alert_actions.conf
The following are the spec and example files for alert_actions.conf.
alert_actions.conf.spec
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2
#
# This file contains possible attributes and values for configuring global saved search actions
# in alert_actions.conf. Saved searches are configured in savedsearches.conf.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an alert_actions.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# alert_actions.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
################################################################################
# Global options: these settings do not need to be prefaced by a stanza name
# If you do not specify an entry for each attribute, Splunk will use the default value.
################################################################################
maxresults = <int>
* Set the global maximum number of search results sent via alerts.
* Defaults to 100.
hostname = <string>
* Sets the hostname used in the web link (url) sent in alerts.
* This value accepts two forms.
* hostname
examples: splunkserver, splunkserver.example.com
* protocol://hostname:port
examples: http://splunkserver:8000, https://splunkserver.example.com:443
* When this value is a simple hostname, the protocol and port which
are configured within splunk are used to construct the base of
the url.
* When this value begins with 'http://', it is used verbatim.
NOTE: This means the correct port must be specified if it is not
the default port for http or https.
* This is useful in cases when the Splunk server is not aware of
how to construct an externally referenceable url, such as SSO
environments, other proxies, or when the Splunk server hostname
is not generally resolvable.
* Defaults to current hostname provided by the operating system, or if that fails "localhost".
* When set to empty, default behavior is used.
ttl = <int>[p]
* optional argument specifying the minimum ttl in seconds of the search artifacts if this action
is triggered.
* if p follows int, int is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined by dispatch.ttl
(in savedsearches.conf)
* Defaults to 10p
* Defaults to 86400 (24 hours) for: email, rss
* Defaults to 600 (10 minutes) for: script
* Defaults to 120 (2 minutes) for: summary_index, populate_lookup
maxtime = <int>[m|s|h|d]
* This is the maximum amount of time the execution of an action should be allowed to take before the
action is aborted.
* Defaults to 5m for everything except rss.
* Defaults to 1m for rss.
track_alert = <bool>
* indicates whether the execution of this action signifies a trackable alert.
command = <string>
* The search command (or pipeline) which is responsible for executing the action.
* Generally the command is a template search pipeline which is realized with values
* from the saved search - to reference saved search field values wrap them in $, for
* example to reference the savedsearch name use $name$, to reference the search use $search$
################################################################################
# EMAIL: these settings are prefaced by the [email] stanza name
################################################################################
[email]
* Set email notification options under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the default value.
from = <string>
* Email address from which the alert originates.
* Defaults to splunk@$LOCALHOST.
to = <string>
* The 'to' email address receiving the alert.
cc = <string>
* The 'cc' email address receiving the alert.
bcc = <string>
* The 'bcc' email address receiving the alert.
subject = <string>
* Specify an alternate email subject.
* Defaults to SplunkAlert-<savedsearchname>.
format = [plain|html|raw|csv]
* Specify the format of text in the email.
* Possible values: plain, html, raw, and csv.
* This value will also apply to any attachments.
sendresults = [1|0]
* Specify whether the search results are included in the email. The results can be attached or
inline; see inline (action.email.inline).
* Defaults to false.
inline = [1|0]
* Specify whether the search results are contained in the body of the alert email.
* Defaults to false.
mailserver = <string>
* You must have an SMTP server available to send email. One is not included with Splunk.
* The SMTP mail server to use when sending emails.
* Defaults to $LOCALHOST.
use_ssl = [1|0]
* Whether to use SSL when communicating with the SMTP server
* Defaults to false
use_tls = [1|0]
* Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls)
* Defaults to false
auth_username = <string>
* The username to use when authenticating with the SMTP server. If this is an empty string, no authentication
is attempted. NOTE: your SMTP server might reject unauthenticated emails.
* Defaults to empty string
auth_password = <string>
* The password to use when authenticating with the SMTP server. Normally this value will be set
when editing the email settings; however, you can set a clear text password here and it will be
encrypted on the next Splunk restart. Until that restart, the value remains in clear text in this file.
* Defaults to empty string
sendpdf = [1|0]
* Specify whether to create and send the results as a PDF.
