Alerting

alert_actions.conf on Splunk Forwarder

Regleston
New Member

I am looking into the ability to set a script to run when an alert is triggered. My Splunk GUI tells me that the option to trigger a command is deprecated. So I started looking into creating alert_actions.conf. Can this file be in /system/local on the forwarder and not on the DC or DS? Also if the alert is setup through the GUI would I be able to just reference the alert name in alert_actions.conf and configure the command trigger on the forwarder?

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Regleston
New Member

That's what I thought would be the case but wanted to confirm, thanks Rich.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...