You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
229 lines
7.8 KiB
229 lines
7.8 KiB
5 months ago
|
# Version 9.2.2.20240415
|
||
|
# DO NOT EDIT THIS FILE!
|
||
|
# Changes to default files will be lost on update and are difficult to
|
||
|
# manage and support.
|
||
|
#
|
||
|
# Please make any changes to system defaults by overriding them in
|
||
|
# apps or $SPLUNK_HOME/etc/system/local
|
||
|
# (See "Configuration file precedence" in the web documentation).
|
||
|
#
|
||
|
# To override a specific setting, copy the name of the stanza and
|
||
|
# setting to the file where you wish to override it.
|
||
|
#
|
||
|
# This file configures global saved search actions.
|
||
|
#
|
||
|
|
||
|
# The global maximum number of results to be emailed. Any alert level
|
||
|
# max-results greater than this number will be capped at this level.
|
||
|
#
|
||
|
maxresults=10000
|
||
|
|
||
|
# Set the hostname that is displayed in the link sent in alerts.
|
||
|
# The resulting link is "http://hostname:port/......."
|
||
|
# Can be any string, or empty to pick up the hostname automatically.
|
||
|
#
|
||
|
hostname=
|
||
|
|
||
|
|
||
|
# set the ttl of the artifacts to at 10 periods
|
||
|
ttl = 10p
|
||
|
|
||
|
# the maximum amount of time to spend running an action
|
||
|
maxtime = 5m
|
||
|
|
||
|
track_alert = 0
|
||
|
|
||
|
# Invoke modular alerting layer by default
|
||
|
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$"
|
||
|
|
||
|
# Use CSV serialization for modular alerts by default.
|
||
|
forceCsvResults = auto
|
||
|
|
||
|
[email]
|
||
|
|
||
|
icon_path = mod_alert_icon_email.png
|
||
|
label = Send email
|
||
|
description = Send an email notification to specified recipients
|
||
|
|
||
|
# from email address (name only, host will be appended automatically from mailserver)
|
||
|
#
|
||
|
from=splunk
|
||
|
|
||
|
subject = Splunk Alert: $name$
|
||
|
subject.alert = Splunk Alert: $name$
|
||
|
subject.report = Splunk Report: $name$
|
||
|
useNSSubject = 0
|
||
|
|
||
|
# Specify the format of the results in the email as either:
|
||
|
# table, raw, csv.
|
||
|
#
|
||
|
format = table
|
||
|
|
||
|
# SMTP server sending out all alert emails
|
||
|
#
|
||
|
mailserver = localhost
|
||
|
|
||
|
use_ssl = 0
|
||
|
use_tls = 0
|
||
|
|
||
|
# username and password to be used to authenticate with the SMTP server
|
||
|
auth_username =
|
||
|
auth_password =
|
||
|
|
||
|
# Default paper size for PDFs
|
||
|
# Can be one of letter, legal, a2, a3, a4, a5
|
||
|
reportPaperSize = letter
|
||
|
|
||
|
# Paper orientation: portrait or landscape
|
||
|
reportPaperOrientation = portrait
|
||
|
|
||
|
# Integrated PDF rendering adds a Splunk logo to the corner of the rendered page
|
||
|
# Disable by setting this to 0 (false)
|
||
|
reportIncludeSplunkLogo = 1
|
||
|
|
||
|
# Integrated PDF rendering will load the following CID fonts in the given order
|
||
|
# if multiple fonts have a glyph for a given character code, then the glyph from the
|
||
|
# first font will be used
|
||
|
reportCIDFontList = gb cns jp kor
|
||
|
|
||
|
# Specify whether to attach results as a file
|
||
|
# or add them to the body of the email (inline)
|
||
|
# options: true (inline the results in the email), false (attach results
|
||
|
# as a file)
|
||
|
#
|
||
|
inline = 0
|
||
|
|
||
|
# Specify the file name of the attachment
|
||
|
# Supported tokens are [type,app,owner,name,time]
|
||
|
reportFileName = $name$-$time:%Y-%m-%d$
|
||
|
|
||
|
# Set the priority of the email as it appears in the email client.
|
||
|
# Values 5 - 1, map to Lowest, Low, Normal, High, Highest.
|
||
|
# Defaults to normal or 3.
|
||
|
priority = 3
|
||
|
|
||
|
preprocess_results =
|
||
|
|
||
|
track_alert = 1
|
||
|
to =
|
||
|
cc =
|
||
|
bcc =
|
||
|
message.report = The scheduled report '$name$' has run.
