Alerting

alert_actions.conf on Splunk Forwarder

Regleston
New Member

I am looking into the ability to set a script to run when an alert is triggered. My Splunk GUI tells me that the option to trigger a command is deprecated. So I started looking into creating alert_actions.conf. Can this file be in /system/local on the forwarder and not on the DC or DS? Also if the alert is setup through the GUI would I be able to just reference the alert name in alert_actions.conf and configure the command trigger on the forwarder?

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can put the file on the forwarder, but it won't do any good. Forwarders do not process alerts - search heads do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Regleston
New Member

That's what I thought would be the case but wanted to confirm, thanks Rich.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...