Alerting

Custom alert action UI input

jbullough
Path Finder

I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the XML written to stdin and writes it to a log. This works fine. I've added a UI element with a couple of fields that a user can write to. I'd like the input from this also written to this XML, so that I can pass it to my script. I can't figure out how to do this. The UI input does show up in savedsearches.conf. How can I get the value entered into the UI elements passed to my script?

Thanks!

1 Solution

jbullough
Path Finder

OK, I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong; I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf the [stanza_name] must be the same as the script it executes, which must be the same in savedsearches.conf as action.stanza_name.param.foo. So in the UI HTML, you just use action.stanza_name.param.foo as the name when declaring the input.

I hope this explanation helps someone else in this position!

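The receiving side of that naming rule, as an added example that is not code from the original post or from Splunk's own sample app. It assumes the JSON payload shape Splunk passes on stdin when it runs `bin/<stanza>.py --execute` (the post's own sample logged raw XML): the values typed into the UI arrive under `payload["configuration"]` keyed by the part after `action.<stanza>.param.`. The stanza name `fortigate_alert`, the param names `username` and `realm`, and the sample payload are constructed for the example; the checker function flags the three places that must agree (stanza, script filename, HTML `name=` attributes and savedsearches.conf.spec keys).

```python
"""Added example, not code from the thread: the script side of the naming rule
in the accepted answer. Assumption: the JSON stdin payload of modern custom
alert actions, read by bin/<stanza>.py when Splunk runs it with --execute."""
import json
import os
import re
import sys

STANZA = "fortigate_alert"  # alert_actions.conf [fortigate_alert] -> bin/fortigate_alert.py
PARAM_PREFIX = f"action.{STANZA}.param."  # key prefix in savedsearches.conf and in the HTML name=
REQUIRED_PARAMS = ("username", "realm")

# Param values are typed into a UI text box, so treat them as untrusted:
# accept only characters that make sense for a login name or realm.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

# Constructed sample payload (assumed shape); every field value is made up.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__example_1700000000_1",
    "search_name": "Fortigate failed logins",
    "app": "fortigate_alert_app",
    "owner": "admin",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "REDACTED",
    "configuration": {"username": "splunk-ro", "realm": "fortigate_ssh"},
})

# Spec lines and HTML input names in the thread's naming scheme, as constructed test data.
SAMPLE_SPEC = """\
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
"""
SAMPLE_HTML_INPUT_NAMES = [
    "action.fortigate_alert.param.username",
    "action.fortigate_alert.param.realm",
]


def parse_spec_keys(spec_text):
    """Return the keys declared in a savedsearches.conf.spec fragment."""
    keys = []
    for line in spec_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.append(line.split("=", 1)[0].strip())
    return keys


def consistency_errors(stanza, script_path, html_input_names, spec_keys):
    """Check the places that must agree: stanza, script name, HTML names, spec keys."""
    errors = []
    base = os.path.splitext(os.path.basename(script_path))[0]
    if base != stanza:
        errors.append(f"script {script_path!r} does not match stanza [{stanza}]")
    prefix = f"action.{stanza}.param."
    for name in list(html_input_names) + list(spec_keys):
        if not name.startswith(prefix):
            errors.append(f"{name!r} does not start with {prefix!r}")
    html_params = {n[len(prefix):] for n in html_input_names if n.startswith(prefix)}
    spec_params = {k[len(prefix):] for k in spec_keys if k.startswith(prefix)}
    for p in sorted(html_params - spec_params):
        errors.append(f"param {p!r} is in the HTML but not in savedsearches.conf.spec")
    for p in sorted(spec_params - html_params):
        errors.append(f"param {p!r} is in savedsearches.conf.spec but not in the HTML")
    return errors


def load_params(payload_text):
    """Parse the stdin payload and return the validated UI params."""
    payload = json.loads(payload_text)
    config = payload.get("configuration")
    if not isinstance(config, dict):
        raise ValueError("payload has no 'configuration' object")
    params = {}
    for name in REQUIRED_PARAMS:
        value = config.get(name)
        if not value:
            raise ValueError(f"missing param {name!r}; check {PARAM_PREFIX}{name} in savedsearches.conf")
        if not isinstance(value, str) or not SAFE_VALUE.match(value):
            raise ValueError(f"param {name!r} contains unexpected characters")
        params[name] = value
    return params


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if "--execute" not in argv:
        print("FATAL Splunk runs this script with --execute", file=sys.stderr)
        return 1
    try:
        params = load_params(sys.stdin.read())
    except ValueError as exc:
        print(f"ERROR {exc}", file=sys.stderr)
        return 2
    # The password itself is not a UI param: look it up by realm/username in
    # Splunk's storage/passwords with payload["session_key"] before any SSH.
    print(f"INFO params received: username={params['username']} realm={params['realm']}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `consistency_errors(...)` against the real files catches the usual breakage (a script renamed without renaming the stanza, or a spec key whose `_` got lost) before the alert ever fires; `load_params` then refuses a payload whose params are missing or carry shell metacharacters, which matters when the value ends up in an SSH login command.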
hexxamillion
Explorer

This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!

0 Karma

diwaly2019
New Member

Hi @jbullough , I got the same problem where the variables declared in html cannot be passed to savedsearches.conf. I did double check and can confirm the names are identical as mentioned in your answer. Anything else may cause the issue?

HTML file as below:

```html
<!-- name= must be action.<stanza>.param.<param>; here the stanza is fortigate_alert -->
<div class="control-group">
    <label class="control-label" for="username">Username</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
          The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
          What is this user credential used for?
        </span>
    </div>
</div>
```

savedsearches.conf.spec as below:

action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>

0 Karma

thinhdinh
Path Finder

@diwaly2019  you are missing underscore marks.

action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>

Btw, do you guys know how we are able to run JavaScript in this HTML file?

0 Karma

nit123
Path Finder

This can be done with ARF in Splunk, where you can have an input field to accept text input or a value, and that value is passed to the script to trigger some action and remediate your use case.

This link shall answer your query to resolution. Follow the same.

0 Karma

jbullough
Path Finder

I appreciate the answer, no idea what ARF is. I got it working, thanks!

0 Karma

nit123
Path Finder

Cool. 🙂

0 Karma