For example, if I had .conf files stored within:

- System directories (/opt/splunk/etc/system/) – local, then default
- /opt/splunk/etc/users/admin/search/local/<file>.conf
- /opt/splunk/etc/apps/search/default/<file>.conf
- /opt/splunk/etc/apps/TA-splunksearches/local/<file>.conf

The first settings to take precedence would be the ones set in the admin user directory, as they would hold any options set per user. Then, any settings set locally within the running app (in this case, search) would take precedence, followed by the app's default settings. That is followed by settings in any other app contexts, and finally settings in the system directories, which apply only if not overridden by a higher-precedence file.

App directory names can determine additional precedence. For app/user context, Splunk uses reverse-lexicographical order for priority. For example, an app directory whose name starts with the letter "Z" has a higher precedence than one starting with the letter "A".

Here are some common conf files found in the app/user context in Splunk:

ALERT_ACTIONS.CONF

alert_actions.conf provides settings for saved search actions. Different options exist for configuring alerts to send emails, RSS notifications, scripts, scheduled searches, and custom alert actions. The [default] stanza dictates settings for all alert actions within the conf file but can be overridden by individual alert action stanzas. Here are some settings commonly configured in alert_actions.conf:

- maxresults – the maximum number of search results sent through alerts
- hostname – the hostname in the URL sent through alerts
- command – the search command that executes the action
- maxtime – the allowed amount of time for an alert to execute before it is aborted
- label – sets the label in the UI for custom alert actions
- description – sets the description in the UI for custom alert actions

FIELDS.CONF

fields.conf provides settings for how Splunk handles indexed and extracted fields, multivalue fields, and field values at search time. Again, the [default] stanza dictates settings for all fields, which can be overwritten by individual field stanzas. For local settings, the stanza name may be the field name itself, or a wildcard expression for a certain sourcetype, formatted like this: sourcetype::<sourcetype>::<fieldname>

- TOKENIZER – indicates that a field value is part of a larger token (pertinent to multivalue fields)
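To make the precedence rules above concrete, here is an added Python example (not code from the original post or from Splunk itself) that applies them to a constructed set of alert_actions.conf layers: the user directory first, then the running app's local and default directories, other apps in reverse-lexicographical order, and finally the system directories, with a setting in a named stanza beating the [default] stanza as the post describes. The app names A_app and Z_app, the paths and every setting value are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed layers of one conf file; values are made up, not Splunk defaults.
CONF_FILES: Dict[str, str] = {
    "/opt/splunk/etc/system/default/alert_actions.conf":
        "[default]\nmaxresults = 100\nmaxtime = 5m\n\n[email]\nhostname = sys.example\n",
    "/opt/splunk/etc/apps/A_app/default/alert_actions.conf": "[email]\nhostname = a.example\n",
    "/opt/splunk/etc/apps/Z_app/local/alert_actions.conf": "[email]\nhostname = z.example\n",
    "/opt/splunk/etc/apps/search/default/alert_actions.conf": "[default]\nmaxtime = 10m\n",
    "/opt/splunk/etc/users/admin/search/local/alert_actions.conf": "[email]\nmaxresults = 25\n",
}

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def precedence_order(paths: List[str], user: str, app: str) -> List[str]:
    """Highest to lowest, per the post: user dir, running app, other apps (reverse-lex), system."""
    layer = lambda p: 0 if "/local/" in p else 1              # local beats default
    app_of = lambda p: p.split("/apps/")[1].split("/")[0]
    user_dir = sorted((p for p in paths if f"/users/{user}/{app}/" in p), key=layer)
    running = sorted((p for p in paths if f"/apps/{app}/" in p), key=layer)
    others = [p for p in paths if "/apps/" in p and app_of(p) != app]
    others.sort(key=lambda p: (app_of(p), -layer(p)), reverse=True)  # "Z" beats "A"
    system = sorted((p for p in paths if "/etc/system/" in p), key=layer)
    return user_dir + running + others + system

def effective(stanza: str, key: str, confs: Dict[str, str], user: str, app: str):
    """Return (value, path): the first file in precedence order that sets the key
    in the named stanza wins; [default] is consulted only when no file sets it there."""
    order = precedence_order(list(confs), user, app)
    parsed = {p: parse_conf(confs[p]) for p in order}
    for name in (stanza, "default"):
        for path in order:
            if key in parsed[path].get(name, {}):
                return parsed[path][name][key], path
    return None, None
```

Calling `effective("email", "hostname", CONF_FILES, "admin", "search")` picks the Z_app local file over the A_app default file, while `maxtime` for the same stanza comes from the running app's [default] stanza rather than the system default.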