Splunk.com | SplunkBase | Support

Documentation: 3.1.4

| Print Version Contents

Getting Started
- About the getting started section
- Installation
- Start Splunk for the first time
- Administration Basics
- Change defaults
- Find and index data
- Add more users
- Start searching
How Splunk Works
- How Splunk Works
Configuring a Splunk Deployment
- About the deployment section
- Choose a Deployment Model
- Decide how Splunk should index your data
- Install Splunk on every host
- Configure the receiving servers
- Configure the forwarding servers
- Set up the deployment server
  - Configure the deployment server
  - Set up deployment classes
Data Inputs
- How input configuration works
  - Data input types
  - Indexing properties
- Configure inputs via SplunkWeb
- Configure inputs via the CLI
- Configure inputs via inputs.conf
  - Configuration
- Index SNMP events with Splunk
- Scripted inputs
  - Configuration
  - Example
- Add binary files
  - Configuration
  - Example
- log4j
  - External Links
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
- File whitelisting / blacklisting
Hosts
- How host works
- Set default host for a Splunk server
  - via SplunkWeb
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via SplunkWeb
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Set source type for an input
  - via SplunkWeb
  - via configuration files
- Set a source type for a source
  - via configuration files
- Train Splunk on a sourcetype
  - via the CLI
- Create an alias for a source type
  - via SplunkWeb
- Rule-based association of sourcetypes
Timestamp Recognition
- How Splunk recognizes timestamps
  - Timestamp precedence
  - Configuration files for timestamps
- Configure Splunk to recognize a timestamp
- Train Splunk to recognize timestamps
  - About training
  - via the CLI
- How to configure timezone offsets
- Tune Timestamping
  - Turn off timestamp lookahead
Events
- How events work
- Large events
- Multiline events
  - Configuration
  - Examples
- Mask sensitive data in an event
  - Configuration
- Character set
  - Character set specification
Event Types
- How event types work
- Save event types via SplunkWeb
  - Configuration
  - Example
- Tag event types
  - Configuration
- Configure auto-discovery
  - Configuration
  - Example
- Configure eventtypes.conf
Meta Events
- How meta events work
  - Transitive meta events
  - Configuration files for meta events
- Configure meta events
  - Configuration
  - Examples
Fields
- How fields work
- Create additional search fields
  - Configuration
  - Example
- Define additional extracted fields
  - Configuration
  - Example
- Field actions
  - Configuration
- Define extracted fields in meta events
  - Configuration
  - Example
Segmentation
- How segmentation works
  - Configuration files for segmentation
- Configure segmentation
- Enable custom segmentation
  - Configuration
  - Example
Saved Searches and Alerts
- How saved searches work
  - Saved searches
  - Alerting
- Set up saved searches
  - via SplunkWeb
  - via configuration files
- Set up alerts
- Send SNMP traps
  - Configuration
- Send syslog events
  - Configuration
  - Example
- Form searches
Authentication
- How authentication works
- SSL
  - Configuration
  - SSL for SplunkWeb
- Set up users
- Set up LDAP
Granular Access Control
- How Granular Access Control works
  - Configuration files for access controls
- Configure access controls
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure outputs.conf
  - Configuration
  - Optional attributes
- Set up routing
  - Configuration
  - Examples
- Route data to third-party systems
  - Configuration
  - Example
- Enable cloning
- Set up SSL
  - Forwarder
  - Receiver
- Set up data balancing
  - Configuration
  - Example
- Filtering and routing
  - Configuration
  - Example
- Route specific events to an alternate index
  - Configuration
  - Example
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via SplunkWeb
- Enable distributed search via the CLI
  - Configuration
- Configuration files for distributed search
- Users in a distributed search setup
- Exclude specific Splunk servers from distributed searches
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
- Configure deployment clients
  - Enable the client and server
  - Sync the server and client
- Configuration changes after initial deployment
- Using Splunk with 3rd Party configuration management systems
Index Management
- How Index Management Works
  - Data management
  - Configuration files for index management
- Add or Remove an index
  - Create an index
  - Delete an index
- Move an index
  - Configuration
- Disk usage
  - Set minimum free disk space
  - Set database size
- Set retirement policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - Export from the CLI
  - Export from the GUI
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Set up a WORM datastore
- Delete data from the index
  - Delete everything
  - Delete a subset of events
Bundles
- What are Bundles?
- How to create a bundle
- Configure bundles
  - Making a bundle
- Bundle directory structure
- Bundle precedence
- Bundle best practice
  - Testing bundles
SplunkBase
- Why use SplunkBase?
- Sharing add-ons on SplunkBase
- Finding and downloading add-ons on SplunkBase
  - Implementing add-ons from SplunkBase
- Looking up events on SplunkBase
  - Configuration
- Security and privacy considerations
- Control user access to SplunkBase
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Virtual machines
Routine Maintenance
- System backups
  - Backups in 3 Easy Steps
- Monitoring Splunk
  - via SplunkWeb
How-To
- Make SplunkWeb search faster
  - Enable core fields only
  - Disable related
  - Disable typeahead
- Harden a Splunk server
- Secure network connections
- Restore a failed server
- Change data policy to recover space
- Anonymize data samples
  - Simple method
  - Advanced method
- Public server setup
- Determine daily volume
- Determine what files Splunk will be tailing
  - Running listtails
- Set up auto-refresh
- Upgrade your license for more data
- How to use Splunk 2 Nagios
  - What Nagios logs
  - Install the Splunk2Nagios integration
- Restore a blocked license
- Customize the built-in help module
- Configure GUI Timeout
- Configure the Get Started module
- Disable SplunkWeb
  - Edit web.conf
  - Run the disable command
  - Re-enable SplunkWeb
- Configure OPSEC LEA Input
  - Installation
  - Checkpoint Modification
  - Configuration
- Place Splunk behind a web proxy
  - Scenario:
  - Solution:
- Cancel Search
- Strip syslog headers before processing
- Reconstitute Logs
  - Export event data
  - CLI search
- Enable HTTPS
  - configuration
- Estimate the size of your Splunk index and associated data
Troubleshooting
- Splunkd is down
- Splunk logfiles
- License issues
- Unable to get a properly formatted response from the server
- Contact Support
  - Work with Splunk Support
  - Log levels and starting in debug mode
Reference
- Splunk CLI
  - CLI commands
  - auth and uri parameters
  - Note for Mac users
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- Configuration file list
- access_controls.conf
  - access_controls.conf.spec
  - access_controls.conf.example
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- auth.conf
  - auth.conf.spec
  - auth.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- literals.conf
  - literals.conf.spec
  - literals.conf.example
- metaevents.conf
  - metaevents.conf.spec
  - metaevents.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.spec
  - props.conf.example
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.spec
  - segmenters.conf.example
- server.conf
  - server.conf.spec
  - server.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.spec
  - user-seed.conf.example
- web.conf
  - web.conf.spec
  - web.conf.example

