
alert_actions.conf
The following are the spec and example files for alert_actions.conf.
alert_actions.conf.spec
# This file contains possible attributes and values for generating ITSI
# notable events and configuring episode actions.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an alert_actions.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top
#     of the file.
#   * Each .conf file should have at most one default stanza. If there are
#     multiple default stanzas, attributes are combined. In the case of
#     multiple definitions of the same attribute, the last definition in the
#     file wins.
#   * If an attribute is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.

ttl = <integer> [p]
* The minimum time to live (TTL), in seconds, of the search artifacts if this
  action is triggered.
* If p follows the integer, then the integer is the number of scheduled periods.
* Default: 600 (10 minutes)

maxtime = <integer> [m|s|h|d]
* The maximum amount of time that the execution of an action is allowed to
  take before the action is aborted.
* Use the d, h, m and s suffixes to define the period of time: d = day,
  h = hour, m = minute and s = second. For example: 5d means 5 days.
* If you do not include a suffix, the time defaults to seconds.
* Default: 600 (10 minutes)

maxresults = <integer>
* The maximum number of search results sent via the alert.
* Default: 10000

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert actions
  framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI.
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives the configuration via STDIN.
* Default: json
[itsi_event_generator]
* Generate notable events under this stanza name.
* ITSI sends notable events to the ITSI summary index.
* Follow this stanza name with any number of the following attribute/value
  pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.http_token_name = <string>
* The HTTP token name.
* Optional.
* If you do not provide a token name, ITSI obtains one token using the index
  and sourcetype parameters below.

param.index = <string>
* The index name.
* This setting is required if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_tracked_alerts

param.sourcetype = <string>
* The sourcetype.
* This setting is used if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_notable:event

param.event_identifier_fields = <comma-separated list>
* A list of fields that are used to identify event duplication.
* Default: source

param.search_type = <string>
* The search type.
* Default: custom

param.is_use_event_time = <boolean>
* If "1", ITSI uses the actual event time.
* If "0", ITSI uses the time the event was indexed.
* Default: 0

param.event_field_max_length = <integer>
* The maximum field length.
* Default: 10000
[itsi_sample_event_action_ping]
* Ping a host in one or more ITSI episodes under this stanza name.
* Follow this stanza name with any number of the following attribute/value
  pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.host_to_ping = <string>
* The field from the episode representing the host to ping.
* If your event contains the field 'server', set to '%server%'.
* When ITSI executes the alert action, it extracts the value corresponding to
  the token value from event data and tries to ping it.
* If you set a value that does not begin and end with '%', ITSI considers this
  to be the value to ping. No extractions are done in this case.
* Default: %orig_host%
[itsi_event_action_link_ticket]
* Set options to associate an episode with a ticket from an external ticketing
  system under this stanza name.
* Follow this stanza name with any number of the following attribute/value
  pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.ticket_system = <string>
* The name of the external ticketing system.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_id = <string>
* The ID of the specific ticket to link to.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_url = <string>
* The drilldown link to the ticket in the external ticketing system.
* This setting is required to create/update a ticket.
* There is no default.

param.operation = <upsert|delete>
* Specifies the type of action to take on the ticket.
* If "upsert", ITSI inserts or updates existing fields.
* If "delete", ITSI deletes the ticket.
* There is no default.

param.kwargs = <dict>
* A dictionary of additional fields to pass to the ticket.
* Optional.
* There is no default.
[itsi_event_action_send_to_phantom]
* Set options to send an episode to Phantom under this stanza name.
* Follow this stanza name with any number of the following attribute/value
  pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert actions
  framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI.
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives the configuration via STDIN.
* Default: json
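The spec above defines three small rules that are easy to get wrong in a local alert_actions.conf: the maxtime suffixes (d/h/m/s, bare integer means seconds), the ttl "p" suffix (scheduled periods rather than seconds), and the '%field%' token rule for param.host_to_ping (wrapped in '%' means extract from the event, otherwise use the literal value). The following is an added example, not Splunk's or ITSI's own code, that reads a constructed local conf fragment with Python's configparser, applies the documented defaults for [itsi_event_generator], and checks those rules before the file is deployed. The sample conf text, the event dictionary and all function names are assumptions made for the example.

```python
"""Validate an ITSI alert_actions.conf fragment against the documented rules.

Added example (not Splunk's or ITSI's own code). It reads a local
alert_actions.conf stanza with configparser, applies the documented
defaults, parses the maxtime/ttl suffixes, and resolves %token%
references the way the spec describes for param.host_to_ping.
"""
import configparser
import re

# Constructed sample of a local alert_actions.conf (values are illustrative).
SAMPLE_CONF = """
[default]
maxtime = 5m
ttl = 2p

[itsi_event_generator]
param.index = itsi_tracked_alerts
param.is_use_event_time = 1

[itsi_sample_event_action_ping]
param.host_to_ping = %server%
"""

# Suffix multipliers from the maxtime description: d = day, h = hour,
# m = minute, s = second. No suffix means seconds.
DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_maxtime(value):
    """Return maxtime in seconds; a bare integer defaults to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad maxtime: {value!r}")
    return int(m.group(1)) * DURATION_UNITS.get(m.group(2), 1)


def parse_ttl(value):
    """Return (amount, unit): unit is 'periods' if 'p' follows the integer,
    otherwise 'seconds'."""
    m = re.fullmatch(r"\s*(\d+)\s*(p?)\s*", value)
    if not m:
        raise ValueError(f"bad ttl: {value!r}")
    return int(m.group(1)), "periods" if m.group(2) else "seconds"


def resolve_token(setting, event):
    """Apply the %field% rule: a value that begins and ends with '%' names an
    event field to extract; anything else is used literally, no extraction."""
    if len(setting) >= 3 and setting.startswith("%") and setting.endswith("%"):
        field = setting[1:-1]
        if field not in event:
            raise KeyError(f"event has no field {field!r}")
        return event[field]
    return setting


def load_conf(text):
    """Parse Splunk's INI-style conf text; interpolation is disabled so that
    '%server%' is kept verbatim rather than treated as a configparser macro."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def validate_event_generator(cp):
    """Check [itsi_event_generator]: when no HTTP token name is given, the
    index must be set. The documented default is applied if the key is absent,
    but an explicitly empty value is reported as a problem."""
    name = "itsi_event_generator"
    sect = cp[name] if cp.has_section(name) else {}
    token = sect.get("param.http_token_name", "").strip()
    index = sect.get("param.index", "itsi_tracked_alerts").strip()
    problems = []
    if not token and not index:
        problems.append("param.index is required when param.http_token_name is unset")
    return {
        "token": token,
        "index": index,
        "use_event_time": sect.get("param.is_use_event_time", "0").strip() == "1",
        "problems": problems,
    }


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    print("maxtime seconds:", parse_maxtime(conf["default"]["maxtime"]))
    print("ttl:", parse_ttl(conf["default"]["ttl"]))
    # Constructed event: the ping action would extract 'server' from it.
    print("host to ping:", resolve_token(conf["itsi_sample_event_action_ping"]["param.host_to_ping"], {"server": "db01"}))
    print(validate_event_generator(conf))
```

Run it over the contents of your own $SPLUNK_HOME/etc/apps/SA-ITOA/local/alert_actions.conf by passing that text to load_conf; a non-empty "problems" list means the stanza would fall back to a configuration the spec says is not allowed.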
alert_actions.conf.example
No example