Alerting

Custom Alerts: how to use configured variables and search results in a bash script?

AKG1_old1
Builder

Hello,

I have created a custom alert which triggers a bash script. I am looking to pass some variables and search results to the bash script.

When this alert is triggered the bash script is executed, but it is static. I want to pass the variables defined below and also the results of the search that triggered this alert.

alert_action.conf

[custom_alert]
is_custom = 1
label = Custom Alert
description = Send Custom Alert to JIRA via Mule
icon_path = logevent.png
payload_format = json

param.type = Incident
param.priority = 3-Medium
param.reporter = ti-user

alert_action.conf.spec

[custom_alert]
param.summary = <string>
param.description = <string>
param.type = <string>
param.priority = <string>
param.reporter = <string>

Configured variables: [screenshot from the original post, not reproduced]

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @agoyal,

You need to read the payload value for this in your bash script, and from that payload you need to extract results_file and read that zipped results.csv for the search results.

To read the payload in your bash script, use "read payload" in the script.

AKG1_old1
Builder

@harsmarvania57: thanks for the reply. I am unsure about the syntax to use these variables in a bash script.

0 Karma

harsmarvania57
Ultra Champion

If you haven't written a bash script for the custom alert action yet, below is a starting point. The script reads the payload when the scheduled search executes, writes the JSON payload value to /var/tmp/alert_actions.log, and then I use sed to extract the results_file path from the JSON payload.

#!/bin/bash
# bash, not sh: the script uses the [[ ]] test, which plain sh does not have.

if [[ "$1" == "--execute" ]]; then
    # Splunk passes the alert payload as a single JSON document on stdin
    read -r payload
    echo "$payload" > /var/tmp/alert_actions.log

    # Extract the results_file value from the JSON payload (quote the variable
    # so spaces or globbing characters in the payload are not re-interpreted)
    results_file=$(echo "$payload" | sed -e 's/^.*"results_file"[ ]*:"//' -e 's/\({\|"\).*//')
    echo "$results_file" >> /var/tmp/alert_actions.log
fi

This is just the start of the script. Once you have the results_file path you need to read the compressed results CSV file; I prefer to read it with the zcat command in the script, then run a for loop over each result, extract the required values, and perform the required action in the bash script.

0 Karma

harsmarvania57
Ultra Champion

There are many other parameters and their values you can extract from the payload, the same way I extracted results_file in the bash script above.

0 Karma
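Putting the steps from the two answers above together, here is an added example that is not code from the thread or from Splunk. It is written in Python rather than bash because the sed one-liner in the starting-point script stops working as soon as a value in the payload or in a result row contains a quote or brace, and because building the request body with json.dumps keeps a quote in a search result from breaking out of the body the way it would in a hand-built curl -d string. It assumes the payload layout Splunk uses for custom alert actions: results_file points at a gzipped CSV, and the param.* values set on the alert arrive under a configuration object (check this against the payload your own script logs). The search name, the payload and the CSV rows are constructed for the offline demo. One caveat on the debugging approach above: the payload also carries the session_key for the Splunk REST API, so do not leave the full payload in a world-readable log once the script works.

```python
import csv
import gzip
import json
import os
import sys
import tempfile

# Constructed sample results (not from the thread); the second host contains a
# literal double quote, CSV-escaped as "".
SAMPLE_CSV = 'host,count,src_ip\nweb01,7,10.0.0.5\n"db""02",3,10.0.0.9\n'


def parse_payload(raw):
    """Parse the JSON document Splunk writes to stdin when the action runs
    with --execute. A real JSON parser, unlike the sed one-liner, is not
    thrown off by a quote or brace inside a value."""
    payload = json.loads(raw)
    return {
        "results_file": payload["results_file"],
        "search_name": payload.get("search_name", ""),
        # assumption: the alert's param.* values arrive under "configuration"
        "configuration": payload.get("configuration", {}),
    }


def read_results(path):
    """Read the gzipped results CSV referenced by results_file into dict rows."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_issue(info, row):
    """Build one issue per result row from the configured params and the row.
    Configured values win; otherwise summary/description are derived from
    the search name and the row itself."""
    cfg = info["configuration"]
    return {
        "summary": cfg.get("summary")
        or "%s on %s" % (cfg.get("type", "Incident"), row.get("host", "")),
        "description": cfg.get("description")
        or "%s\n%s" % (info["search_name"], json.dumps(row, sort_keys=True)),
        "type": cfg.get("type", "Incident"),
        "priority": cfg.get("priority", "3-Medium"),
        "reporter": cfg.get("reporter", ""),
    }


def encode_body(issue):
    """Serialise the issue as the JSON body to POST (for example with
    curl -d @- reading it from stdin). json.dumps escapes embedded quotes."""
    return json.dumps(issue, sort_keys=True)


def run(raw_payload):
    """Full pipeline: payload -> results rows -> one issue per row."""
    info = parse_payload(raw_payload)
    rows = read_results(info["results_file"])
    return info, rows, [build_issue(info, row) for row in rows]


def demo():
    """Offline run against a constructed payload and results file."""
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    try:
        with gzip.open(tmp.name, "wt", newline="") as fh:
            fh.write(SAMPLE_CSV)
        payload = json.dumps({
            "search_name": "Failed logins by host",  # constructed
            "results_file": tmp.name,
            "configuration": {"type": "Incident", "priority": "3-Medium",
                              "reporter": "ti-user"},
        })
        return run(payload)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        _, _, issues = run(sys.stdin.read())
    else:
        _, _, issues = demo()
    for issue in issues:
        print(encode_body(issue))
```

Run without arguments it prints one JSON body per constructed result row; run as the alert action with --execute it reads the real payload from stdin. Because the body is produced by json.dumps, the row value db"02 comes out as db\"02 inside the body instead of terminating the string early.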

AKG1_old1
Builder

@harsmarvania57: Thank you!! It worked 🙂 Please convert it to an Answer.

0 Karma

harsmarvania57
Ultra Champion

Great :).

0 Karma

AKG1_old1
Builder

Also, I am just executing a curl command in the bash script, so maybe I can directly use something like the below, but I am not sure how to define these variables.

action_alert.conf

alert.execute.cmd = curl
alert.execute.cmd.arg.1 = -d
alert.execute.cmd.arg.2 = '{"summary": " summary token"}'

0 Karma