alert_actions.conf


alert_actions.conf

The following are the spec and example files for alert_actions.conf.

alert_actions.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5
#
# This file contains possible attributes and values for configuring global saved search actions
# in alert_actions.conf.  Saved searches are configured in savedsearches.conf.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an alert_actions.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see 
# alert_actions.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

################################################################################
# Global options: these settings do not need to be prefaced by a stanza name
# If you do not specify an entry for each attribute, Splunk will use the default value.
################################################################################

maxresults = <int>
	* Set the global maximum number of search results sent via alerts.
	* Defaults to 100.

hostname = <string>
	* Set the hostname that is displayed in the link sent in alerts.
	* This is useful when the machine sending the alerts does not have an FQDN.
	* Defaults to current hostname (set in Splunk) or localhost (if none is set).

ttl     = <int>[p]
 * optional argument specifying the minimum ttl in seconds (or, if p follows the number, the number
 * of scheduled periods) of the search artifacts if this action is triggered.
 * If no actions are triggered, the artifacts will have their ttl determined by dispatch.ttl (in savedsearches.conf)
 * Defaults to 10p 
 * Defaults to 86400 (24 hours)   for: email, rss
 * Defaults to   600 (10 minutes) for: script 
 * Defaults to   120 (2 minutes)  for: summary_index, populate_lookup 
 
maxtime = <int>[mshd]
 * the maximum amount of time an action is allowed to run before it is aborted
 * Defaults to 5m
 * Defaults to 1m for: rss

################################################################################
# EMAIL: these settings are prefaced by the [email] stanza name
################################################################################

[email]
	* Set email notification options under this stanza name.
	* Follow this stanza name with any number of the following attribute/value pairs.  
	* If you do not specify an entry for each attribute, Splunk will use the default value.
	
from = <string>
     * Email address from which the alert originates.
     * Defaults to splunk@$LOCALHOST.

subject = <string>
     * Specify an alternate email subject.
     * Defaults to SplunkAlert-<savedsearchname>.  

format = <string>
     * Specify the format of text in the email.
     * Possible values: plain, html, raw and csv.
     * This value will also apply to any attachments. 

sendresults = <bool>
     * Specify whether to include the search results in the email. The results can be attached or inlined; see the inline attribute (action.email.inline).
     * Defaults to false.
     
inline = <true | false>
	* Specify whether the search results are contained in the body of the alert email.
	* Defaults to false.

mailserver = <string>
	* The SMTP mail server to use when sending emails.
	* Defaults to $LOCALHOST.

reportServerURL = <url>
    * The URL of the PDF report server, if one is set up and available on the network
    * For a default locally installed report server, the url would be http://localhost:8091/
    * Defaults to false

reportPaperSize = <string>
    * Default paper size for PDFs
    * Can be one of letter, legal, ledger, a2, a3, a4, a5
    * Defaults to letter

reportPaperOrientation = <string>
    * Paper orientation: portrait or landscape
    * Defaults to portrait

preprocess_results = <search-string>
    * A search string used to preprocess results before emailing them. Usually the preprocessing
    * consists of filtering out unwanted internal fields.
    * Defaults to empty string
	
################################################################################
# RSS: these settings are prefaced by the [rss] stanza
################################################################################

[rss]
	* Set rss notification options under this stanza name.
	* Follow this stanza name with any number of the following attribute/value pairs.  
	* If you do not specify an entry for each attribute, Splunk will use the default value.

items_count = <number>
     * Number of saved RSS feeds.
     * Cannot be more than maxresults (in [email] stanza).
     * Defaults to 30.

################################################################################
# script:
################################################################################
[script]	
command = <string>
	* command template to be realized with information from the saved search that
	* triggered the script action.

	
################################################################################
# summary_index: these settings are prefaced by the [summary_index] stanza
################################################################################
[summary_index]
command = <string>
        * command template to be realized with information from the saved search that
        * triggered the summary indexing action.

	
################################################################################
# populate_lookup: these settings are prefaced by the [populate_lookup] stanza
################################################################################
[populate_lookup]
command = <string>
	* command template to be realized with information from the saved search that
	* triggered the populate lookup action.
	

alert_actions.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5
#
# This is an example alert_actions.conf.  Use this file to configure alert actions for saved searches.
#
# To use one or more of these configurations, copy the configuration block into alert_actions.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[email]
# Email alert action.  Attribute defaults for this stanza are listed in alert_actions.conf.spec.

# keep the search artifacts around for 24 hours (value in seconds; 86400 is also the spec default for email)
ttl = 86400

# if no @ is found in the address the hostname of the current machine is appended
from = splunk

# $name$ will be substituted from the scheduled search
subject = Splunk Alert: $name$.

# one of plain, html, raw, csv; the spec says this also applies to attachments
format = html

# PDF report server used by the sendpdf option; http://localhost:8091/ is the spec's default for a local install.
# Plain http, so only suitable when the report server is on this host or a trusted network.
reportServerURL = http://localhost:8091/

# false: when results are sent they are attached instead of placed in the message body
inline = false

# search results go out with the email; the recipients in action.email.to will see the raw result rows,
# so check that they are cleared to see the data those searches return
sendresults = true

# hostname shown in the result links inside the alert email; it must be one the recipients can resolve
hostname = CanAccessFromTheWorld.com

# command template; the $...$ tokens are realized from the saved search and its action.email.* settings
# (the {default=...} values apply when the corresponding action.email.* key is unset)
command = sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$maxinputs{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
# validation rule: rejects a non-boolean value for action.email.sendresults with the quoted message
_validate-1 = action.email.sendresults, validate( is_bool('action.email.sendresults'), "Value of argument 'action.email.sendresults' must be a boolean")


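[rss]
# RSS alert action.  Attribute defaults for this stanza are listed in alert_actions.conf.spec.

# at most 30 items in the feed (the spec says this must not exceed maxresults)
# spacing normalized to "key = value" to match the rest of this file
items_count = 30

# keep the search artifacts around for 24 hours (value in seconds; 86400 is also the spec default for rss)
ttl = 86400

# command template; the $...$ tokens are realized from the saved search.
# "count=30" appears to duplicate items_count above -- keep the two values in step when changing either.
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"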

[summary_index]
# Summary indexing alert action.  Attribute defaults for this stanza are listed in alert_actions.conf.spec.

# don't need the artifacts anytime after they're in the summary index (seconds; 120 is also the spec default)
ttl = 120

# make sure the following keys are not added to marker (command, ttl, maxresults, _*)
# action.summary_index._name (the target index) is marked required=yes; the stash file name is built from
# the saved search name plus a random token; key_regex below is what excludes the keys named above from marker
command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 View the Article History for its revisions.

