Why is custom alert action not working?

tlsawyer — Fri, 14 Apr 2023 18:45:46 GMT

I'm new to writing apps for Splunk, so I'm trying something simple. A raw payload dump. I have the alert set to log the event and fire off my custom action when CPU usage >20%, and only once every 15 minutes. So i have a reliable trigger source. However, it never seems to launch my action and I can't for the life of me figure out why. I'm trying to get the code to write a line to one file when it launches, write debug to another, and write both json and raw to separate files so I can decide on parsing later. Any thoughts on what I'm doing wrong here?? I'm not even getting the line in the file to let me know it tried to run.

alert_actions.conf:

[NCPAServiceAlert]
is_custom = 1
label = NCPA Service Alert
description = Test Alert for NCPA Listener Service
icon_path = awesomesauce.PNG
payload_format = json
python.version = python3

NCPAServiceAlert.py:

import json
import sys
import logging
import time
import datetime

ts = time.time()
sttime = datetime.datetime.fromtimestamp(ts).strftime('%Y%m%d_%H:%M:%S - ')

didirun = "C:/Users/Public/debug/Did_I_Run.txt"
with open(didirun, "w+") as d:
d.write(sttime + " I ran. Can't say much about the rest though." + \n)

logging.basicConfig(filename='C:/Users/Public/debug/debug.txt', filemode='w' encoding='utf-8', level=logging.DEBUG)

class NCPAServiceAlert:
def __init__(self):
logging.debug()
self.params = [
#"configuration"
#"text"
]

def send_alert
logging.debug()
filejson = "C:/Users/Public/debug/alertdump.txt"
with open(filejson, "w+") as f:
payload = json.loads(sys.stdin.read())
f.write(payload)
fileraw = "C:/Users/Public/debug/generic_dump.txt"
with open(fileraw, "w+") as g:
payload = sys.stdin.read()
g.write(payload)

if __name__ == "__main__":
logging.debug()
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
sys.stderr.write(FATAL EXCEPTION (expected --execute flag)\n)
sys.exit(1)
if not send_alert()
sys.exit(2)

except Exception as e:
sys.stderr.write(ERROR - Unexpected error %s\n % e)
sys.exit(3)

Re: Why is custom alert action not working?

richgalloway — Fri, 14 Apr 2023 20:57:52 GMT

The alert_actions.conf stanza is missing alert.execute.cmd = <file in bin directory> so Splunk knows what code to run when the alert triggers.

Re: Why is custom alert action not working?

tlsawyer — Mon, 17 Apr 2023 17:48:05 GMT

Awesome, I'll try adding that. I didn't see that in other apps but I'll give her a try. Thanks man.

Re: Why is custom alert action not working?

tlsawyer — Mon, 17 Apr 2023 21:25:59 GMT

Hmm, still not working. I'm trying to find the logs and see if there is anything that would help figure out the cause.

Re: Why is custom alert action not working?

tlsawyer — Mon, 24 Apr 2023 17:21:06 GMT

Well I found the problem. The script runs when I comment out the execute flag check section. Might be a bit of a problem, as it seems this is supposed to be in there for live apps.

topic Re: Why is custom alert action not working? in Alerting

Why is custom alert action not working?

Re: Why is custom alert action not working?

Re: Why is custom alert action not working?

Re: Why is custom alert action not working?

Re: Why is custom alert action not working?