You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

200 lines
7.6 KiB

5 months ago
# Version 9.2.2.20240415
#
# This file contains possible attribute/value pairs for configuring workflow
# actions in Splunk.
#
# There is a workflow_actions.conf in $SPLUNK_HOME/etc/apps/search/default/.
# To set custom configurations, place a workflow_actions.conf in either
# $SPLUNK_HOME/etc/system/local/ or add a workflow_actions.conf file to your
# app's local/ directory. For examples, see workflow_actions.conf.example.
# You must restart Splunk to enable configurations, unless editing them
# through the Splunk manager.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top
# of the file.
# * Each conf file should have at most one default stanza. If there are
# multiple default stanzas, attributes are combined. In the case of
# multiple definitions of the same attribute, the last definition in the
# file wins.
# * If an attribute is defined at both the global level and in a specific
# stanza, the value in the specific stanza takes precedence.
############################################################################
# General required settings:
# These apply to all workflow action types.
############################################################################
type = <string>
* The type of the workflow action.
* If not set, the Splunk platform skips this workflow action.
label = <string>
* The label to display in the workflow action menu.
* If not set, the Splunk platform skips this workflow action.
############################################################################
# General optional settings:
# These settings are not required but are available for all workflow
# actions.
############################################################################
fields = <comma or space separated list>
* The fields required to be present on the event in order for the workflow
action to be applied.
* When "display_location" is set to "both" or "field_menu", the workflow
action will be applied to the menu's corresponding to the specified
fields.
* If fields is undefined or set to *, the workflow action is applied to all
field menus.
* If the * character is used in a field name, it is assumed to act as a
"globber". For example host* would match the fields hostname, hostip, etc.
* Acceptable values are any valid field name, any field name including the *
character, or * (e.g. *_ip).
* Default: *
eventtypes = <comma or space separated list>
* The eventtypes required to be present on the event in order for the
workflow action to be applied.
* Acceptable values are any valid eventtype name, or any eventtype name plus
the * character (e.g. host*).
display_location = <string>
* Dictates whether to display the workflow action in the event menu, the
field menus or in both locations.
* Accepts field_menu, event_menu, or both.
* Default: both.
disabled = [True | False]
* Dictates whether the workflow action is currently disabled
* Default: False
############################################################################
# Using field names to insert values into workflow action settings
############################################################################
# Several settings detailed below allow for the substitution of field values
# using a special variable syntax, where the field's name is enclosed in
# dollar signs. For example, $_raw$, $hostip$, etc.
#
# The settings, label, link.uri, link.postargs, and search.search_string all
# accept the value of any valid field to be substituted into the final
# string.
#
# For example, you might construct a Google search using an error message
# field called error_msg like so:
# link.uri = http://www.google.com/search?q=$error_msg$.
#
# Some special variables exist to make constructing the settings simpler.
$@field_name$
* Allows for the name of the current field being clicked on to be used in a
field action.
* Useful when constructing searches or links that apply to all fields.
* NOT AVAILABLE FOR EVENT MENUS
$@field_value$
* Allows for the value of the current field being clicked on to be used in a
field action.
* Useful when constructing searches or links that apply to all fields.
* NOT AVAILABLE FOR EVENT MENUS
$@sid$
* The sid of the current search job.
$@offset$
* The offset of the event being clicked on in the list of search events.
$@namespace$
* The name of the application from which the search was run.
$@latest_time$
* The latest time the event occurred. This is used to disambiguate similar
events from one another. It is not often available for all fields.
############################################################################
# Field action types
############################################################################
############################################################################
# Link type:
# Allows for the construction of GET and POST requests via links to external
# resources.
############################################################################
link.uri = <string>
* The URI for the resource to link to.
* Accepts field values in the form $<field name>$, (e.g $_raw$).
* All inserted values are URI encoded.
* Required
link.target = <string>
* Determines if clicking the link opens a new window, or redirects the
current window to the resource defined in link.uri.
* Accepts: "blank" (opens a new window), "self" (opens in the same window)
* Default: "blank"
link.method = <string>
* Determines if clicking the link should generate a GET request or a POST
request to the resource defined in link.uri.
* Accepts: "get" or "post".
* Default: "get".
link.postargs.<int>.<key/value> = <value>
* Only available when link.method = post.
* Defined as a list of key / value pairs like such that foo=bar becomes:
link.postargs.1.key = "foo"
link.postargs.1.value = "bar"
* Allows for a conf compatible method of defining multiple identical keys (e.g.):
link.postargs.1.key = "foo"
link.postargs.1.value = "bar"
link.postargs.2.key = "foo"
link.postargs.2.value = "boo"
...
* All values are html form encoded appropriately.
############################################################################
# Search type:
# Allows for the construction of a new search to run in a specified view.
############################################################################
search.search_string = <string>
* The search string to construct.
* Accepts field values in the form $<field name>$, (e.g. $_raw$).
* Does NOT attempt to determine if the inserted field values may break
quoting or other search language escaping.
* Required
search.app = <string>
* The name of the Splunk application in which to perform the constructed
search.
* By default this is set to the current app.
search.view = <string>
* The name of the view in which to preform the constructed search.
* By default this is set to the current view.
search.target = <string>
* Accepts: blank, self.
* Works in the same way as link.target. See link.target for more info.
search.earliest = <time>
* Accepts absolute and relative times (e.g. -10h).
* Determines the earliest time to search from.
search.latest = <time>
* Accepts absolute and relative times (e.g. -10h).
* Determines the latest time to search to.
search.preserve_timerange = <boolean>
* Ignored if either the search.earliest or search.latest values are set.
* When true, the time range from the original search which produced the
events list will be used.
* Default: false.

Powered by BW's shoe-string budget.