Splunk® Enterprise

Alerting Manual

Log events

Construct custom log events to index and search metadata. Log events are sent to your Splunk deployment for indexing. As with other alert actions, log events can be used alone or in addition to other alert actions for a given alert.

Authorization requirement

Using the log event alert action requires the edit_tcp capability for users without the admin role.

Tokens for log events

When you set up a log event alert action, populate event fields with plain text or tokens representing search, job, or server metadata. You can also use tokens to access the first search results set.

Tokens available for email notifications are also available for log events. For more information on using tokens with alert actions, see Use tokens in email notifications in this manual.

Set up a log event alert action

Here are the steps for setting up a custom log event alert action after building a query.

Prerequisites
To review token usage, see Use tokens in email notifications in this manual.

Steps

  1. You can configure the log event action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
    • Create a new alert: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    • Edit an existing alert: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
  2. The following steps are the same for saving new alerts or editing existing alerts.
  3. From the Add Actions menu, select Log event.
  4. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
    • Event text
    • Source and sourcetype
    • Host
    • Destination index for the log event. The main index is the default destination. You can specify a different existing index.
  5. Click Save.
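The Save step above writes the action into the alert's savedsearches.conf stanza. The following stanza is an added example, not part of this manual: the stanza name, search, index and field names are constructed for illustration, and the action.logevent.param.* key names are assumed from the savedsearches.conf specification rather than taken from this page.

```ini
# Constructed example: a scheduled detection alert that records a summary
# event through the log event alert action. Every name and value below is
# made up for illustration; the action.logevent.param.* keys are assumed
# from savedsearches.conf.spec (they are not shown on this documentation page).
[Example - failed logins by source]
search = index=auth action=failure | stats count AS failures BY src_ip, user | where failures > 20
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *
# Trigger when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# Turn on the log event alert action
action.logevent = 1
# Event text: plain text mixed with search, job and first-result-row tokens
# ($name$, $job.sid$, $trigger_time$ and $result.<field>$ as documented for
# email notifications); $result.* refers to the first row of the results
action.logevent.param.event = alert="$name$" src_ip="$result.src_ip$" user="$result.user$" failures=$result.failures$ sid="$job.sid$" fired_at="$trigger_time$"
# Source, sourcetype and host for the generated event
action.logevent.param.source = alert:failed_logins
action.logevent.param.sourcetype = alert_log
action.logevent.param.host = $server.host$
# Destination index; it must already exist, otherwise leave this out to use main
action.logevent.param.index = alerts_summary
```

Search the destination index (here index=alerts_summary sourcetype=alert_log) to confirm the event is written with the expected fields after the alert first fires.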

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0


Comments

Use edit_tcp

Ted.fenn@concanon.com
September 14, 2017
