Run a script: This will run a script with the results of the search. Any script
must be installed by the administrator at $SPLUNK_HOME/bin/scripts/.
This is covered in Chapter 12, Extending Splunk.
Show triggered alerts in Alert manager: The alert manager is a listing of
alerts populated by saved searches. The alerts window is a convenient way
to group all alerts without filling your mailbox. Use the Alerts link at the
top of the window.
The next two options determine how many alerts to issue:
Execute actions on: Your options are All results and Each result. In most
cases, you will only want one alert per search (All results), but in special
cases you could treat each event independently and issue an alert per event.
You should be cautious with Each result, making sure to limit the number
of results returned, most likely by using reporting commands.
Throttling: This allows you to determine how often the same alert will
be fired. You may want to search for a particular event every minute, but
you probably don't want an e-mail every minute. With throttling, you can
tell Splunk to only send you an e-mail every half hour even if the error
continues to happen every minute.
If you choose Execute actions on: Each result, another input box appears to let you
throttle against specific fields. For instance, if host A has an error, you may not want
to know about any other host A errors for another 30 minutes, but if host B has an
error in those 30 minutes, you would like to know immediately. Simply entering
host in this field will compare the values of the host field.
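The options described above (script action, alert manager tracking, Execute actions on, throttling, and per-field throttling) all end up as settings in a saved search's stanza in savedsearches.conf. The following stanza is an added example written for this page, not something from the book or from Splunk's shipped configuration; the parameter names follow savedsearches.conf.spec as I know it (check the spec file in your own installation, since names and defaults vary between versions), and the stanza name "Errors by host", the app directory "myapp", the search string, and the script filename notify_oncall.sh are all assumed values.

```ini
# Added example: savedsearches.conf stanza for a throttled, per-host alert.
# Assumed location (app name "myapp" is an assumption):
#   $SPLUNK_HOME/etc/apps/myapp/local/savedsearches.conf

[Errors by host]
# The search whose results drive the alert. Ending in a reporting command
# (stats) bounds the number of results, which matters when alerting per result.
search = index=main sourcetype=syslog error | stats count by host | where count > 10

# Run every minute over the last minute of data.
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now

# Trigger whenever the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0

# Execute actions on: Each result  -> digest_mode = 0
# Execute actions on: All results  -> digest_mode = 1 (one alert per run)
alert.digest_mode = 0

# Throttling: once host A has alerted, suppress further alerts for host A
# for 30 minutes; host B alerting in that window still fires immediately.
# alert.suppress.fields is only meaningful when digest_mode = 0.
alert.suppress = 1
alert.suppress.period = 30m
alert.suppress.fields = host

# Show triggered alerts in Alert manager.
alert.track = 1

# Run a script: only a filename is given; the file itself must already have
# been placed under $SPLUNK_HOME/bin/scripts/ by an administrator.
action.script = 1
action.script.filename = notify_oncall.sh
```

Splunk picks up changes to this file on restart or after a configuration refresh. The same stanza can be produced by saving the alert through the UI and then inspecting the app's local/savedsearches.conf, which is a quick way to confirm that the throttling field you typed (host here) landed in alert.suppress.fields rather than somewhere else.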
The third screen simply lets you choose whether this search is available to other
users. Not all users will have permissions to make searches public.
Summary
In this chapter, we covered searching in Splunk and doing a few useful things
with those search results. There are lots of little tricks that we will touch upon
as we go forward.
In the next chapter, we will start using fields for more than searches; we'll build
tables and graphs, and then, we'll learn how to make our own fields.