Alerting

Can you add your own custom alert action?

Super Champion

There are a number of existing alerting conditions provided out of the box, such as populate_lookup, rss, email, and so on. I noticed that these are all defined in alert_actions.conf, so that begs the question: Is it possible to simply add your own custom alerting action by adding an appropriate config entry?

It looks like you would have to write your own custom search command to correspond to a new alert action, but that's not too difficult.

Does Splunk intended this as a feature, or is is merely to be used internally for Splunk's own stuff?

What are the permissions considerations? Is it basically who ever can execute the associated search command can also use the alerting action that calls it?

Super Champion

Yes, you can create your own custom alert action. I've published an app on splunk base, which can serve as an example:

http://www.splunkbase.com/apps/All/4.x/Add-On/app:RunSavedSearch+alert+action

0 Karma

Splunk Employee
Splunk Employee

Maybe you could, but why would you? You can already pipe to a script or call a script based on an alert. You don't get any new UI or anything, just more files to do the same thing.

Super Champion
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!