I am looking into the ability to set a script to run when an alert is triggered. My Splunk GUI tells me that the option to trigger a command is deprecated. So I started looking into creating alert_actions.conf. Can this file be in /system/local on the forwarder and not on the DC or DS? Also if the alert is setup through the GUI would I be able to just reference the alert name in alert_actions.conf and configure the command trigger on the forwarder?
You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.
You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.
That's what I thought would be the case but wanted to confirm, thanks Rich.