Admin Manual


Field actions

Enable interactions between your indexed fields and other web resources via field_actions.conf. For example, enable a reverse lookup of an IP address. Edit field_actions.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

NOTE: You must both restart your Splunk server and clear your browser's cache before any changes take place. Some versions of Firefox may not clear the cache completely when instructed, so you may have to completely restart your browser to see your changes.


Configuration

Add a stanza to specify which host, uri and label to use for your custom field action. Once this is enabled, your label is added to the drop-down menu next to the field specified by the metaKeys attribute. If two or more metaKeys are specified, the label appears instead in the drop-down menu under the timestamp. Other attribute/value pairs are available for stanzas in field_actions.conf.

Show source is a type of field action. If the host or source fields are not present then Show source is not available from the drop-down menu next to the timestamp. If your field action does not appear, ensure the correct fields are visible by selecting them from the Fields menu.


Example

[googleExample]
metaKeys=clientip
uri=http://google.com/search?q={$clientip}
label=Google this ip
method=GET

This example enables you to look up the clientip field via Google. Once you have set up the clientip field through the Fields drop-down menu, you can select the new Google this IP link from the drop-down next to the clientip field.

[Image: fieldactions-googlethis.jpg]

[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | filter ruser={$ruser} rhost={$rhost}
label=Search for other break in attempts by this user
alwaysReplace=true

This example enables you to run another search for authentication failures on the ruser and rhost fields.
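To make the stanza format and the metaKeys rules above concrete, here is an added example (not Splunk code and not part of this manual) that parses the two stanzas shown on this page, decides where each label would be placed (next to the field for one metaKey, under the timestamp for two or more), and renders the uri or term for a given event by substituting the {$field} placeholders. The event fields, the minimal INI parser, and the percent-encoding of values placed into a uri are this example's own assumptions: the encoding is there so that a field value containing characters such as & or # cannot alter the URL that a user is sent to, and an action whose metaKeys are missing from the event is reported as unavailable, mirroring the Show source behaviour described above.

```python
"""Illustrative field_actions.conf renderer. Added example; not Splunk's code."""
import re
from urllib.parse import quote

# Constructed sample: the two stanzas from this page, verbatim.
SAMPLE_CONF = """
[googleExample]
metaKeys=clientip
uri=http://google.com/search?q={$clientip}
label=Google this ip
method=GET

[some_custom_search]
metaKeys = ruser,rhost
term=authentication failure | filter ruser={$ruser} rhost={$rhost}
label=Search for other break in attempts by this user
alwaysReplace=true
"""

PLACEHOLDER = re.compile(r"\{\$(\w+)\}")   # matches {$fieldname}


def parse_field_actions(text):
    """Parse INI-style stanzas into {stanza_name: {attribute: value}}.

    Minimal parser (an assumption of this example): blank lines and lines
    starting with '#' are skipped; attribute names keep their case.
    """
    actions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            actions[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            actions[current][key.strip()] = value.strip()
    return actions


def meta_keys(action):
    """The comma-separated metaKeys of a stanza as a list of field names."""
    return [k.strip() for k in action.get("metaKeys", "").split(",") if k.strip()]


def placement(action):
    """Where the label shows up, as the page describes: next to the field for a
    single metaKey, under the timestamp when two or more are listed."""
    return "field" if len(meta_keys(action)) == 1 else "timestamp"


def render(action, event):
    """Substitute {$field} placeholders with the event's field values.

    Returns None when any metaKey is absent from the event, i.e. the action is
    unavailable for that event. Values substituted into a 'uri' are
    percent-encoded (this example's choice) so a value like 'a&b' cannot add
    or change query parameters of the target URL; 'term' values are inserted
    as-is because they feed a search string, not a URL.
    """
    if any(k not in event for k in meta_keys(action)):
        return None
    if "uri" in action:
        template, encode = action["uri"], lambda v: quote(str(v), safe="")
    else:
        template, encode = action["term"], str

    def substitute(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"placeholder {name} is not a field of the event")
        return encode(event[name])

    return PLACEHOLDER.sub(substitute, template)


def available_actions(actions, event):
    """Label, placement and rendered target of every action usable on the event."""
    result = {}
    for name, action in actions.items():
        target = render(action, event)
        if target is not None:
            result[name] = (action["label"], placement(action), target)
    return result


if __name__ == "__main__":
    conf = parse_field_actions(SAMPLE_CONF)
    # Constructed event: carries all three fields, so both actions apply.
    event = {"clientip": "10.0.0.5", "ruser": "root", "rhost": "203.0.113.9"}
    for name, (label, where, target) in available_actions(conf, event).items():
        print(f"{name}: [{label}] shown at {where} -> {target}")
```

Running the block prints one line per action; drop a field from the constructed event (for example rhost) and the two-metaKey search action disappears from the list, while the single-metaKey Google action still renders next to clientip.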

Learn more about field_actions.conf, including which other attribute/value pairs are available.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14