* Defaults to false
reportServerEnabled = [1|0]
* Specify whether the PDF server is enabled.
* Defaults to false
reportServerURL = <url>
* The URL of the PDF report server, if one is set up and available on the network.
* For a default locally installed report server, the URL is http://localhost:8091/
reportPaperSize = [letter|legal|ledger|a2|a3|a4|a5]
* Default paper size for PDFs
* Allowed values are: letter, legal, ledger, a2, a3, a4, a5
* Defaults to letter
reportPaperOrientation = [portrait|landscape]
* Paper orientation: portrait or landscape
* Defaults to portrait
preprocess_results = <search-string>
* Supply a search string to Splunk to preprocess results before emailing them.
Usually the preprocessing consists of filtering out unwanted internal fields.
* Defaults to empty string (no preprocessing)
################################################################################
# RSS: these settings are prefaced by the [rss] stanza
################################################################################
[rss]
* Set RSS notification options under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the default value.
items_count = <number>
* Number of saved RSS feeds.
* Cannot be more than maxresults (in [email] stanza).
* Defaults to 30.
################################################################################
# script:
################################################################################
[script]
################################################################################
# summary_index: these settings are prefaced by the [summary_index] stanza
################################################################################
[summary_index]
inline = <bool>
* Specifies whether the summary index search command will be run as part of
* the scheduled search or as a follow-on action. This is useful when the
* results of the scheduled search are expected to be large.
_name = <string>
* Name of the summary index to which the events are written.
################################################################################
# populate_lookup: these settings are prefaced by the [populate_lookup] stanza
################################################################################
[populate_lookup]
dest = <string>
* the name of the lookup table to populate (stanza name in transforms.conf)
or the lookup file path to where you want the data written. If a path is specified
it MUST be relative to $SPLUNK_HOME and a valid lookups dir, for example
etc/system/lookups/<file-name> or etc/apps/<app>/lookups/<file-name>
* The user executing this action MUST have write permissions to the app for this
action to work properly.
alert_actions.conf.example
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2
#
# This is an example alert_actions.conf. Use this file to configure alert actions for saved searches.
#
# To use one or more of these configurations, copy the configuration block into alert_actions.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
[email]
# keep the search artifacts around for 24 hours
ttl = 86400
# if no @ is found in the address the hostname of the current machine is appended
from = splunk
# $name$ will be substituted from the scheduled search
subject = Splunk Alert: $name$.
# per the spec, the format also applies to any attachments
format = html
# the spec gives http://localhost:8091/ as the URL of a default local report server
reportServerURL = http://localhost:8091/
inline = false
sendresults = true
# Simple-hostname form: Splunk prepends its own configured protocol and port to
# build the base of the result link ($results.url$, passed as sslink below).
# Use a host the deployment controls and that recipients can reach; nothing in
# this stanza validates the value.
hostname = CanAccessFromTheWorld.com
# mailserver, use_ssl, use_tls, auth_username and auth_password are not set in
# this stanza, so the spec defaults apply ($LOCALHOST / false / false / empty):
# the command below delivers to localhost over plain SMTP with no STARTTLS and
# no authentication. Set use_tls = 1 (or use_ssl = 1) and credentials when the
# relay supports them.
command = sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$maxinputs{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
# Validation rule: reports the quoted message when action.email.sendresults is
# not a boolean.
_validate-1 = action.email.sendresults, validate( is_bool('action.email.sendresults'), "Value of argument 'action.email.sendresults' must be a boolean")
[rss]
# at most 30 items in the feed
items_count=30
# keep the search artifacts around for 24 hours
ttl = 86400
# Feed is written to $name$.xml and links back to $results.url$. "count=30" is
# hard-coded in the command and should be kept in step with items_count above.
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
[summary_index]
# don't need the artifacts anytime after they're in the summary index
ttl = 120
# make sure the following keys are not added to marker (command, ttl, maxresults, _*)
# _name ({required=yes}) selects the target summary index; each run writes a
# .stash file named after the search plus a random suffix.
command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"
This documentation applies to the following versions of Splunk: 4.2.2