Construct custom log events to index and search metadata. Log events are sent to your Splunk deployment for indexing. As with other alert actions, log events can be used alone or in addition to other alert actions for a given alert.
Using the log event alert action requires the
edit_tcp capability for users without the
Tokens for log events
When you set up a log event alert action, populate event fields with plain text or tokens representing search, job, or server metadata. You can also use tokens to access the first search results set.
Tokens available for email notifications are also available for log events. For more information on using tokens with alert actions, see Use tokens in email notifications in this manual.
Set up a log event alert action
Here are the steps for setting up a custom log event alert action after building a query.
To review token usage, see Use tokens in email notifications in this manual.
- You can configure the log event action when ceating a new alert or editing an existing alert's actions. Follow one of the options below.
Option Steps Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed. Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
- From the Add Actions menu, select Log event.
- Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
- Event text
- Source and sourcetype
- Destination index for the log event. The
mainindex is the default destination. You can specify a different existing index.
- Click Save.
The following steps are the same for saving new alerts or editing existing alerts.
Use a webhook alert action
Monitor triggered alerts
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0