This page last updated: 12/27/07 11:12pm

alert_actions.conf

Alert_actions.conf controls parameters for available alerting actions for scheduled searches.

alert_actions.conf.spec

# This file contains possible attributes and values for configuring saved search
# actions and alerting in alert_actions.conf.
#
# You can configure Splunk's global alerting actions by creating your own alert_actions.conf.

# There is an alert_actions.conf in $SPLUNK_HOME/etc/bundles/default/.  To set custom configurations,
# place an alert_actions.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.

# Glabal options

maxresults = <int>
        * Set the global maximum number of search results to be sent via alerts.
        * Defaults to 100.

hostname = <string>
        * Set the hostname that is displayed in the link sent in alerts.
        * This is useful when the machine sending the alerts does not have a FQDN.
        * Defaults to current hostname (set in Splunk) or localhost (if none is set).

# Email saved search actions
[<email saved search action>]

from = <string>
     * Email address where the alert originates.
     * Defaults to splunk@localhost

subject = <string>
     * Specify an alternate email subject.
     * Defaults to SplunkAlert-<splunkname>.

format = <string>
     * Specify the format of the text in the email.
      * Possible values include:  plain, html and csv.
     * The value for will also apply to any attachments as well as the text of an email.

inline = true | false | auto
        * Specify whether the search results will be contained in the body of the alert email.
        * Defaults to auto.

mailserver = <string>
        * The SMTP mail server to use when sending emails.
        * Defaults to localhost.

# RSS saved search actions

items_count = <number>
     * Threshold of how many rss feeds will be saved.
     * Defaults to 30.

alert_actions.conf.example

# EXAMPLE alert_action.conf
#
# You can use this example configuration file to customize your scheduled alerts.

[email]
# from email address
from=splunk@splunkalerts.com

# by default the subject is SplunkAlert-<splunk-name>, but
# you can change that here.
subject=your daily splunk

# specify the format of the text in the email with two
# possible values: html, plain, csv
format=html

[rss]
# threshold of rss feeds
items_count=30

Previous: access_controls.conf | Next: auth.conf

Comments

No comments have been submitted.

Log in to comment.