I deploy alert_actions.conf to the /etc/shcluster/apps/configuration/ folder on the Deployer.
Then I apply the shcluster-bundle to the SHC members. This puts alert_actions.conf in /etc/apps/configuration/default/alert_actions.conf on the SHC members, in the same manner as we use it for the authentication, outputs, and web conf files; however, it doesn't seem to take effect. When looking at python.log I continue to get failures saying "connection refused" when connecting to localhost to send these messages, which would lead me to believe some alert_actions.conf exists in default that has higher precedence than an app, potentially.
Using find, here are the files which match alert_actions.conf. I would expect /opt/splunk/etc/apps/configuration/default/alert_actions.conf to take precedence here.
/opt/splunk/etc/apps/configuration/default.old.20150813-163109/alert_actions.conf
/opt/splunk/etc/apps/configuration/default.old.20150813-155352/alert_actions.conf
/opt/splunk/etc/apps/configuration/default.old.20150813-163835/alert_actions.conf
/opt/splunk/etc/apps/configuration/default/alert_actions.conf
/opt/splunk/etc/system/default/alert_actions.conf
I then take a look using btool to determine what's getting used for alert_actions, and the following appears:
splunk cmd btool alert_actions list
[default]
hostname =
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 10p
[email]
auth_password =
auth_username =
bcc =
cc =
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"
footer.text = If you believe you've received this email in error, please see your Splunk administrator.
splunk > the engine for machine data
format = table
from = SplunkEmail@mydomain.com
hostname = splunksearch.mydomain.com
include.results_link = 1
include.search = 0
include.trigger = 0
include.trigger_time = 0
include.view_link = 1
inline = 0
mailserver = mailrelay.mydomain.com
maxresults = 10000
maxtime = 5m
message.alert = The alert condition for '$name$' was triggered.
message.report = The scheduled report '$name$' has run.
pdfview =
preprocess_results =
priority = 3
reportCIDFontList = gb cns jp kor
reportIncludeSplunkLogo = 1
reportPaperOrientation = portrait
reportPaperSize = letter
reportServerEnabled = false
reportServerURL =
sendcsv = 0
sendpdf = 0
sendresults = 0
subject = Splunk Alert: $name$
subject.alert = Splunk Alert: $name$
subject.report = Splunk Report: $name$
to =
track_alert = 1
ttl = 86400
useNSSubject = 0
use_ssl = 0
use_tls = 0
width_sort_columns = 1
[populate_lookup]
command = copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"
dest =
hostname =
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 120
[rss]
command = createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
hostname =
maxresults = 10000
maxtime = 1m
track_alert = 0
ttl = 86400
[script]
command = runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"
filename =
hostname =
maxresults = 10000
maxtime = 5m
track_alert = 1
ttl = 600
[summary_index]
name = summary
command = summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name_hash$$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\"$VAL\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.))$)(.)"}$"
hostname =
inline = 1
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 120
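To see which file actually supplies each effective setting, `splunk cmd btool alert_actions list --debug` prints the source path in front of every line. The script below is an added example, not Splunk's own code and not from the original post: it reproduces the file layering offline on a constructed etc/ tree modelled on the find and btool output above, so you can check what wins before touching a cluster member. It encodes the global-context precedence system/default < apps/<app>/default < apps/<app>/local < system/local (an assumption stated in the code; the relative order between several apps follows Splunk's ASCII-sort rule and is not reproduced here, so treat btool --debug as authoritative on a real instance). Only directories literally named default/ and local/ are read, which is why the default.old.<timestamp>/ backups listed above never contribute.

```python
"""Reproduce Splunk's conf-file layering for a global-context file such as
alert_actions.conf and report which file supplies each effective setting.
Added example for this thread, not Splunk's own code.

Precedence encoded, lowest to highest (assumption, see lead-in):
  system/default < apps/<app>/default < apps/<app>/local < system/local
Only directories literally named default/ and local/ are read, so the
default.old.<timestamp>/ backups the deployer leaves behind are ignored.
"""
import configparser
import os
import tempfile

CONF = "alert_actions.conf"

# (directory template under etc/, per app?) in increasing precedence.
LAYERS = (
    ("system/default", False),
    ("apps/{app}/default", True),
    ("apps/{app}/local", True),
    ("system/local", False),
)


def _parse(path):
    # [default] is an ordinary stanza in Splunk; stop configparser from
    # treating it as its magic DEFAULT section, and keep keys case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   default_section="__no_default__")
    cp.optionxform = str
    cp.read(path, encoding="utf-8")
    return cp


def layer_paths(etc_root, conf_name=CONF):
    """Existing copies of conf_name, relative to etc/, lowest precedence first."""
    apps_dir = os.path.join(etc_root, "apps")
    apps = sorted(os.listdir(apps_dir)) if os.path.isdir(apps_dir) else []
    found = []
    for template, per_app in LAYERS:
        for app in (apps if per_app else [None]):
            rel = os.path.join(template.format(app=app), conf_name)
            if os.path.isfile(os.path.join(etc_root, rel)):
                found.append(rel)
    return found


def effective(etc_root, conf_name=CONF):
    """Merge all layers key by key; a later layer overrides an earlier one.
    Returns {stanza: {key: (value, source_file_relative_to_etc)}}."""
    merged = {}
    for rel in layer_paths(etc_root, conf_name):
        cp = _parse(os.path.join(etc_root, rel))
        for stanza in cp.sections():
            dest = merged.setdefault(stanza, {})
            for key, val in cp.items(stanza):
                dest[key] = ("" if val is None else val, rel)
    return merged


def lookup(merged, stanza, key):
    """Resolve a key the way Splunk does: the stanza itself, then [default]."""
    for name in (stanza, "default"):
        if key in merged.get(name, {}):
            return merged[name][key]
    return (None, None)


# Constructed files, modelled on the find/btool output in the thread.
DEMO_FILES = {
    "system/default/alert_actions.conf": (
        "[default]\nhostname =\nmaxresults = 10000\nttl = 10p\n"
        "[email]\nmailserver = localhost\nfrom = splunk\nuse_ssl = 0\n"),
    "apps/configuration/default/alert_actions.conf": (
        "[email]\nmailserver = mailrelay.mydomain.com\n"
        "from = SplunkEmail@mydomain.com\nhostname = splunksearch.mydomain.com\n"),
    # Deployer backup copy: sits outside every layer and must be ignored.
    "apps/configuration/default.old.20150813-163109/alert_actions.conf": (
        "[email]\nmailserver = stale.invalid\n"),
}


def build_demo_tree(root):
    for rel, text in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo():
    """Effective [email] values and their sources for the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        merged = effective(root)
        keys = ("mailserver", "from", "hostname", "maxresults", "use_ssl")
        return {k: lookup(merged, "email", k) for k in keys}


if __name__ == "__main__":
    for key, (value, source) in demo().items():
        print(f"{key} = {value}\t# {source}")
```

Point `effective()` at a member's real /opt/splunk/etc to compare with btool. Note that the btool listing in the post already shows `mailserver = mailrelay.mydomain.com` coming through, so file precedence alone does not explain mail going to localhost; a per-search `action.email.mailserver` in savedsearches.conf overrides the alert_actions.conf value and is the next thing worth checking.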