Alerting

Can you add your own custom alert action?

Lowell
Super Champion

There are a number of existing alerting conditions provided out of the box, such as populate_lookup, rss, email, and so on. I noticed that these are all defined in alert_actions.conf, so that begs the question: Is it possible to simply add your own custom alerting action by adding an appropriate config entry?

It looks like you would have to write your own custom search command to correspond to a new alert action, but that's not too difficult.

Does Splunk intended this as a feature, or is is merely to be used internally for Splunk's own stuff?

What are the permissions considerations? Is it basically who ever can execute the associated search command can also use the alerting action that calls it?

Lowell
Super Champion

Yes, you can create your own custom alert action. I've published an app on splunk base, which can serve as an example:

http://www.splunkbase.com/apps/All/4.x/Add-On/app:RunSavedSearch+alert+action

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Maybe you could, but why would you? You can already pipe to a script or call a script based on an alert. You don't get any new UI or anything, just more files to do the same thing.

Lowell
Super Champion
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...