Solved: Custom alert action ui input

jbullough · ‎06-01-2017

I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the xml written to stdin and writes it to a log. This works fine. I've added a UI element, with a couple fields that a user can write to. I'd like the input from this also written to this xml, so that I can pass it to my script. I can't figure out how to do this. The ui input does show up in savedsearches.conf. How can I get the value entered into the ui elements to be passed to my script?

Thanks!

jbullough · ‎06-02-2017

Ok I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf the [stanza_name] must be the same as the script it executes, which must be the same in savedsearches.conf action.stanza_name.param.foo. So in the UI html, you just use the action.stanza_name.param.foo when declaring the input.

I hope this explanation helps someone else in this position!

View solution in original post

jbullough · ‎06-02-2017

Ok I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf the [stanza_name] must be the same as the script it executes, which must be the same in savedsearches.conf action.stanza_name.param.foo. So in the UI html, you just use the action.stanza_name.param.foo when declaring the input.

I hope this explanation helps someone else in this position!

hexxamillion · ‎02-21-2019

This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!

diwaly2019 · ‎02-19-2020

Hi @jbullough , I got the same problem where the variables declared in html cannot be passed to savedsearches.conf. I did double check and can confirm the names are identical as mentioned in your answer. Anything else may cause the issue?

html file as below:

    ```

<div class="control-group">
    <label class="control-label" for="username">Username</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
          The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
          What is this user credential used for?
        </span>
    </div>
</div>

```

savedsearches.conf.spec as below:

action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>

thinhdinh · ‎08-15-2020

@diwaly2019 you are missing underscore marks.

action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>

Btw do you guys know how we are able to run javascript in this HTML file?

nit123 · ‎06-02-2017

This can be done with ARF in Splunk where you can have an input field to accept text input or a value and that value is passed to script to trigger soem action and remediate your use case.

This link shall answer your query to resolution. Follow the same.

jbullough · ‎06-02-2017

I appreciate the answer, no idea what ARF is. I got it working, thanks!

nit123 · ‎06-02-2017

Cool. 🙂

Custom alert action ui input

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk