This documentation does not apply to the most recent version of ITSI.

alert_actions.conf
The following are the spec and example files for alert_actions.conf.
alert_actions.conf.spec
# This file contains possible attributes and values for generating ITSI
# notable events, configuring episode actions, and executing
# post-search processing actions.
#
# There is an alert_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place an alert_actions.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top
#   of the file.
# * Each .conf file should have at most one default stanza. If there are
#   multiple default stanzas, attributes are combined. In the case of
#   multiple definitions of the same attribute, the last definition in the
#   file wins.
# * If an attribute is defined at both the global level and in a specific
#   stanza, the value in the specific stanza takes precedence.

ttl = <integer> [p]
* The minimum time to live (TTL), in seconds, of the search artifacts if this
  action is triggered.
* If p follows the integer, then the integer is the number of scheduled periods.
* Default: 600 (10 minutes)

maxtime = <integer> [m|s|h|d]
* The maximum amount of time that the execution of an action is allowed to
  take before the action is aborted.
* Use the d, h, m and s suffixes to define the period of time: d = day,
  h = hour, m = minute and s = second. For example: 5d means 5 days.
* If you do not include a suffix, the time defaults to seconds.
* Default: 600 (10 minutes)

maxresults = <integer>
* The maximum number of search results sent via the alert.
* Default: 10000

is_custom = <boolean>
* Specifies whether the alert action is based on the custom alert actions
  framework and is supposed to be listed in the search UI.
* Default: 1

label = <string>
* Defines the label shown in the UI.
* If not specified, the stanza name is used instead.

description = <string>
* Defines the description shown in the UI.

payload_format = [xml|json]
* The format in which the alert script receives the configuration via STDIN.
* Default: json
[itsi_event_generator]
* Generate notable events under this stanza name.
* ITSI sends notable events to the ITSI summary index.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.http_token_name = <string>
* The HTTP token name.
* Optional.
* If you do not provide a token name, ITSI obtains one token using the index
  and sourcetype parameters below.

param.index = <string>
* The index name.
* This setting is required if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_tracked_alerts

param.sourcetype = <string>
* The sourcetype.
* This setting is used if you do not provide an HTTP token for the
  'param.http_token_name' setting.
* Default: itsi_notable:event

param.event_identifier_fields = <comma-separated list>
* A list of fields that are used to identify event duplication.
* Default: source

param.search_type = <string>
* The search type.
* Default: custom

param.is_use_event_time = <boolean>
* If "1", ITSI uses the actual event time.
* If "0", ITSI uses the time the event was indexed.
* Default: 0

param.event_field_max_length = <integer>
* The maximum field length.
* Default: 10000
[itsi_sample_event_action_ping]
* Ping a host in one or more ITSI episodes under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.host_to_ping = <string>
* The field from the episode representing the host to ping.
* If your event contains the field 'server', set to '%server%'.
* When ITSI executes the alert action, it extracts the value corresponding to
  the token value from event data and tries to ping it.
* If you set a value that does not begin and end with '%', ITSI considers this
  to be the value to ping. No extractions are done in this case.
* Default: %orig_host%
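The token rule for param.host_to_ping above, as an added Python example (not ITSI's own implementation): a value wrapped in '%' is looked up in the episode event, anything else is used literally. The is_safe_target check, which accepts only an IP literal or a plain hostname before the value is placed in a shell-free argv for ping, is an assumption added here and is not described by the spec.

```python
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def resolve_host_to_ping(setting, event):
    """Apply the param.host_to_ping rules from the spec.

    A value that begins and ends with '%' (e.g. '%server%') names an event
    field whose value is the host; any other value is used literally, with
    no extraction. Returns None when the named field is absent from the event.
    """
    if len(setting) >= 2 and setting.startswith("%") and setting.endswith("%"):
        return event.get(setting[1:-1])
    return setting


def is_safe_target(value):
    """Accept only an IP literal or a plain hostname (an assumption added in
    this example, not a rule from the spec); anything else is rejected."""
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(setting, event, count=1):
    """Resolve the host and return an argv list for subprocess.run (no shell);
    raises ValueError rather than handing an unvalidated value to ping."""
    target = resolve_host_to_ping(setting, event)
    if not is_safe_target(target):
        raise ValueError("refusing to ping %r" % (target,))
    return ["ping", "-c", str(count), target]


if __name__ == "__main__":
    # Constructed sample episode event, not real ITSI data.
    sample = {"orig_host": "web01.example.com", "server": "10.0.0.7"}
    print(build_ping_argv("%orig_host%", sample))  # the default setting
    print(build_ping_argv("%server%", sample))
    print(build_ping_argv("10.0.0.8", sample))     # literal, no extraction
```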
[itsi_event_action_link_ticket]
* Set options to associate an episode with a ticket from an external ticketing
  system under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.ticket_system = <string>
* The name of the external ticketing system.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_id = <string>
* The ID of the specific ticket to link to.
* This setting is required to create/update/delete a ticket.
* There is no default.

param.ticket_url = <string>
* The drilldown link to the ticket in the external ticketing system.
* This setting is required to create/update a ticket.
* There is no default.

param.operation = <upsert|delete>
* Specifies the type of action to take on the ticket.
* If "upsert", ITSI inserts or updates existing fields.
* If "delete", ITSI deletes the ticket.
* There is no default.

param.kwargs = <dict>
* A dictionary of additional fields to pass to the ticket.
* Optional.
* There is no default.
[itsi_event_action_link_url]
* Set options to associate an episode with an external URL.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the
  default value.

param.url = <string>
* A URL to an external document or incident.

param.url_description = <string>
* The label or description of the document to link to.
* This setting is required to create/update/delete a URL.
* There is no default.

param.operation = <upsert|delete>
* Specifies the type of action to take on the URL.
* If "upsert", ITSI inserts or updates existing fields.
* If "delete", ITSI deletes the URL.
* There is no default.

param.kwargs = <dict>
* A dictionary of additional fields to pass to the URL.
* Optional.
* There is no default.
[itsi_event_action_snow_wrapper]
param.account = <list>
* The name of the account in which the incident is created.
* Required.

param.state = <string>
* The state of the incident.
* Optional.

param.configuration_item = <string>
* Configuration item.
* Optional.

param.contact_type = <string>
* The method by which the incident was reported.
* Optional.

param.assignment_group = <string>
* The name of the assignment group associated with the incident.
* Optional.

param.category = <string>
* The category of the incident.
* Required.

param.subcategory = <string>
* The subcategory of the incident.
* Optional.

param.impact = <number>
* The impact value of the incident.
* Optional.

param.urgency = <number>
* The urgency of the incident.
* Optional.

param.priority = <number>
* The priority of the incident, determined by the impact and urgency values.
* Optional.

param.short_description = <string>
* A brief description of the ITSI episode.
* Required.

param.correlation_id = <string>
* A brief description of the ServiceNow incident.
* Optional.

param.splunk_url = <link>
* An external drilldown link from the ServiceNow incident.
* You can use this setting to link back to the corresponding episode in ITSI.
* Optional.

param.custom_fields = <string>
* Custom fields.
* Optional.
[itsi_import_objects]
* Import entity and service object data under this stanza name.

param.backfill_enabled = <boolean>
* Whether to enable backfill on all KPIs in linked service templates.
* Optional.
* Default: 0

param.entity_description_fields = <string>
* A list of fields that represents the description of an entity.
* Optional.

param.entity_field_mapping = <string>
* A key-value mapping of fields to re-map to other fields in the data.
* Follows a <field> = <Splunk search field> format.
* For example, ip1 = dest, ip2 = dest, storage_type = volume
* Use this setting to rename a field or column to an alias or info value.
* Optional.

param.entity_identifier_fields = <string>
* A list of fields that represent identifier data of an entity.
* Optional.

param.entity_informational_fields = <string>
* A list of fields that represent the informational data of an entity.
* Optional.

param.entity_merge_field = <string>
* The field that should be used when resolving conflicts between entities.
* Optional.

param.entity_title_field = <string>
* The field that represents the title of an entity.
* Optional.

param.entity_type_field = <string>
* The field that matches the title for the entity type that is associated
  with an entity.
* Optional.

param.service_dependents_fields = <string>
* A list of fields that indicate service dependencies.
* Optional.

param.service_description_fields = <string>
* A list of fields that represents the description of a service.
* Optional.

param.service_tags_field = <string>
* A list of fields that represents one or more tags to be added to a service.
* Optional.

param.service_enabled = <boolean>
* Whether or not imported services should be enabled.
* Optional.
* Default: 0

param.service_team = <string>
* The ITSI team that the imported services belong to.
* Optional.
* Default: default_itsi_security_group

param.service_templates_config = <string>
* A dictionary of key-value pairs that maps entity rules to service templates.
* Optional.

param.service_template_field = <string>
* Determines which service template a service is linked to.
* Optional.

param.service_title_field = <string>
* The field that represents the title of a service.
* Optional.

param.update_type = <string>
* The update/insertion method when uploading entities.
* APPEND: ITSI makes no attempt to identify commonalities between entities.
  All information is appended to the table.
* UPSERT: ITSI appends new entries. Existing entries (based on the value
  found in the title_field) have additional information appended
  to the existing record.
* REPLACE: ITSI appends new entries. Existing entries (based on the value
  found in the title_field) are replaced by the new record value.
* Optional.
* Default: UPSERT
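The three param.update_type modes above, worked through in an added Python illustration that is not ITSI's own code: rows are matched on the title field, APPEND never matches, UPSERT keeps the existing record and adds the incoming fields, REPLACE swaps the record out. That an incoming field overwrites the same field on UPSERT is an assumption made here; the spec only says additional information is appended.

```python
def import_entities(existing, incoming, title_field, update_type="UPSERT"):
    """Apply param.update_type to a batch of entity rows.

    existing and incoming are lists of dicts; title_field names the column
    that identifies an entity. Returns a new list and never mutates inputs.
    """
    mode = update_type.upper()
    if mode == "APPEND":
        # No attempt to match entities: every incoming row becomes a new record.
        return [dict(r) for r in existing] + [dict(r) for r in incoming]
    if mode not in ("UPSERT", "REPLACE"):
        raise ValueError("unknown update_type: %r" % (update_type,))

    result = [dict(r) for r in existing]
    # Position of each known title; a later duplicate wins, mirroring the
    # spec's "based on the value found in the title_field" matching.
    index = {r.get(title_field): i for i, r in enumerate(result)}
    for row in incoming:
        title = row.get(title_field)
        if title not in index:
            # Both UPSERT and REPLACE append entries that are not yet known.
            index[title] = len(result)
            result.append(dict(row))
        elif mode == "UPSERT":
            # Keep the existing record and add the incoming fields on top
            # (assumption: an incoming field overwrites the same existing one).
            merged = dict(result[index[title]])
            merged.update(row)
            result[index[title]] = merged
        else:
            # REPLACE: the existing record is replaced by the new record value.
            result[index[title]] = dict(row)
    return result


if __name__ == "__main__":
    # Constructed sample rows, not data from a real ITSI import.
    existing = [{"title": "web01", "ip": "10.0.0.1", "os": "linux"}]
    incoming = [{"title": "web01", "ip": "10.0.0.2", "role": "web"},
                {"title": "db01", "ip": "10.0.0.9"}]
    for mode in ("APPEND", "UPSERT", "REPLACE"):
        print(mode, import_entities(existing, incoming, "title", mode))
```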
alert_actions.conf.example
No example
Last modified on 14 April, 2020
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only