# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file configures global saved search actions.
#
# Layout: the keys before the first stanza apply to every action; each
# [stanza] below configures one alert action (email, rss, summary_index,
# summary_metric_index, script, populate_lookup, lookup). Values are
# strings; $...$ tokens are substituted by the alerting framework at run
# time. A trailing backslash continues a value on the next line (see
# footer.text in [email]).
#

# The global maximum number of results to be emailed. Any alert level
# max-results greater than this number will be capped at this level.
#
maxresults=10000

# Set the hostname that is displayed in the link sent in alerts.
# The resulting link is "http://hostname:port/......."
# Can be any string, or empty to pick up the hostname automatically.
# NOTE(review): an explicit value here (or in the local override) pins the
# host that alert links point at; with the auto-detected value, confirm the
# links resolve to the intended search head from the recipients' network.
#
hostname=

# set the ttl of the artifacts to at 10 periods
ttl = 10p

# the maximum amount of time to spend running an action
maxtime = 5m

track_alert = 0

# Invoke modular alerting layer by default
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$"

# Use CSV serialization for modular alerts by default.
forceCsvResults = auto

# Email action: delivers results and links via the SMTP server below.
[email]
icon_path = mod_alert_icon_email.png
label = Send email
description = Send an email notification to specified recipients

# from email address (name only, host will be appended automatically from mailserver)
#
from=splunk

subject = Splunk Alert: $name$
subject.alert = Splunk Alert: $name$
subject.report = Splunk Report: $name$
useNSSubject = 0

# Specify the format of the results in the email as either:
# table, raw, csv.
#
format = table

# SMTP server sending out all alert emails
#
mailserver = localhost
# Transport security to the SMTP server. With both set to 0 the SMTP session
# (including any auth_username / auth_password below) is sent in the clear;
# enable whichever of the two the mail server supports when the server is not
# on the local host.
use_ssl = 0
use_tls = 0

# username and password to be used to authenticate with the SMTP server
# NOTE(review): these are plain values in a conf file. Set them only in the
# local override, restrict read access to that file, and confirm for the
# deployed Splunk version whether auth_password is rewritten in encrypted
# form on restart.
auth_username =
auth_password =

# Default paper size for PDFs
# Can be one of letter, legal, a2, a3, a4, a5
reportPaperSize = letter

# Paper orientation: portrait or landscape
reportPaperOrientation = portrait

# Integrated PDF rendering adds a Splunk logo to the corner of the rendered page
# Disable by setting this to 0 (false)
reportIncludeSplunkLogo = 1

# Integrated PDF rendering will load the following CID fonts in the given order
# if multiple fonts have a glyph for a given character code, then the glyph from the
# first font will be used
reportCIDFontList = gb cns jp kor

# Specify whether to attach results as a file
# or add them to the body of the email (inline)
# options: true (inline the results in the email), false (attach results
# as a file)
#
inline = 0

# Specify the file name of the attachment
# Supported tokens are [type,app,owner,name,time]
reportFileName = $name$-$time:%Y-%m-%d$

# Set the priority of the email as it appears in the email client.
# Values 5 - 1, map to Lowest, Low, Normal, High, Highest.
# Defaults to normal or 3.
priority = 3

preprocess_results =
track_alert = 1
# Default recipient lists are empty; the alert definition supplies them.
to =
cc =
bcc =
message.report = The scheduled report '$name$' has run.
message.alert = The alert condition for '$name$' was triggered.
# Multi-line value: each trailing backslash joins the next line.
footer.text = If you believe you've received this email in error, please see your Splunk administrator.\
\
splunk>
# Which pieces of alert context are embedded in the message body. The search
# string and trigger details are off by default, so the SPL of the saved
# search is not disclosed to recipients unless an override turns it on.
include.results_link = 1
include.view_link = 1
include.search = 0
include.trigger = 0
include.trigger_time = 0

