Splunk® Enterprise

Developing Views and Apps for Splunk Web


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Advanced options for working with custom alert actions

Learn how to use additional features of custom alert actions.

Invoke a custom alert action from a search

You can invoke an alert action by name using the sendalert command as part of a search. For testing purposes, you might want to invoke an alert action directly from search. You can pipe your search to sendalert and pass in parameters.

Here is the sendalert syntax.

sendalert <action-name> [options]

  • <action-name> refers to an alert action defined in either alert_actions.conf or savedsearches.conf.
  • [options] lets you pass key-value arguments whose names begin with the param. prefix, such as param.message. Each param.* argument is merged with the corresponding token from alert_actions.conf.

For more information about using this command, see sendalert in the Search Reference.

Pass search result values to alert action tokens

You can pass search result values to different alert action tokens when you use sendalert.

The following custom alert action tokens are available.

Token                    Description
$result.<fieldname>$     Any field value from the first row of the search results
$job.<property>$         Any search job property
$server.<property>$      Properties returned by the server info endpoint
$app$                    Name of the app containing the search
$cron_schedule$          Cron schedule for the alert
$description$            Search description
$name$                   Name of the search or alert
$next_scheduled_time$    The next time the scheduled search runs
$owner$                  Owner of the search
$results_link$           Link to the search results
$search$                 Actual search string
$trigger_date$           Date when the alert was triggered
$trigger_timeHMS$        Formatted time when the alert was triggered
$trigger_time$           Trigger time in Unix epoch seconds
$alert.severity$         Alert severity level
$alert.expires$          Alert expiration time

Custom alert action tokens work similarly to tokens for email notifications. To learn more, see Use tokens in email notifications.


As an example, you might want to search for login failure events. You can pass the search results and some informational text to the param.message key. The $result.<field_name>$ token is replaced with the corresponding field value from the first row of your search results.

Here is what your query would look like.

index=_internal component=UiAuth action=login status=failure | sendalert chat param.room="Security Team Room" param.message="Login failed for user: $result.user$"

In this case, user is the result field name.

If the first result row has user=admin, the value passed to the alert script looks like this.

param.message = "Login failed for user: admin"

Access alert action script logs

Developers can access logs of the alert action script using the Alert Actions manager page. Each line that your script prints to STDERR is treated as a log message. A leading prefix such as DEBUG, INFO, WARN, or ERROR is treated as the log level of that message.

To review logs for an alert action, select Settings > Alert actions. This takes you to the Alert Actions manager page. Select View log events for your alert action.

Custom alert action logging is similar to modular input logging. For more information, see Set up logging.
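The following script ties the two sections together: it consumes the param.room and param.message values from the sendalert chat example and writes prefixed log lines to STDERR as described above. It is an added example, not Splunk's own code, and it assumes (this page does not state it) that Splunk invokes the script with --execute and passes a JSON payload on stdin whose "configuration" object carries the param.* values; the sample payload is constructed.

```python
#!/usr/bin/env python3
"""Minimal custom alert action script (added example, not Splunk's own code).
Assumption not stated on this page: Splunk runs the script with --execute and
writes a JSON payload to stdin whose "configuration" object holds the param.*
values, already token-expanded (e.g. "Login failed for user: admin")."""
import json
import sys

LEVELS = ("DEBUG", "INFO", "WARN", "ERROR")

# Constructed sample payload matching the sendalert chat example above.
SAMPLE_PAYLOAD = json.dumps({"configuration": {
    "room": "Security Team Room", "message": "Login failed for user: admin"}})

def log(level, message):
    """Write one STDERR line; its leading word is shown as the log level on the
    Alert Actions manager page. Unknown levels fall back to INFO."""
    if level not in LEVELS:
        level = "INFO"
    # Fold newlines so a result value substituted into a param cannot smuggle a
    # second, differently leveled line into the alert action log.
    line = "%s %s" % (level, " ".join(str(message).splitlines()))
    sys.stderr.write(line + "\n")
    return line

def parse_payload(raw):
    """Return (room, message); raise ValueError if the payload is malformed."""
    payload = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    config = payload.get("configuration") if isinstance(payload, dict) else None
    if not isinstance(config, dict):
        raise ValueError("payload has no configuration object")
    room = str(config.get("room", "")).strip()
    message = str(config.get("message", "")).strip()
    if not room or not message:
        raise ValueError("param.room and param.message are required")
    return room, message

def run(raw):
    """Handle one invocation; True on success, False on a bad payload."""
    try:
        room, message = parse_payload(raw)
    except ValueError as exc:
        log("ERROR", "invalid payload: %s" % exc)
        return False
    log("INFO", "would post to %r: %s" % (room, message))
    return True  # a real action would call the chat service here (hypothetical)

if __name__ == "__main__":
    sys.exit(0 if "--execute" in sys.argv[1:] and run(sys.stdin.read()) else 1)
```

Because $result.<field>$ values come straight from event data, the script treats them as untrusted text: it only logs and forwards them and never hands them to a shell.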

Last modified on 01 October, 2018

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.8, 7.1.7, 7.0.0, 7.3.7, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 7.3.9, 8.0.0, 8.0.1
