * Configure summary indexing via Splunk Web to avoid any mistakes.

alert_actions.conf.example 

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This is an example alert_actions.conf.  Use this file to configure alert actions for saved searches.
#
# To use one or more of these configurations, copy the configuration block into alert_actions.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[email]
from = <email address>
        # Set a custom from email address.
subject = <custom subject>
        # By default, the subject is SplunkAlert-<splunk-name>, but you can set a custom subject here.
format = <html, plain, csv>
        # Specify the format of the text in the email.
        # Possible values: html, plain, csv.
[rss]
items_count=30
        # Set the threshold of rss feeds.
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.3.3/Admin/Alertactionsconf"

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!