This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Saved Splunks and Live Splunks

Alerts (Splunk Professional)

If a Live Splunk's results trigger an alert, there are four ways it can alert users: the Splunk Server home page, email, RSS, and a shell script.

Home page

Whenever you hit your Splunk server's home page, it will display any Saved Splunks that have met their alert settings.

Email

If your Splunk Server host has outbound email enabled, Splunk can email an alert that looks like this.

From: livesplunk@splunk.enet.interfoo.net (Joe Admin)
Date: November 16, 2005 3:19:23 PM PST
To: admin-list@interfoo.net
Subject: alert if fewer than 10.


Live Splunk http://splunk.enet.interop.net:8000/?events?q=7%318989%32500%20m%69%6e%75t%65sago%3a%3a%310%20doma%69%6e%3a%3ad%65fa%75%6ct%20 triggered with the result :

The Number of Events (0) was Less Than 10.

Splunk Name : calls home last 10 minutes
Query Terms : 7189892500 minutesago::10 index::default

Auto-generated by Splunk Professional

RSS

An RSS alert from a Live Splunk looks like this. The link value is a permalink URL to run the Live Splunk now on the server.

<?xml version="1.0"?>
<rss version="2.0">
    <channel>
        <title>test</title>
        <link>http://qa-fc4:8000/?events?q=meta%3a%3aall%20</link>
        <description>Live Splunk Feed for live splunk test</description>
        <item>
            <title>Query run from 0 To 1134079839</title>
            <link>http://qa-fc4:8000/?events?q=meta%3a%3aall%20%20starttimeu%3a%3a0%20endtimeu%3a%3a1134079839</link>
            <description> The Number of Events (1000) was Greater Than 1.</description>
            <pubDate>1134079840</pubDate>
        </item>
    </channel>
</rss>

The on-screen appearance of the alert will vary depending on your RSS reader, but it will generally include the name of the Live Splunk, the time it was run, the rule that caused it to send an alert, and a link to run the Live Splunk yourself.

You can also attach the results of the Live Splunk to the notice. If you use the report:: feature to create a report table, it will attach the report.

Shell Script

A Live Splunk can call an alert shell script that you specify in the interface. Splunk will pass five arguments to your script:

  • $1—A results summary in XML.
  • $2—The search terms for the Live Splunk.
  • $3—The fully qualified query string for the Live Splunk.
  • $4—The name of the Live Splunk.
  • $5—The reason the Live Splunk fired.
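As an added example (not from the Splunk manual), here is a POSIX shell alert handler that accepts those five arguments, keeps the XML results summary in its own file and appends a one-line record to a log. The log directory and function names are assumptions; the arguments are treated as untrusted data, since the search terms and the reason string come from user-controlled search input.

```shell
#!/bin/sh
# Added example, not Splunk's own code. ALERT_DIR and the function names
# are assumptions, not Splunk defaults.
#
# Every argument is only quoted and written out, never passed to eval or
# interpolated into another command line.

ALERT_DIR="${ALERT_DIR:-/tmp/livesplunk-alerts}"   # assumed location

# Collapse tabs and newlines so each alert becomes exactly one log record.
sanitize() {
    printf '%s' "$1" | tr '\t\n' '  '
}

# Build the one-line record from name, reason, search terms and full query.
# $1 = Live Splunk name, $2 = reason it fired, $3 = search terms, $4 = query
format_alert() {
    printf 'name=%s\treason=%s\tterms=%s\tquery=%s\n' \
        "$(sanitize "$1")" "$(sanitize "$2")" \
        "$(sanitize "$3")" "$(sanitize "$4")"
}

# Entry point matching the calling convention described above:
#   $1 results XML, $2 search terms, $3 fully qualified query,
#   $4 Live Splunk name, $5 reason the Live Splunk fired
handle_alert() {
    [ "$#" -eq 5 ] || { echo "expected 5 arguments, got $#" >&2; return 2; }
    mkdir -p "$ALERT_DIR" || return 1
    # Store the XML summary verbatim, one file per alert, for later review.
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    xml_file="$ALERT_DIR/results-$ts-$$.xml"
    printf '%s\n' "$1" > "$xml_file"
    # Append the single-line record to the alert log.
    format_alert "$4" "$5" "$2" "$3" >> "$ALERT_DIR/alerts.log"
    printf '%s\n' "$xml_file"
}

# Run only when invoked by Splunk with its five arguments.
if [ "$#" -eq 5 ]; then
    handle_alert "$@"
fi
```

Point the Live Splunk's alert script setting at this file (made executable) and every firing produces one line in alerts.log plus one results XML file.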
