Savedsearches

search = <string>

The actual search string for the saved search.
For example, 'search = index::sampledata http NOT 500'.
Your search can include macro searches for substitution.
To learn more about creating a macro search, search the documentation for
"macro search."
Multi-line search strings currently have some limitations. For example use
with the search command '|savedsearch' does not currently work with multi-line
search strings.
No default.

実行するサーチ文を入力する。
サーチ文をconf内で改行する際は、行末に""を入力する。

cron_schedule = <cron string>

The cron schedule that is used to run this search.
For example: */5 * * * * causes the search to run every 5 minutes.
You can use standard cron notation to define your scheduled search interval.
In particular, cron can accept this type of notation: 00,20,40 * * * *, which
runs the search every hour at hh:00, hh:20, hh:40.
A cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.
You should schedule your searches so that they are staggered over time.
This reduces system load. Running all of the saved searches every 20 minutes
(*/20) means all of the searches would launch at hh:00 (20, 40) and might
slow your system every 20 minutes.
The Splunk cron implementation does not currently support names of
months or days.
No default.

実行時間をcron形式で入力する。

realtime_schedule = [0|1]

Controls the way the scheduler computes the next run time of a
scheduled search.
If set to 1, the scheduler determines the next scheduled search run time
based on the current time.
- NOTE: When set to 1, the scheduler might skip some execution periods
  to make sure that the scheduler is executing the searches that are running
  over the most recent time range.
If set to 0, the scheduler determines the next scheduled search run time
based on the last run time for the search. This is called continuous
scheduling.
- NOTE: When set to 0, the scheduler never skips scheduled execution periods.
  However, the execution of the saved search might fall behind
  depending on the scheduler's load.
- Use continuous scheduling whenever you enable the 'summary index' option.
The scheduler tries to run searches that have 'realtime_schedule' set to 1
before it runs searches that have continuous scheduling
(realtime_schedule = 0).
Default: 1

0に設定するとアラートをスキップしないが実行が遅れる場合がある。
1に設定するとアラートはスキップされる。

schedule_priority = [ default | higher | highest ]

Raises the scheduling priority of a search:
- When set to "default", specifies that there is no increase to the scheduling
  priority.
- When set to "higher", specifies that the scheduling priority is higher than
  other searches of the same scheduling tier. While there are four tiers of
  priority for scheduled searches, only the following are affected by this
  setting:
  1. Real-Time-Scheduled (realtime_schedule=1).
  2. Continuous-Scheduled (realtime_schedule=0).
- When set to "highest", specifies that the scheduling priority is higher
  than other searches regardless of scheduling tier. However,
  real-time-scheduled searches with 'schedule_priority = highest' always have
  priority over continuous scheduled searches with 'schedule_priority = highest'.
- The high-to-low order is:
  RTSS(H) > CSS(H) > RTSS(h) > RTSS(d) > CSS(h) > CSS(d)
  Where:
  RTSS = real-time-scheduled search
  CSS = continuous-scheduled search
  d = default
  h = higher
  H = highest
The scheduler honors a non-default priority only when the search owner has
the 'edit_search_schedule_priority' capability.
- A non-default priority is mutually exclusive with a non-zero 'schedule_window'
  (see below). If a user specifies both for a scheduled search, the scheduler
  honors the priority only.
- However, if a user specifies both settings for a search, but the search owner
  does not have the 'edit_search_scheduler_priority' capability, then the
  scheduler ignores the priority setting and honors the 'schedule_window'.
CAUTION: Having too many searches with a non-default priority will impede the
ability of the scheduler to minimize search starvation. Use this setting
only for mission-critical searches.
Default: default

アラートに優先度を設定する。
必要なものにだけ、設定しないと効果が低い。

counttype = [ number of events | number of hosts | number of sources | custom | always ]

Set the type of count for alerting.
Used with the 'relation' and 'quantity' settings.
NOTE: If you specify "always," do not set 'relation' or 'quantity'.
Default: always

"relation"、"quantity"とセットで用いる。

relation = [ greater than | less than | equal to | not equal to | drops by | rises by ]

Specifies how to compare against 'counttype'.
Default: empty string

"counttype"、"quantity"とセットで用いる。

quantity = <integer>

Specifies a value for the 'counttype' and 'relation', to determine the condition
under which an alert is triggered by a saved search.
Think of it as a sentence constructed like this: <counttype> <relation> <quantity>.
- For example, "number of events [is] greater than 10" sends an alert when the
  count of events is larger than by 10.
- For example, "number of events drops by 10%" sends an alert when the count of
  events drops by 10%.
Default: empty string

