- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Custom Alert Action Arguments
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wrote a Python 3.7.3 script to interact with our paging system's web api. It takes three parameters from the alert's html UI: To, From, and Message. Inspecting the Job for the alert, I can see that the correct values are assigned to these parameters, however, we never receive a page. I believe that perhaps I am not reading them into the script correctly using sys.stdin.read() and parsing out the values. Any guidance would be appreciated.
Script: (constants declarations not included)
if __name__ == "__main__":
try:
# Get Arguments
payload = json.loads(sys.stdin.read())
payload = payload['configuration']
_to = payload['to']
_from = payload['from']
_message = payload['message']
# Start a request session
session = requests.Session()
# Get Access Token
auth = '%s:%s' % (CONSUMER_KEY, CONSUMER_SECRET)
encodedCred = str(base64.b64encode(bytes(auth, 'ascii')))[2:-1]
header = {'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Bearer ' + encodedCred}
body = "grant_type=client_credentials"
request = requests.Request('POST', TOKEN_URL, data=body, headers=header)
prepped = request.prepare()
response = session.send(prepped, verify=False)
if response.status_code != 200:
sys.exit(1)
prettyJSON = json.loads(response.text)
token = prettyJSON['access_token']
# Send Page
query_parameters = {'To': _to,
'From': _from,
'Message': _message
}
header = {"Authorization": "Bearer %s" % token, "Accept": "application/json"}
request = requests.Request('POST', PAGE_URL, data=query_parameters, headers=header)
prepped = request.prepare()
response = session.send(prepped, verify=False)
if response.status_code != 200:
sys.exit(1)
except Exception as ex:
sys.exit(1)
alert_actions.conf:
[ui]
is_visible = 1
label = Send a Page
[launcher]
author = sochsenbein
description = Send a page using the web api
version = 1.0
[install]
state = enabled
is_configured = 1
HTML:
<form class="form-horizontal form-complex">
<div class="control-group">
<label class="control-label" for="send_a_page_from">From </label>
<div class="controls">
<textarea name="action.send_a_page.param.from" id="send_a_page_from" placeholder="// your username here"></textarea>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send_a_page_to">To </label>
<div class="controls">
<textarea name="action.send_a_page.param.to" id="send_a_page_to" placeholder="// comma separate usernames"></textarea>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send_a_page_message">Message </label>
<div class="controls">
<textarea name="action.send_a_page.param.message" id="send_a_page_message" placeholder="// remember to keep the message short..."></textarea>
</div>
</div>
</form>
Documentation/References:
https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/CustomAlertConvertScripted
https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/ModAlertsCreate
https://answers.splunk.com/answers/442603/how-do-i-get-the-8-standard-alert-action-script-pa-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found that Splunk has its own symlink that points to Python 2.7, so after changing the code to work with Python 2.7, the scripts works fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found that Splunk has its own symlink that points to Python 2.7, so after changing the code to work with Python 2.7, the scripts works fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I just worked on a script that takes arguments. Here are the bits you need I believe:
payload = json.loads(sys.stdin.read())
config = payload['configuration']
_to = config.get('to')
_from = config.get('from')
_message = config.get('message')
Make sure you're importing the right Splunk libraries as well (not sure you need all these)
import sys, os
import splunk
import json
from urllib import urlencode
import urllib2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jnudell_2 the script works when ran from the command line. The imports I use are sys, requests, json, and base64 (Python 3.7.3). I compared that to another script we have that does work and it's only using sys, json, and urllib2. I am using those functions you listed, as well, minus the "get", I believe that's just Python 2. In 3 you can do var[key]. Do you know if Splunk logs errors for failed scripts? I looked through splunkd_stderr.log and splunkd_stdout.log but nothing referencing the script.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
