savedsearches.conf stores saved searches and their associated schedules and alerts.
savedsearches.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for Saved Splunk entries in a savedsearches.conf file.
# You can configure your own Saved Splunks by creating your own savedsearches.conf
# There is a savedsearches.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place a savedsearches.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
# Here is an example savedsearches.conf stanza:
# [<Splunk name>]
# attribute1 = val1
# ...
# The possible attribute/value pairs for savedsearches.conf are:
[<stanza name>]
* Name of the Saved Splunk stanza.
query = <string>
* Actual query terms of the Saved Splunk.
* For example: index::sampledata http NOT 500
isglobal = <integer>
* Toggle whether this Saved Splunk is shared with all users.
* If isglobal is set to 1, everyone can see/use this Saved Splunk.
* If set to 0, only the user who created the Saved Splunk can see it.
name = <string>
* Actual displayed name of the Saved Splunk.
* This will show in SplunkWeb, and you can search savedsplunk=<string>.
# Alerting options
counttype = <string>
* Set the type of count for alerting.
* Possible values: number of events, number of hosts, number of sources, number of sourcetypes.
relation = <string>
* How to compare against counttype.
* Possible values: greater than, less than, equal to, drops by, rises by.
quantity = <integer>
* Number to compare against the given counttype.
schedule = <string>
* Cron-style schedule (e.g. */12 * * * *).
action_script = <string>
* Your search can trigger a shell script.
* Specify the name of the shell script to run.
* Place the script in $SPLUNK_HOME/bin/scripts.
* Because the script is executed by Splunk when the alert fires, anyone who can write to that directory or to this file can choose what gets run; restrict both to administrators.
* Command line arguments passed to the script are:
# $1 - number of events returned when search run
# $2 - searched terms saved at the time saved search was created
# $3 - fully qualified query string, the way query is run internally
# $4 - saved search name
# $5 - trigger reason for the alert
# $6 - encoded http link to the saved search results
# $7 - tags that have been saved against this saved search, if there are any.
# $8 - file where the results for this search are stored(contains raw results)
# value: file script name
action_rss = <integer>
* Toggle whether or not to create an RSS link.
* Possible values: 1/0 (1 to create, 0 to disable).
action_email = <string>
* Comma-delimited list of email addresses to send alerts to.
sendresults = <integer>
* Whether or not to send the results along with the email/shell script.
* Possible values: 1/0 (1 to send, 0 to disable).
* The results can include raw event data (see $8 above), so enable this only for recipients and scripts that should see it.
# Viewstate settings
# Previously set in prefs.conf; as of 3.1 can be set in savedsearches.conf.
viewstate.resultView = reportView
* The UI state for a saved search.
* Can be either normalView or reportView.
* normalView returns the SplunkWeb search interface.
* reportView returns the report interface.
viewstate.chart.plotMode = column
* Set the plot mode for a chart returned by a saved search.
* Only valid when viewstate.resultView == reportView
* Possible values: area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter,
stackedarea, stackedcolumn.
viewstate.prefs.selectedKeys = source host sourcetype
* Space-delimited list of fields to use.
* Always auto-generated, but can be edited after the fact to include new fields.
# The following are flash chart formatting options that are auto-generated.
# DO NOT EDIT.
viewstate.chart.formatting.dateTimeFormat = %m/%d/%Y %H:%M:%S
viewstate.chart.formatting.height = 300
viewstate.chart.formatting.padding.bottom = 10
viewstate.chart.formatting.padding.left = 0
viewstate.chart.formatting.padding.right = 0
viewstate.chart.formatting.padding.top = 20
viewstate.chart.formatting.textColor = 3355443
viewstate.chart.formatting.width = 852

# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains example Saved Splunks and alerts.
# To use one or more of these configurations, copy the configuration block into
# savedsearches.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle).
#
#
# The following example is a form search that is not shared with any users and does not run
# on a schedule.
[foo]
action_rss = 0
disabled = false
enableSched = 0
isGlobal = 0
query = $foo$
sendresults = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
# The following is an example search for all events, run on a schedule. It will send an
# alert to two different email addresses.
[all]
disabled = 0
enableSched = 1
name = all
query = *
schedule = */12 * * * *
action_email = email1@email.com, email2@email.com
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
### Scripted searches
# The following search calls a script and sends an RSS feed. It runs every minute, Monday through
# Friday and alerts (e.g. sends RSS and triggers the script splunk.sh) every time the count of events
# returned by the search rises by 100.
[splunk_script]
query = eventtype = attack OR eventtype = deny
action_script = splunk.sh
action_rss = 1
counttype = number of events
relation = rises by
quantity = 100
schedule = */60 * * * 1-5
sendresults = 1
isGlobal = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView