Topics

| pdf version

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Search

Distributed Search

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Set up alerts via savedsearches.conf

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6

Set up alerts via savedsearches.conf

Configure alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.


alerting options

First, configure a saved search. Then, add the following attribute/value pairs to your saved search stanza to create an alert:


counttype = <string>

  • Set the type of count for alerting.
  • Possible values: number of events, number of hosts, number of sources, number of sourcetypes.


relation = <string>

  • How to compare against counttype.
  • Possible values: greater than, less than, equal to, drops by, rises by.

quantity = <integer>

  • Number to compare against the given counttype.

schedule = <string>

  • Cron style schedule (i.e. */12 * * * *).

action_rss = <integer>

  • Toggle whether or not to create an RSS link.
  • Possible values: 1/0 (1 to create, 0 to disable).

action_email = <string>

  • Comma delimited list of email addresses to send alerts to.

sendresults = <integer>

  • Whether or not to send the results along with the email/shell script.
  • Possible values: 1/0 (1 to send, 0 to disable).


execDelay = <integer>

  • Amount of time (in seconds) from most recent event to the execution of the scheduled search query.
  • Defaults to 0.


maxresults = <integer>

  • The maximum number of results the entire query pipeline can generate.
  • Defaults to 50000.

Note: This is different from specifying maxresults during a search (maxresults:: search modifier in older versions, or -maxresults in the CLI in versions 3.2 and above).


display options

Optionally set the display options for your saved search in savedsearches.conf. Here are the possible attribute/value pairs:


viewstate.resultView = reportView

  • The UI state for a saved search.
  • Can be either normalView or reportView.
  • normalView returns the SplunkWeb search interface.
  • reportView returns the report interface.

viewstate.chart.plotMode = column

  • Set the plot mode for a chart returned by a saved search.
  • Only valid when viewstate.resultView == reportView
  • Possible values: area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter, stackedarea, stackedcolumn.

viewstate.prefs.selectedKeys = source host sourcetype

  • Space-delimited list of field to use.
  • Always auto-generated, but can be edited after the fact to include new fields.

Script options

Your alert can trigger a shell script. Use the following attribute/value pair:


action_script = <string>

  • Your search can trigger a shell script.
  • Specify the name of the shell script to run.
  • Place the script in $SPLUNK_HOME/bin/scripts.
  • Command line arguments passed to the script are:
  • $0 = script name.
  • $1 = number of events returned.
  • $2 = search terms.
  • $3 = fully qualified query string.
  • $4 = name of saved splunk.
  • $5 = trigger reason (i.e. "The number of events was greater than 1").
  • $6 = link to saved search.
  • $7 = a list of tags belonging to this saved search.
  • $8 = file where the results for this search are stored (contains raw results).

Note: If there are no saved tags, $7 becomes the name of the file containing the search results ($8).


All scripts must be shell scripts. If you want to run a script written in a different language (e.g. PERL, Python, VBScript) you must wrap it inside a shell script file which will interpret and pass Splunk's parameters to the script responsible for the heavy lifting. Specify the interpreter you want Splunk to use in the first line of your script, following the #!. For example:


  • to run a PERL script: 
---- myscript.pl ----
#!/path/to/perl
......
......
  • to use Python to interpret the script file: 
---- myscript.py -----
#!/path/to/python
.....
.....

For examples on how scripts can be configured to work with alerts, see send SNMP traps and send syslog events.


Example

This example runs a search for events containing the term "sudo" on a schedule, and sends the results via an RSS feed. 


[sudoalert]
action_rss = 1
counttype = number of events
enableSched = 1
quantity = 0
search = sudo
relation = greater than
schedule = */12 * * * *
sendresults = 0
role = Admin
Retrieved from "http://www.splunk.com/base/Documentation/3.2/Admin/SetUpAlertsViaSavedsearchesconf"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.