# Specify the content type of the email as html or plain.
# plain sends email as plain text
# html sends email as a multipart email that include both text and html.
#
content_type = html

sendresults = 0
sendpdf = 0
sendcsv = 0
sendpng = 0
allow_empty_attachment = 1
pdfview =
ttl = 86400
maxtime = 5m
width_sort_columns = 1
# Pipeline run for the email action; maxinputs/maxtime fall back to the
# {default=...} values when the alert does not set action.email.maxresults
# or action.email.maxtime.
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

# PDF related settings
# display header and footer by default
pdf.footer_enabled = 1
pdf.header_enabled = 1
# nothing will be displayed on the left side of header
pdf.header_left =
# description will be displayed on the center of header
pdf.header_center = description
# nothing will be displayed on the right side of header
pdf.header_right =
# logo will be displayed on the left side of footer
pdf.footer_left = logo
# dashboard/form will be displayed on the center of footer
pdf.footer_center = title
# timestamp and pagination will be displayed on the right side of footer
pdf.footer_right = timestamp,pagination
# Path to customize png logo, Splunk logo will be used if it's not set
# NOTE(review): this path is read by the PDF renderer on the search head;
# keep any override pointing at a file the Splunk process account owns.
pdf.logo_path =
# whether to render images in HTML
pdf.html_image_rendering = 1

# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (e.g. Windows Server 2008 R2).
# To add support for Windows Server 2008 R2 set sslVersions to tls and add
# these ciphers to cipherSuite:
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
# ECDHE-RSA-AES128-SHA
# Note that the four suites above are CBC (non-AEAD) and "tls" admits
# versions older than 1.2; widening either setting lowers the posture this
# default provides, so scope such an override to the deployment that needs it.
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# NOTE(review): empty here, which appears to place no restriction on the
# recipient domains an alert may email. A populated list in the local
# override limits where result data can be sent; confirm the accepted value
# format against the spec file for this conf before setting it.
allowedDomainList =

# RSS action: writes an RSS feed entry named after the saved search.
[rss]
ttl = 86400
maxtime = 1m
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"

# summary indexing into an Event index
[summary_index]
_name = summary
# run the summary index command during the original search
inline = 1
ttl = 120
# make sure the following keys are not added to marker (command, forceCsvResults, force_realtime_schedule, inline, maxresults, maxtime, ttl, track_alert, _*)
# The key_regex negative lookahead is what enforces the exclusion list above;
# keep the two in sync when adding a reserved key.
command = summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$"

# summary indexing into a Metric index
# Same marker construction as [summary_index] (it reads the
# action.summary_index.* keys, not action.summary_metric_index.*), plus the
# metric split and dimension arguments.
[summary_metric_index]
_name = summary
inline = 1
ttl = 120
command = mcollect spool=t index="$action.summary_index._name{required=yes}$" file="$name_hash$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|forceCsvResults|force_realtime_schedule|inline|maxresults|maxtime|python\\.version|ttl|track_alert|(?:_.*))$)(.*)"}$" split=allnums $action.summary_index._metric_dims$

# Script action: runs the script named by filename under the Splunk process
# account, passing search-derived values (count, search string, name, URL,
# sid, results file) as positional arguments.
# NOTE(review): the script itself must treat those arguments as untrusted
# input; confirm the directories scripts may be loaded from for the deployed
# version, and restrict who may create alerts that use this action.
[script]
icon_path = mod_alert_icon_script.png
label = Run a script
description = Invoke a custom script
track_alert = 1
ttl = 600
maxtime = 5m
filename =
# $deprecated_arg$ keeps the positional argument order stable for existing
# scripts; presumably it expands to an empty or placeholder value - verify
# before relying on that position.
command = runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"

# Copies the results of the search identified by sid to the lookup named in dest.
[populate_lookup]
ttl = 120
dest =
command = copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"

# Lookup action: writes (or, with append=1, appends) results to the CSV lookup
# named by filename. The filename comes from the alert definition, so the
# lookup a user can overwrite is bounded by their permissions on lookups.
[lookup]
label = Output results to lookup
icon_path = mod_alert_icon_lookup.png
description = Output the results of the search to a CSV lookup file
filename =
append = 0
command = outputlookup "$action.lookup.filename$" append=$action.lookup.append$
ttl = 2p