Splunk® IT Service Intelligence

Administration Manual

Acrobat logo Download manual as PDF


Splunk IT Service Intelligence version 4.4.x will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
Acrobat logo Download topic as PDF

alert_actions.conf

The following are the spec and example files for alert_actions.conf.

alert_actions.conf.spec

# This file contains possible attributes and values for generating ITSI 
# notable events and configuring episode actions.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an alert_actions.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each .conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

ttl = <integer> [p]
* The minimum time to live (TTL), in seconds, of the search artifacts
  if this action is triggered.
* If p follows the integer, then the integer is the number of scheduled periods.
* Default: 600 (10 minutes)

maxtime = <integer> [m|s|h|d]
* The maximum amount of time that the execution of an action is allowed to
  take before the action is aborted.
* Use the d, h, m and s suffixes to define the period of time:
  d = day, h = hour, m = minute and s = second.
  For example: 5d means 5 days.
* If you do not include a suffix, the time defaults to seconds. 
* Default: 600 (10 minutes)

maxresults = <integer>
* The maximum number of search results sent via the alert.
* Default: 10000

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert
  actions framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI. 
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives
  the configuration via STDIN.
* Default: json

[itsi_event_generator]

* Generate notable events under this stanza name.
* ITSI sends notable events to the ITSI summary index.
* Follow this stanza name with any number of the following
  attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will
  use the default value.

param.http_token_name = <string>
* The HTTP token name.
* Optional.
* If you do not provide a token name, ITSI obtains one
  token using the index and sourcetype parameters below.

param.index = <string>
* The index name. 
* This setting is required if you do not provide an HTTP
  token for the 'param.http_token_name' setting.
* Default: itsi_tracked_alerts

param.sourcetype = <string>
* The sourcetype. 
* This setting is used if you do not provide an HTTP
  token for the 'param.http_token_name' setting.
* Default: itsi_notable:event

param.event_identifier_fields = <comma-separated list>
* A list of fields that are used to identify event duplication.
* Default: source

param.search_type = <string>
* The search type. 
* Default: custom

param.is_use_event_time = <boolean>
* If "1", ITSI uses the actual event time.
* If "0", ITSI uses the time the event was indexed.
* Default: 0

param.event_field_max_length = <integer>
* The maximum field length. 
* Default: 10000

[itsi_sample_event_action_ping]

* Ping a host in one or more ITSI episodes under this stanza name.
* Follow this stanza name with any number of the following
  attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will
  use the default value.

param.host_to_ping = <string>
* The field from the episode representing the host to ping.
* If your event contains the field 'server', set to '%server%'.
* When ITSI executes the alert action, it extracts the value corresponding
  to the token value from event data and tries to ping it.
* If you set a value that does not begin and end with '%', ITSI
  considers this to be the value to ping. No extractions are done in this case.
* Default: %orig_host%

[itsi_event_action_link_ticket]

* Set options to associate an episode with a ticket from an
  external ticketing system under this stanza name.
* Follow this stanza name with any number of the following
  attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will
  use the default value.

param.ticket_system = <string>
* The name of the external ticketing system.
* This setting is required to create/update/delete a ticket.
* There is no default.
 
param.ticket_id = <string>
* The ID of the specific ticket to link to.
* This setting is required to create/update/delete a ticket.
* There is no default.
 
param.ticket_url = <string>
* The drilldown link to the ticket in the external ticketing system.
* This setting is required to create/update a ticket.
* There is no default.

param.operation = <upsert|delete>
* Specifies the type of action to take on the ticket.
* If "upsert", ITSI inserts or updates existing fields.
* If "delete", ITSI deletes the ticket.
* There is no default.

param.kwargs = <dict>
* A dictionary of additional fields to pass to the ticket. 
* Optional.
* There is no default.

[itsi_event_action_send_to_phantom]

* Set options to send an episode to Phantom under this stanza name.
* Follow this stanza name with any number of the following
  attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will
  use the default value.

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert
  actions framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI. 
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives
  the configuration via STDIN.
* Default: json

alert_actions.conf.example

No example
Last modified on 03 December, 2019
PREVIOUS
List of ITSI configuration files 		  NEXT
app_common_flags.conf

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters