Construct custom log events to index and search metadata. Log events are sent to your Splunk deployment for indexing. As with other alert actions, log events can be used alone or in addition to other alert actions for a given alert.
Using the log event alert action requires the
Tokens for log events
When you set up a log event alert action, populate event fields with plain text or tokens representing search, job, or server metadata. You can also use tokens to access the first search results set.
Tokens available for email notifications are also available for log events. For more information on using tokens with alert actions, see Use tokens in email notifications in this manual.
Set up a log event alert action
Here are the steps for setting up a custom log event alert action after building a search.
To review token usage, see Use tokens in email notifications in this manual.
- You can configure the log event action when ceating a new alert or editing an existing alert's actions. Follow one of the options below.
Option Steps Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed. Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
- From the Add Actions menu, select Log event.
- Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
- Event text
- Source and sourcetype
- Destination index for the log event. The
mainindex is the default destination. You can specify a different existing index.
In a distributed environment, make sure your
outputs.conffile is configured correctly, for example:
[tcpout] defaultGroup = your_target_indexer indexAndForward = false and [indexAndForward] index=false
You must also define the destination index on both the search head and the indexers. For more information on configuring forwarding in
outputs.conf, see Configure the universal forwarder using configuration files in the Splunk Universal Forwarder Manual.
- Click Save.
The following steps are the same for saving new alerts or editing existing alerts.
Output results to a CSV lookup
Monitor triggered alerts
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208
Feedback submitted, thanks!