"counttype"、"relation"とセットで用いる。
イメージとしては、<counttype> <relation> <quantity>.
アラートの発砲条件として、設定する。

action.summary_index = 0 | 1

Enables or disables the summary index action.
Specify 1 to enable, 0 to disable.
Default: 0

アラートの結果をサマリインデックスに出力する。

action.summary_index.inline = <boolean>

Specify whether to run the summary indexing action as part of the
scheduled search.
NOTE: This option is considered only if the summary index action is enabled
and is always run (in other words, if 'counttype = always').
Default: 1 (true)

アラートの結果を表示する際に、サーチ文にsummaryindexコマンドを追加して表示する。

action.summary_index._name = <index>

Specifies the name of the summary index where the results of the scheduled
search are saved.
Default: summary

出力するサマリインデックスを指定する。

dispatch.earliest_time = <time-str>

Specifies the earliest time for this search. Can be a relative or absolute
time.
If this value is an absolute time, use the 'dispatch.time_format' setting
to format the value.
Default: empty string

サーチの検索範囲を決定する。
_timeの最古の時間を指定する。

dispatch.latest_time = <time-str>

Specifies the latest time for this saved search. Can be a relative or
absolute time.
If this value is an absolute time, use the 'dispatch.time_format' setting
to format the value.
Default: empty string

サーチの検索範囲を決定する。
_timeの最新の時間を指定する。

dispatch.index_earliest= <time-str>

Specifies the earliest index time for this search. Can be a relative or
absolute time.
If this value is an absolute time, use the 'dispatch.time_format setting
to format the value.
Defaults to empty string.

サーチの検索範囲を決定する。
_index_timeの最古の時間を指定する。

dispatch.index_latest= <time-str>

Specifies the latest index time for this saved search. Can be a relative or
absolute time.
If this value is an absolute time, use the 'dispatch.time_format' setting
to format the value.
Default: empty string

サーチの検索範囲を決定する。
_index_timeの最新の時間を指定する。

alert.suppress = 0 | 1

Specifies whether alert suppression is enabled for this scheduled search.
Default: 0 (false)

アラートを抑制するかどうか決定する。

alert.suppress.period = <time-specifier>

Sets the suppression period. Use [number][time-unit] to specify a time.
For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes.
Honored if and only if 'alert.suppress = 1'.
Default: empty string

アラートの抑制期間を設定する。

alert.digest_mode = <boolean>

Specifies whether Splunk applies the alert actions to the entire result set
or to each individual result.
Default: true

アラートによる出力結果をまとめて出力するか、個別に出力するかを設定する。

alert.track = <boolean> | auto

Specifies whether to track the actions triggered by this scheduled search.
- auto - determine whether to track or not based on the tracking setting of
  each action, do not track scheduled searches that always trigger actions.
- true - force alert tracking.
- false - disable alert tracking for this search.
Default: auto

アラートを追跡するかどうか設定する。
この設定が auto の場合、counttype の設定値が always の時は追跡しない。

alert.expires = <time-specifier>

Sets the period of time to show the alert on the Triggered Alerts page.
- Use [number][time-unit] to specify a time.
- For example: 60s = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour etc
This setting is only honored when 'alert.track = true' (when the "Add to
Triggered Alerts" action is selected for the alert in Splunk Web).
This property is valid until splunkd restarts. Restart clears the listing of
triggered alerts.
Default: 24h

Triggered Alertsとして記録するアラートの期間を設定する。
※この機能を適用するためにはSplunkdの再起動が必要である。

search = <string>​

cron_schedule = <cron string>​

realtime_schedule = [0|1]​

schedule_priority = [ default | higher | highest ]​

counttype = [ number of events | number of hosts | number of sources | custom | always ]​

relation = [ greater than | less than | equal to | not equal to | drops by | rises by ]​

quantity = <integer>​

action.summary_index = 0 | 1​

action.summary_index.inline = <boolean>​

action.summary_index._name = <index>​

dispatch.earliest_time = <time-str>​

dispatch.latest_time = <time-str>​

dispatch.index_earliest= <time-str>​

dispatch.index_latest= <time-str>​

alert.suppress = 0 | 1​

alert.suppress.period = <time-specifier>​

alert.digest_mode = <boolean>​

alert.track = <boolean> | auto​

alert.expires = <time-specifier>​