topic Re: How to add custom fields to the alert? in Alerting

How to add custom fields to the alert?

kkawatra — Tue, 02 Aug 2022 23:55:28 GMT

Hi,

We are looking to add a custom field to our alerts to BigPanda. Is there a way to add fields natively or a workaround done by any Splunk users?

Thanks,

Kay

Re: How to add custom fields to the alert?

gcusello — Wed, 03 Aug 2022 06:53:25 GMT

Hi @kkawatra,

your question is just a little vague!

In general, answer is yes.

Could you better describe your request?

are you speaking of fields from the search of from a lookup?
are you speaking of fixed fields?
are you speaking of adding custom fields to the results or to the message?

in other words, please share your search and better describe your request.

Ciao.

Giuseppe

Re: How to add custom fields to the alert?

kkawatra — Wed, 03 Aug 2022 21:55:10 GMT

Hi @gcusello,

Thank you for the response.

First of all I'm new to Splunk, so pardon my lack of knowledge.

Second, I want to say adding custom fields to the results

The idea is to send splunk alerts to BigPanda. But for BigPanda to accept those alerts and further move along to create ticket and attach any TSGs, its looking for very specific fields. So, I was wondering if we can send the payload with custom fields via webhook or we can send it over BigPanda integration(preferred).

Thanks,

Kay

Re: How to add custom fields to the alert?

ITWhisperer — Thu, 04 Aug 2022 06:44:38 GMT

An alert is triggered by conditions being satisfied by the results of a search - the search can contain additional fields (as @gcusello says) simply by using, for example, the eval command or lookup command.

Start by creating a search that produces the results you want in your alert.

Re: How to add custom fields to the alert?

gcusello — Thu, 04 Aug 2022 07:04:54 GMT

Hi @kkawatra,

as @ITWhisperer said, you have two ways to add custom fields to your search:

eval command, if you have few and fixed values to add,
lookup if you have many or variable values to add.

some sample to better understand:

if you have to add e.g. the name of the customer, you could add:

| eval customer="customer1"

in this way all the events will have this fixed field.

If you would e.g. add the location of a server taken from a lookup called perimeter.csv, you have to find a key (e.g. "host") and all the lookup command:

<your_search> | lookup perimeter.csv host OUTPUT location | table _time <all_your_fields> location

In additio, if you need to have fixed names for the fields, you could use the "rename" command.

If you aren't expert in SPL, you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial) that theaches you about SPL.

Ciao.

Giuseppe

Re: How to add custom fields to the alert?

Siddharth — Fri, 05 Aug 2022 13:30:56 GMT

No you can't do this by default for this you have to create your own custom alert app. I would recommend use this custom add-on app it will help you to create the alert addon

https://splunkbase.splunk.com/app/2962/

also have a look on this video it will help you

https://www.youtube.com/watch?v=UqJAc7rpFmQ&t=185s

Let me know if it helps

Re: How to add custom fields to the alert?

kkawatra — Fri, 05 Aug 2022 15:46:19 GMT

This worked, thanks @gcusello