Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Log events

Construct custom log events to index and search metadata. Log events are sent to your Splunk deployment for indexing. As with other alert actions, log events can be used alone or in addition to other alert actions for a given alert.

Authorization requirement

Using the log event alert action requires the edit_log_alert_event capability.

Tokens for log events

When you set up a log event alert action, populate event fields with plain text or tokens representing search, job, or server metadata. You can also use tokens to access the first search results set.

Tokens available for email notifications are also available for log events. For more information on using tokens with alert actions, see Use tokens in email notifications in this manual.

Set up a log event alert action

Here are the steps for setting up a custom log event alert action after building a search.

Prerequisites
To review token usage, see Use tokens in email notifications in this manual.

Steps

  1. You can configure the log event action when ceating a new alert or editing an existing alert's actions. Follow one of the options below.
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
  2. The following steps are the same for saving new alerts or editing existing alerts.

  3. From the Add Actions menu, select Log event.
  4. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
    • Event text
    • Source and sourcetype
    • Host
    • Destination index for the log event. The main index is the default destination. You can specify a different existing index.

    In a distributed environment, make sure your outputs.conf file is configured correctly, for example:
    [tcpout]
    defaultGroup = your_target_indexer
    indexAndForward = false
    and
    [indexAndForward]
    index=false 
    

    You must also define the destination index on both the search head and the indexers. For more information on configuring forwarding in outputs.conf, see Configure the universal forwarder using configuration files in the Splunk Universal Forwarder Manual.

  5. Click Save.
Last modified on 27 January, 2023
Output results to a CSV lookup   Monitor triggered alerts

This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters