workflow_actions.conf
The following are the spec and example files for workflow_actions.conf
.
workflow_actions.conf.spec
# Version 9.0.2 # # This file contains possible attribute/value pairs for configuring workflow # actions in Splunk. # # There is a workflow_actions.conf in $SPLUNK_HOME/etc/apps/search/default/. # To set custom configurations, place a workflow_actions.conf in either # $SPLUNK_HOME/etc/system/local/ or add a workflow_actions.conf file to your # app's local/ directory. For examples, see workflow_actions.conf.example. # You must restart Splunk to enable configurations, unless editing them # through the Splunk manager. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top # of the file. # * Each conf file should have at most one default stanza. If there are # multiple default stanzas, attributes are combined. In the case of # multiple definitions of the same attribute, the last definition in the # file wins. # * If an attribute is defined at both the global level and in a specific # stanza, the value in the specific stanza takes precedence. ############################################################################ # General required settings: # These apply to all workflow action types. ############################################################################ type = <string> * The type of the workflow action. * If not set, the Splunk platform skips this workflow action. label = <string> * The label to display in the workflow action menu. * If not set, the Splunk platform skips this workflow action. ############################################################################ # General optional settings: # These settings are not required but are available for all workflow # actions. ############################################################################ fields = <comma or space separated list> * The fields required to be present on the event in order for the workflow action to be applied. * When "display_location" is set to "both" or "field_menu", the workflow action will be applied to the menu's corresponding to the specified fields. * If fields is undefined or set to *, the workflow action is applied to all field menus. * If the * character is used in a field name, it is assumed to act as a "globber". For example host* would match the fields hostname, hostip, etc. * Acceptable values are any valid field name, any field name including the * character, or * (e.g. *_ip). * Default: * eventtypes = <comma or space separated list> * The eventtypes required to be present on the event in order for the workflow action to be applied. * Acceptable values are any valid eventtype name, or any eventtype name plus the * character (e.g. host*). display_location = <string> * Dictates whether to display the workflow action in the event menu, the field menus or in both locations. * Accepts field_menu, event_menu, or both. * Default: both. disabled = [True | False] * Dictates whether the workflow action is currently disabled * Default: False
Using field names to insert values into workflow action settings
# Several settings detailed below allow for the substitution of field values # using a special variable syntax, where the field's name is enclosed in # dollar signs. For example, $_raw$, $hostip$, etc. # # The settings, label, link.uri, link.postargs, and search.search_string all # accept the value of any valid field to be substituted into the final # string. # # For example, you might construct a Google search using an error message # field called error_msg like so: # link.uri = http://www.google.com/search?q=$error_msg$. # # Some special variables exist to make constructing the settings simpler. $@field_name$ * Allows for the name of the current field being clicked on to be used in a field action. * Useful when constructing searches or links that apply to all fields. * NOT AVAILABLE FOR EVENT MENUS $@field_value$ * Allows for the value of the current field being clicked on to be used in a field action. * Useful when constructing searches or links that apply to all fields. * NOT AVAILABLE FOR EVENT MENUS $@sid$ * The sid of the current search job. $@offset$ * The offset of the event being clicked on in the list of search events. $@namespace$ * The name of the application from which the search was run. $@latest_time$ * The latest time the event occurred. This is used to disambiguate similar events from one another. It is not often available for all fields.
Field action types
############################################################################ # Link type: # Allows for the construction of GET and POST requests via links to external # resources. ############################################################################ link.uri = <string> * The URI for the resource to link to. * Accepts field values in the form $<field name>$, (e.g $_raw$). * All inserted values are URI encoded. * Required link.target = <string> * Determines if clicking the link opens a new window, or redirects the current window to the resource defined in link.uri. * Accepts: "blank" (opens a new window), "self" (opens in the same window) * Default: "blank" link.method = <string> * Determines if clicking the link should generate a GET request or a POST request to the resource defined in link.uri. * Accepts: "get" or "post". * Default: "get". link.postargs.<int>.<key/value> = <value> * Only available when link.method = post. * Defined as a list of key / value pairs like such that foo=bar becomes: link.postargs.1.key = "foo" link.postargs.1.value = "bar" * Allows for a conf compatible method of defining multiple identical keys (e.g.): link.postargs.1.key = "foo" link.postargs.1.value = "bar" link.postargs.2.key = "foo" link.postargs.2.value = "boo" ... * All values are html form encoded appropriately. ############################################################################ # Search type: # Allows for the construction of a new search to run in a specified view. ############################################################################ search.search_string = <string> * The search string to construct. * Accepts field values in the form $<field name>$, (e.g. $_raw$). * Does NOT attempt to determine if the inserted field values may break quoting or other search language escaping. * Required search.app = <string> * The name of the Splunk application in which to perform the constructed search. * By default this is set to the current app. search.view = <string> * The name of the view in which to preform the constructed search. * By default this is set to the current view. search.target = <string> * Accepts: blank, self. * Works in the same way as link.target. See link.target for more info. search.earliest = <time> * Accepts absolute and relative times (e.g. -10h). * Determines the earliest time to search from. search.latest = <time> * Accepts absolute and relative times (e.g. -10h). * Determines the latest time to search to. search.preserve_timerange = <boolean> * Ignored if either the search.earliest or search.latest values are set. * When true, the time range from the original search which produced the events list will be used. * Default: false.
workflow_actions.conf.example
# Version 9.0.2 # # This is an example workflow_actions.conf. These settings are used to # create workflow actions accessible in an event viewer. Refer to # workflow_actions.conf.spec and the documentation at splunk.com for more # information about this file. # # To use one or more of these configurations, copy the configuration block # into workflow_actions.conf in $SPLUNK_HOME/etc/system/local/, or into your # application's local/ folder. You must restart Splunk to enable # configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # These are the default workflow actions and make extensive use of the # special parameters: $@namespace$, $@sid$, etc. [show_source] type=link fields = _cd, source, host, index display_location = event_menu label = Show Source link.uri = /app/$@namespace$/show_source?sid=$@sid$&offset=$@offset$&latest_time=$@latest_time$ [ifx] type = link display_location = event_menu label = Extract Fields link.uri = /ifx?sid=$@sid$&offset=$@offset$&namespace=$@namespace$ [etb] type = link display_location = event_menu label = Build Eventtype link.uri = /etb?sid=$@sid$&offset=$@offset$&namespace=$@namespace$ # This is an example workflow action which will be displayed in a specific # field menu (clientip). [whois] display_location = field_menu fields = clientip label = Whois: $clientip$ link.method = get link.target = blank link.uri = http://ws.arin.net/whois/?queryinput=$clientip$ type = link # This is an example field action which will allow a user to search every # field value in Google. [Google] display_location = field_menu fields = * label = Google $@field_name$ link.method = get link.uri = http://www.google.com/search?q=$@field_value$ type = link # This is an example post link that will send its field name and field value # to a fictional bug tracking system. [Create JIRA issue] display_location = field_menu fields = error_msg label = Create JIRA issue for $error_class$ link.method = post link.postargs.1.key = error link.postargs.1.value = $error_msg$ link.target = blank link.uri = http://127.0.0.1:8000/jira/issue/create type = link # This is an example search workflow action that will be displayed in an # event's menu, but requires the field "controller" to exist in the event in # order for the workflow action to be available for that event. [Controller req over time] display_location = event_menu fields = controller label = Requests over last day for $controller$ search.earliest = -3d search.search_string = sourcetype=rails_app controller=$controller$ | timechart span=1h count search.target = blank search.view = charting type = search
wmi.conf | workload_policy.conf |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.2
Feedback submitted, thanks!