Alerting

Custom Alert Action ui validation for empty values

gavins_k1
Path Finder

Hi all,

I am trying to create a custom alert action, trying to add any validation to the ui fields doesnt work.
I am trying to test to see if a field has been left empty, my restmap.conf contains:
[validation:savedsearch]
action.myaction.param.title = validate( len(trim('action.myaction.param.title')) > 0), "Title cannot be empty")

I have also tried
action.myaction.param.title = validate( isnotnull('action.myaction.param.title'), "Title cannot be empty")

and
action.myaction.param.title = validate( match('action.myaction.param.title',"^\w+"), "Title cannot be empty")

and a bunch of others that I thought would have been false for an empty ui field, and therefore trigger the error message. The alert was able to be saved regardless if the ui field had any text in it or not.

Does anyone have any ideas of how to check for an empty ui field in an a custom alert action?

thanks

Tags (1)
0 Karma
1 Solution

harsmarvania57
Ultra Champion

Can you please try below restmap.conf ? In below example I assume that your alert_actions.conf contains stanza with heading [myaction]

[validation:savedsearch]
action.myaction = case('action.myaction' != "1", null(), 'action.myaction.param.title' == "action.myaction.param.title" OR 'action.myaction.param.title' == "", "Title cannot be empty",  1==1, null())

View solution in original post

harsmarvania57
Ultra Champion

Can you please try below restmap.conf ? In below example I assume that your alert_actions.conf contains stanza with heading [myaction]

[validation:savedsearch]
action.myaction = case('action.myaction' != "1", null(), 'action.myaction.param.title' == "action.myaction.param.title" OR 'action.myaction.param.title' == "", "Title cannot be empty",  1==1, null())

gavins_k1
Path Finder

That is working! Thanks very much.

Am I understanding this correctly, to check for a null/empty field you need to check when the alert is saved i.e. 'action.myaction' not on the field itself 'action.myaction.param.title'?

0 Karma

santosh_sshanbh
Path Finder

How should I validate multiple parameter values using above logic? I wrote something like below in restmap.conf but its not working and giving error even if the data is entered.

[validation:savedsearch]

Require parameters to be set if webhook action is enabled

action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

0 Karma

harsmarvania57
Ultra Champion

@santosh_sshanbhag please post new question

0 Karma

santosh_sshanbh
Path Finder

Ok, posted a new thread as

'How to add validation for multiple parameters in custom alert action'

Please help if you are aware of the solution.

0 Karma

harsmarvania57
Ultra Champion

Yes you are correct

0 Karma

hardikJsheth
Motivator

Your configurations for validation of parameter on alert ui is correct. You are looking for empty value right!

Did you try with isnull method?

0 Karma

gavins_k1
Path Finder

i tried using isnull as well...
the only validations i could get doing anything at all:

action.myaction.param.title = validate( 1!=1 , 'just give me an error')

which always gave an error

action.myaction.param.title = validate( 'action.myaction.param.title' == "1" , "title is not 1")

which would give an error when i made the title box 1

it felt like if i used a eval function, the validation doesnt work. with this, i also thought the paramater name might be reserved, so i tried everything again using "..mytitle" instead of "..title" with no luck.

0 Karma

harsmarvania57
Ultra Champion

After changing restmap.conf, have you restarted splunk ?

0 Karma

gavins_k1
Path Finder

yes, each time restmap.conf is changed, I am restarting splunk

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...