You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

229 lines
7.8 KiB

5 months ago
# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file configures global saved search actions.
#
# The global maximum number of results to be emailed. Any alert level
# max-results greater than this number will be capped at this level.
#
maxresults=10000
# Set the hostname that is displayed in the link sent in alerts.
# The resulting link is "http://hostname:port/......."
# Can be any string, or empty to pick up the hostname automatically.
#
hostname=
# set the ttl of the artifacts to at 10 periods
ttl = 10p
# the maximum amount of time to spend running an action
maxtime = 5m
track_alert = 0
# Invoke modular alerting layer by default
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$"
# Use CSV serialization for modular alerts by default.
forceCsvResults = auto
[email]
icon_path = mod_alert_icon_email.png
label = Send email
description = Send an email notification to specified recipients
# from email address (name only, host will be appended automatically from mailserver)
#
from=splunk
subject = Splunk Alert: $name$
subject.alert = Splunk Alert: $name$
subject.report = Splunk Report: $name$
useNSSubject = 0
# Specify the format of the results in the email as either:
# table, raw, csv.
#
format = table
# SMTP server sending out all alert emails
#
mailserver = localhost
use_ssl = 0
use_tls = 0
# username and password to be used to authenticate with the SMTP server
auth_username =
auth_password =
# Default paper size for PDFs
# Can be one of letter, legal, a2, a3, a4, a5
reportPaperSize = letter
# Paper orientation: portrait or landscape
reportPaperOrientation = portrait
# Integrated PDF rendering adds a Splunk logo to the corner of the rendered page
# Disable by setting this to 0 (false)
reportIncludeSplunkLogo = 1
# Integrated PDF rendering will load the following CID fonts in the given order
# if multiple fonts have a glyph for a given character code, then the glyph from the
# first font will be used
reportCIDFontList = gb cns jp kor
# Specify whether to attach results as a file
# or add them to the body of the email (inline)
# options: true (inline the results in the email), false (attach results
# as a file)
#
inline = 0
# Specify the file name of the attachment
# Supported tokens are [type,app,owner,name,time]
reportFileName = $name$-$time:%Y-%m-%d$
# Set the priority of the email as it appears in the email client.
# Values 5 - 1, map to Lowest, Low, Normal, High, Highest.
# Defaults to normal or 3.
priority = 3
preprocess_results =
track_alert = 1
to =
cc =
bcc =
message.report = The scheduled report '$name$' has run.
message.alert = The alert condition for '$name$' was triggered.
footer.text = If you believe you've received this email in error, please see your Splunk administrator.\
\
splunk>
include.results_link = 1
include.view_link = 1
include.search = 0
include.trigger = 0
include.trigger_time = 0
# Specify the content type of the email as html or plain.
# plain sends email as plain text
# html sends email as a multipart email that include both text and html.
#
content_type = html
sendresults = 0
sendpdf = 0
sendcsv = 0
sendpng = 0
allow_empty_attachment = 1
pdfview =
ttl = 86400
maxtime = 5m
width_sort_columns = 1
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"
# PDF related settings
# display header and footer by default
pdf.footer_enabled = 1
pdf.header_enabled = 1
# nothing will be displayed on the left side of header
pdf.header_left =
# description will be displayed on the center of header
pdf.header_center = description
# nothing will be displayed on the right side of header
pdf.header_right =
# logo will be displayed on the left side of footer
pdf.footer_left = logo
# dashboard/form will be displayed on the center of footer
pdf.footer_center = title
# timestamp and pagination will be displayed on the right side of footer
pdf.footer_right = timestamp,pagination
# Path to customize png logo, Splunk logo will be used if it's not set
pdf.logo_path =
# whether to render images in HTML
pdf.html_image_rendering = 1
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (e.g. Windows Server 2008 R2).
# To add support for Windows Server 2008 R2 set sslVersions to tls and add
# these ciphers to cipherSuite:
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
# ECDHE-RSA-AES128-SHA
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
allowedDomainList =
[rss]
ttl = 86400
maxtime = 1m
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
# summary indexing into an Event index
[summary_index]
_name = summary
# run the summary index command during the original search
inline = 1
ttl = 120
# make sure the following keys are not added to marker (command, forceCsvResults, force_realtime_schedule, inline, maxresults, maxtime, ttl, track_alert, _*)
command = summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$"
# summary indexing into a Metric index
[summary_metric_index]
_name = summary
inline = 1
ttl = 120
command = mcollect spool=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$" split=allnums $action.summary_index._metric_dims$
[script]
icon_path = mod_alert_icon_script.png
label = Run a script
description = Invoke a custom script
track_alert = 1
ttl = 600
maxtime = 5m
filename =
command = runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"
[populate_lookup]
ttl = 120
dest =
command = copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"
[lookup]
label = Output results to lookup
icon_path = mod_alert_icon_lookup.png
description = Output the results of the search to a CSV lookup file
filename =
append = 0
command = outputlookup "$action.lookup.filename$" append=$action.lookup.append$
ttl = 2p

Powered by BW's shoe-string budget.