Alerting

Can we customize PagerDuty alert with urgency?

GoJoker
New Member

Hey,

Currently we have successfully integrated PagerDuty in Splunk, which means whenever a Splunk alert is triggered a PagerDuty alert will be created and shown in our PagerDuty service. Now we are looking for a way to customize the urgency. All the alerts have "High" urgency in PagerDuty by default when the Splunk integration creates these alerts, and we want to specify that in the custom details here:

Screenshot 2023-03-30 at 15.05.17.png

Tried a few things with adding "urgency" to the JSON but without any success. Also, the documentation is not referencing the urgency anywhere. Does anybody know how to do this?

Thanks

0 Karma

Gr0und_Z3r0
Contributor

Hi @GoJoker

Based on the documentation for PagerDuty alert creation, you can use the custom details section to set the severity of the alert from Splunk. Urgencies in PagerDuty can be set based on this severity; you'll need to select the "Dynamic notifications based on alert severity" option along with your custom assign and escalation policy. There is no configuration available in the current add-on to set these options; you'll have to set the severity in the custom details segment of the alert.

Reference:

https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event

https://support.pagerduty.com/docs/configurable-service-settings#:~:text=PagerDuty%20uses%20the%20co....


~ If the above reply helps, a Karma upvote would be appreciated.

0 Karma

lambertg
Engager

Dynamic notifications based on severity is looking for severity in the root of the payload. The PagerDuty add-on inserts the custom_details JSON object into the payload and it will not get recognized.

However, you can create an event orchestration that looks for severity in the custom_details object and sets the severity based on the content of the severity field.

{
  "client": "Splunk",
  "client_url": "<<splunkurl>>",
  "contexts": null,
  "description": "<<incident_descr>>",
  "event_type": "trigger",
  "incident_key": "<<incident_key>>",
  "service_key": "<<service_key>>",
  "details": {
    "LastSuccessfulCall": "Friday Dec 08, 2023 04:41:58PM",
    "active": "true",
    "custom_details": {
      "severity": "info"
    },
    "field1": "value1",
    "field2": "value2"
  }
}

 

0 Karma
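A local model of the lookup described in the reply above, as an added example that is not part of the thread or of the PagerDuty add-on: it shows that a root-level `severity` read finds nothing in this payload shape, while the nested path `details.custom_details.severity` does. The function names, the constructed sample event, the fallback to `critical`, and the severity-to-urgency mapping (critical/error as high, warning/info as low) are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the payload posted above (placeholder values).
SAMPLE_EVENT = json.loads("""
{
  "client": "Splunk",
  "event_type": "trigger",
  "incident_key": "example-key",
  "service_key": "example-service-key",
  "description": "example alert",
  "details": {
    "custom_details": {"severity": "info"},
    "field1": "value1"
  }
}
""")

VALID_SEVERITIES = ("critical", "error", "warning", "info")
# Assumption: with dynamic notifications enabled, critical/error create
# high-urgency incidents and warning/info create low-urgency ones.
URGENCY = {"critical": "high", "error": "high", "warning": "low", "info": "low"}
NESTED_PATH = ("details", "custom_details", "severity")


def lookup(event, path):
    """Walk a key path through nested dicts; return None if any step is missing."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def resolve_severity(event, default="critical"):
    """Return (severity, source): root-level value first, then the nested one.

    The default is an assumption that mirrors the thread's observation that
    alerts without a recognized severity arrive as High urgency.
    """
    for source, path in (("root", ("severity",)), ("custom_details", NESTED_PATH)):
        value = lookup(event, path)
        if isinstance(value, str) and value.strip().lower() in VALID_SEVERITIES:
            return value.strip().lower(), source
    return default, "default"


def resolve_urgency(event):
    """Map the resolved severity to the urgency the incident would get."""
    return URGENCY[resolve_severity(event)[0]]
```

Running Splunk alert payloads through `resolve_severity` before rollout shows which saved searches still fall through to the default and would keep paging at high urgency.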