|
||
|
message.alert = The alert condition for '$name$' was triggered.
|
||
|
|
||
|
footer.text = If you believe you've received this email in error, please see your Splunk administrator.\
|
||
|
\
|
||
|
splunk>
|
||
|
|
||
|
include.results_link = 1
|
||
|
include.view_link = 1
|
||
|
include.search = 0
|
||
|
include.trigger = 0
|
||
|
include.trigger_time = 0
|
||
|
|
||
|
# Specify the content type of the email as html or plain.
|
||
|
# plain sends email as plain text
|
||
|
# html sends email as a multipart email that include both text and html.
|
||
|
#
|
||
|
content_type = html
|
||
|
|
||
|
sendresults = 0
|
||
|
sendpdf = 0
|
||
|
sendcsv = 0
|
||
|
sendpng = 0
|
||
|
allow_empty_attachment = 1
|
||
|
pdfview =
|
||
|
ttl = 86400
|
||
|
maxtime = 5m
|
||
|
width_sort_columns = 1
|
||
|
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"
|
||
|
|
||
|
# PDF related settings
|
||
|
|
||
|
# display header and footer by default
|
||
|
pdf.footer_enabled = 1
|
||
|
pdf.header_enabled = 1
|
||
|
|
||
|
# nothing will be displayed on the left side of header
|
||
|
pdf.header_left =
|
||
|
|
||
|
# description will be displayed on the center of header
|
||
|
pdf.header_center = description
|
||
|
|
||
|
# nothing will be displayed on the right side of header
|
||
|
pdf.header_right =
|
||
|
|
||
|
# logo will be displayed on the left side of footer
|
||
|
pdf.footer_left = logo
|
||
|
|
||
|
# dashboard/form will be displayed on the center of footer
|
||
|
pdf.footer_center = title
|
||
|
|
||
|
# timestamp and pagination will be displayed on the right side of footer
|
||
|
pdf.footer_right = timestamp,pagination
|
||
|
|
||
|
# Path to customize png logo, Splunk logo will be used if it's not set
|
||
|
pdf.logo_path =
|
||
|
|
||
|
# whether to render images in HTML
|
||
|
pdf.html_image_rendering = 1
|
||
|
|
||
|
# SSL settings
|
||
|
# The following provides modern TLS configuration that guarantees forward-
|
||
|
# secrecy and efficiency. This configuration drops support for old operating
|
||
|
# systems (e.g. Windows Server 2008 R2).
|
||
|
# To add support for Windows Server 2008 R2 set sslVersions to tls and add
|
||
|
# these ciphers to cipherSuite:
|
||
|
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
|
||
|
# ECDHE-RSA-AES128-SHA
|
||
|
|
||
|
sslVersions = tls1.2
|
||
|
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||
|
|
||
|
allowedDomainList =
|
||
|
|
||
|
[rss]
|
||
|
ttl = 86400
|
||
|
maxtime = 1m
|
||
|
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
|
||
|
|
||
|
# summary indexing into an Event index
|
||
|
[summary_index]
|
||
|
_name = summary
|
||
|
# run the summary index command during the original search
|
||
|
inline = 1
|
||
|
ttl = 120
|
||
|
# make sure the following keys are not added to marker (command, forceCsvResults, force_realtime_schedule, inline, maxresults, maxtime, ttl, track_alert, _*)
|
||
|
command = summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$"
|
||
|
|
||
|
# summary indexing into a Metric index
|
||
|
[summary_metric_index]
|
||
|
_name = summary
|
||
|
inline = 1
|
||
|
ttl = 120
|
||
|
command = mcollect spool=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$" split=allnums $action.summary_index._metric_dims$
|
||
|
|
||
|
[script]
|
||
|
icon_path = mod_alert_icon_script.png
|
||
|
label = Run a script
|
||
|
description = Invoke a custom script
|
||
|
track_alert = 1
|
||
|
ttl = 600
|
||
|
maxtime = 5m
|
||
|
filename =
|
||
|
command = runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"
|
||
|
|
||
|
[populate_lookup]
|
||
|
ttl = 120
|
||
|
dest =
|
||
|
command = copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"
|
||
|
|
||
|
[lookup]
|
||
|
label = Output results to lookup
|
||
|
icon_path = mod_alert_icon_lookup.png
|
||
|
description = Output the results of the search to a CSV lookup file
|
||
|
filename =
|
||
|
append = 0
|
||
|
command = outputlookup "$action.lookup.filename$" append=$action.lookup.append$
|
||
|
ttl = 2p
|