Admin Manual

 


alert_actions.conf

This documentation does not apply to the most recent version of Splunk.


The following are the spec and example files for alert_actions.conf.

alert_actions.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0
#
# This file contains the possible attributes and values for configuring global saved search actions
# in alert_actions.conf.  Saved searches themselves are configured in savedsearches.conf.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an alert_actions.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see 
# alert_actions.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

################################################################################
# Global options: these settings do not need to be prefaced by a stanza name
# If you do not specify an entry for each attribute, Splunk will use the default value.
################################################################################

maxresults = <int>
	* Set the global maximum number of search results sent via alerts.
	* Defaults to 100.

hostname = <string>
	* Set the hostname that is displayed in the link sent in alerts.
	* This is useful when the machine sending the alerts does not have a FQDN. 
	* Defaults to current hostname (set in Splunk) or localhost (if none is set).

ttl = <int>[p]
	* Optional argument specifying the minimum ttl in seconds (or, if p follows the number, the number
	* of scheduled periods) of the search artifacts if this action is triggered.
	* If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl (in savedsearches.conf).
	* Defaults to 10p.
	* Defaults to 86400 (24 hours)   for: email, rss
	* Defaults to   600 (10 minutes) for: script
	* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup
 

################################################################################
# EMAIL: these settings are prefaced by the [email] stanza name
################################################################################

[email]
	* Set email notification options under this stanza name.
	* Follow this stanza name with any number of the following attribute/value pairs.  
	* If you do not specify an entry for each attribute, Splunk will use the default value.
	
from = <string>
	* Email address originating the alert.
	* Defaults to splunk@$LOCALHOST.

subject = <string>
	* Specify an alternate email subject.
	* Defaults to SplunkAlert-<savedsearchname>.

format = <string>
	* Specify the format of text in the email.
	* Possible values: plain, html, raw and csv.
	* This value will also apply to any attachments.

inline = <true | false | auto>
	* Specify whether the search results are contained in the body of the alert email.
	* Defaults to false.

mailserver = <string>
	* The SMTP mail server to use when sending emails.
	* Defaults to $LOCALHOST.

################################################################################
# RSS: these settings are prefaced by the [rss] stanza
################################################################################

[rss]
	* Set rss notification options under this stanza name.
	* Follow this stanza name with any number of the following attribute/value pairs.  
	* If you do not specify an entry for each attribute, Splunk will use the default value.

items_count = <number>
	* Number of saved RSS feeds.
	* Cannot be more than maxresults (in [email] stanza).
	* Defaults to 30.

################################################################################
# script:
################################################################################
[script]
command = <string>
	* Command template to be realized with information from the saved search that
	* triggered the script action.

################################################################################
# summary_index: these settings are prefaced by the [summary_index] stanza
################################################################################
[summary_index]
command = <string>
	* Command template to be realized with information from the saved search that
	* triggered the summary indexing action.

################################################################################
# populate_lookup: these settings are prefaced by the [populate_lookup] stanza
################################################################################
[populate_lookup]
command = <string>
	* Command template to be realized with information from the saved search that
	* triggered the populate lookup action.
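The spec above states a handful of checkable rules: ttl takes the form <int>[p], [email] format is one of plain, html, raw or csv, inline is true, false or auto, and [rss] items_count cannot exceed maxresults. The following is an added example, not Splunk code, that parses two layers of alert_actions.conf (a system/default layer and a system/local layer, with local overriding default per key, which is the precedence the header comment refers to) and reports settings that violate those rules. The two sample files are constructed for this example; the local layer deliberately contains a misspelt format, an invalid ttl and an items_count above maxresults. Keys that appear before any stanza header are folded into a [default] stanza by the parser, which is an assumption about how global options should be grouped rather than anything the spec text states.

```python
"""Validate an alert_actions.conf against the rules given in alert_actions.conf.spec.

Added example; it is not Splunk code and uses only the standard library.
"""
import configparser
import re

# Allowed values and syntax, as written in the spec text.
FORMAT_VALUES = {"plain", "html", "raw", "csv"}
INLINE_VALUES = {"true", "false", "auto"}
TTL_RE = re.compile(r"^[0-9]+p?$")  # <int>[p]: seconds, or scheduled periods when p follows

# Constructed sample layers (not real Splunk files). The local layer carries
# three deliberate mistakes so the validator has something to report.
DEFAULT_CONF = """\
maxresults = 100
hostname = localhost
ttl = 10p

[email]
from = splunk@localhost
format = plain
inline = false
ttl = 86400

[rss]
items_count = 30
"""

LOCAL_CONF = """\
maxresults = 50
hostname = splunk.example.com

[email]
mailserver = smtp.example.com
format = htlm
inline = auto
ttl = 12h

[rss]
items_count = 75
"""


def parse_layer(text):
    """Parse one .conf layer into {stanza: {key: value}}.

    Global options precede any stanza header; this parser files them under a
    [default] stanza (an assumption made for this example) so configparser
    accepts them.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string("[default]\n" + text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Later layers win per key: system/local overrides system/default."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def validate(conf):
    """Return a list of human-readable problems found in a merged config."""
    problems = []
    glob = conf.get("default", {})

    maxresults = None
    if "maxresults" in glob:
        if glob["maxresults"].isdigit():
            maxresults = int(glob["maxresults"])
        else:
            problems.append("maxresults must be an integer")

    # ttl uses <int>[p] wherever it appears: globally and inside any action stanza.
    for stanza, keys in conf.items():
        ttl = keys.get("ttl")
        if ttl is not None and not TTL_RE.match(ttl):
            problems.append(f"[{stanza}] ttl={ttl!r} is not <int>[p]")

    email = conf.get("email", {})
    if "format" in email and email["format"] not in FORMAT_VALUES:
        problems.append(f"[email] format={email['format']!r} not in {sorted(FORMAT_VALUES)}")
    if "inline" in email and email["inline"] not in INLINE_VALUES:
        problems.append(f"[email] inline={email['inline']!r} not in {sorted(INLINE_VALUES)}")

    rss = conf.get("rss", {})
    if "items_count" in rss:
        if not rss["items_count"].isdigit():
            problems.append("[rss] items_count must be an integer")
        elif maxresults is not None and int(rss["items_count"]) > maxresults:
            problems.append(f"[rss] items_count={rss['items_count']} exceeds maxresults={maxresults}")
    return problems


def check_layers(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """Parse both layers, merge them, validate; returns (merged config, problems)."""
    merged = merge_layers(parse_layer(default_text), parse_layer(local_text))
    return merged, validate(merged)


if __name__ == "__main__":
    for problem in check_layers()[1]:
        print(problem)
```

Run against the constructed layers, check_layers() reports the invalid ttl, the misspelt format and the items_count that exceeds the overridden maxresults of 50; run with an empty local layer it reports nothing. The merge step matters for the last check: items_count is compared against the effective maxresults after the local override, not the value shipped in the default layer.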
	

alert_actions.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0
#
# This is an example alert_actions.conf.  Use this file to configure alert actions for saved searches.
#
# To use one or more of these configurations, copy the configuration block into alert_actions.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[email]
from = <email address>
	# Set a custom from email address.

subject = <custom subject>
	# By default, the subject is SplunkAlert-<splunk-name>, but you can set a custom subject here.

format = <html, plain, csv>
	# Specify the format of the text in the email.
	# Possible values: html, plain, csv.

[rss]
items_count=30
	# Set the threshold of rss feeds.

[summary_index]
command = cacher index="myindex" marker="saved_search=\"$name$\", nonce=\"$#random$\""
	# Save the results in myindex and add the given marker to each event; see summary indexing in the online
	# documentation for more information.

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

