Splunk® Cloud Services

SPL2 Search Reference


actions dataset function

Use the actions() function with the into command to interact with the Actions service to trigger actions, such as a webhook action or an email action.

For information about the Actions service, see Act on your data using Splunk Cloud Services on the Splunk Developer Portal.


The required syntax is in bold.


The arguments must be enclosed in parentheses ( ).

Required arguments

trigger
Syntax: <trigger>
Description: The name of a trigger that you want to invoke.
trigger_once
Syntax: <boolean>
Description: A Boolean value that specifies whether to activate the trigger once for all events in the search or once for each event. The default is false, which activates the trigger one time for all events in the search.

Optional arguments

condition
Syntax: <expression>
Description: The condition, specified as an expression, to check before activating the trigger.
Example: error=500
metadata
Syntax: <object>
Description: Additional metadata needed by the Actions service. The format of the metadata is similar to a JSON object, and uses the format {field: value}.
  • Field names that contain characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. This includes field names with spaces.
  • String values must be enclosed in double quotation marks.
Example: {locale: "en-AU", city: "Sydney"}
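
The quoting rules above matter most when the metadata object is assembled from values a search author does not control. The following Python helper is an added example, not part of the Splunk documentation or any Splunk SDK; the names build_metadata, _field and _value are hypothetical. It renders a dict as a {field: value} literal and, because this page does not define escaping inside quoted text, it rejects quotation marks, backslashes and control characters instead of trying to escape them.

```python
import re

# Field names made only of a-z, A-Z, 0-9 and underscore may appear bare;
# any other name must be wrapped in single quotation marks (rule from the page).
_BARE_NAME = re.compile(r"[A-Za-z0-9_]+")

# Assumption: the page defines no escaping inside quoted names or string
# values, so quotes, backslashes and control characters are refused outright.
_UNSAFE = re.compile(r"['\"\\\x00-\x1f]")


def _field(name):
    if not isinstance(name, str) or not name:
        raise ValueError("field name must be a non-empty string")
    if _BARE_NAME.fullmatch(name):
        return name
    if _UNSAFE.search(name):
        raise ValueError(f"unsupported character in field name: {name!r}")
    return f"'{name}'"


def _value(value):
    # Assumption: non-string values are written bare, as true and 500 are
    # elsewhere on the page. bool is tested first (it subclasses int).
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        if _UNSAFE.search(value):
            raise ValueError(f"unsupported character in string value: {value!r}")
        return f'"{value}"'
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def build_metadata(fields):
    """Render a dict as a {field: value} metadata object literal."""
    pairs = [f"{_field(k)}: {_value(v)}" for k, v in fields.items()]
    return "{" + ", ".join(pairs) + "}"


if __name__ == "__main__":
    # Constructed sample input.
    print(build_metadata({"locale": "en-AU", "data center": "syd1"}))
```

Rejecting rather than escaping keeps a value such as a user-supplied city name from closing the string early and changing the rest of the search.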


The actions() function is a sink function. Sink functions are functions that consume events from a dataset.

To use named arguments, you must specify the argument names before the argument values. For example:

...actions(trigger:mytrigger, trigger_once:true, condition:error=500, metadata:{locale: "en_AU", city: "Sydney"})


The following example uses the mytrigger trigger to fire once for every event that has 500 in the error field. The metadata passed to the Actions service includes a description and a name.

...| into actions(mytrigger, true, error=500, {locale: "en_AU", city: "Sydney"})

Last modified on 29 July, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current
