Custom alert action ui input

jbullough
Path Finder

I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the XML written to stdin and writes it to a log. This works fine. I've added a UI element with a couple of fields that a user can write to. I'd like the input from these also written to this XML, so that I can pass it to my script. I can't figure out how to do this. The UI input does show up in savedsearches.conf. How can I get the values entered into the UI elements passed to my script?

Thanks!

1 Solution

jbullough
Path Finder

OK, I figured out what I was missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong; I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf, the [stanza_name] must be the same as the name of the script it executes, and that same name is used in savedsearches.conf as action.stanza_name.param.foo. So in the UI HTML, you just use action.stanza_name.param.foo as the name when declaring the input.

I hope this explanation helps someone else in this position!


hexxamillion
Explorer

This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!


diwaly2019
New Member

Hi @jbullough, I have the same problem: the variables declared in the HTML are not passed to savedsearches.conf. I double-checked and can confirm the names are identical, as mentioned in your answer. Is there anything else that might cause the issue?

HTML file as below:

```
<div class="control-group">
    <label class="control-label" for="username">Username</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
          The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
          What is this user credential used for?
        </span>
    </div>
</div>
```

savedsearches.conf.spec as below:

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

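The full chain the accepted answer describes, using the names from the post above, as an added example (not code from the thread). The docstring lists the four places the stanza name has to agree; the script shows what the `action.fortigate_alert.param.*` values look like once Splunk hands them to the script on stdin (with `--execute`, Splunk writes a single JSON payload, and the params appear under `configuration` with the `action.fortigate_alert.param.` prefix already stripped). The sample payload, the host `fw1.example.net` and the remote command are constructed placeholders. Because `username` is a free-text UI field that ends up in an SSH target, the example also allow-lists it and builds `argv` as a list rather than a shell string, which is the check a practitioner would want before wiring this to a firewall.

```python
"""fortigate_alert.py: skeleton of a Splunk custom alert action script.

Naming chain that ties the pieces together (this is what the accepted
answer describes, with the names from the post above):

  default/alert_actions.conf      [fortigate_alert]          stanza name
  bin/fortigate_alert.py                                     script, same name
  README/savedsearches.conf.spec  action.fortigate_alert.param.username = <string>
                                  action.fortigate_alert.param.realm = <string>
  default/data/ui/alerts/fortigate_alert.html
                                  <input name="action.fortigate_alert.param.username">

Splunk runs  bin/fortigate_alert.py --execute  and writes one JSON document
to stdin; the UI values arrive in payload["configuration"] under the bare
param name ("username"), i.e. without "action.fortigate_alert.param.".
Added example, not code from the thread.
"""
import json
import re
import sys

REQUIRED_PARAMS = ("username", "realm")

# Allow-list for a login name. The UI field is free text and the value ends
# up in an SSH target, so reject shell metacharacters, whitespace, "@"
# (which would re-target the login) and a leading "-" (ssh would read
# "-oProxyCommand=...@host" as an option, not a user).
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

# Constructed sample in the documented payload shape (values are made up).
SAMPLE_PAYLOAD = json.dumps({
    "session_key": "redacted",
    "configuration": {"username": "fwadmin", "realm": "fortigate-prod"},
    "result": {"src_ip": "203.0.113.7", "count": "42"},
    "search_name": "Fortigate SSH brute force",
    "sid": "scheduler__admin__search__example",
})


def load_sample_payload():
    """Parse the constructed sample exactly as read_payload() parses stdin."""
    return json.loads(SAMPLE_PAYLOAD)


def read_payload(stream):
    """Parse the JSON that Splunk writes to stdin on --execute."""
    return json.load(stream)


def missing_params(configuration):
    """Names of required params that are absent or empty in `configuration`."""
    return [p for p in REQUIRED_PARAMS if not configuration.get(p)]


def get_params(payload):
    """Extract this action's params from payload["configuration"]."""
    conf = payload.get("configuration", {})
    missing = missing_params(conf)
    if missing:
        raise ValueError("missing alert action params: " + ", ".join(missing))
    return {p: str(conf[p]) for p in REQUIRED_PARAMS}


def is_safe_username(name):
    return bool(USERNAME_RE.match(name))


def build_ssh_argv(params, host, remote_command):
    """argv for subprocess.run() in list form: no shell, so the UI-supplied
    value is passed as one argument instead of being interpreted."""
    user = params["username"]
    if not is_safe_username(user):
        raise ValueError("refusing unsafe username %r" % user)
    return ["ssh", "-o", "BatchMode=yes", "%s@%s" % (user, host)] + list(remote_command)


def main(argv):
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL: unsupported execution mode, expected --execute\n")
        return 1
    payload = read_payload(sys.stdin)
    params = get_params(payload)
    # What the original post's script did: log what arrived. stderr from an
    # alert action is recorded in splunkd.log.
    sys.stderr.write("INFO search=%r params=%r\n" % (payload.get("search_name"), params))
    # Placeholder target and command (assumptions, not from the thread).
    argv_for_ssh = build_ssh_argv(params, "fw1.example.net", ["get", "system", "status"])
    sys.stderr.write("INFO would run: %s\n" % " ".join(argv_for_ssh))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth noting when you copy this pattern. If the UI form also collects the SSH password, do not make it another `action.<stanza>.param.*` field: params are written in clear text to savedsearches.conf and travel in the payload; keep the secret in Splunk's secret storage (the `storage/passwords` REST endpoint) and fetch it in the script with the payload's `session_key`. And test the script from the command line by piping a payload into `splunk cmd python fortigate_alert.py --execute`, which is the quickest way to see whether `configuration` actually carries your param names.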

thinhdinh
Path Finder

@diwaly2019 you are missing underscore marks.

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

By the way, do you guys know how we are able to run JavaScript in this HTML file?


nit123
Path Finder

This can be done with ARF in Splunk, where you can have an input field to accept text input or a value, and that value is passed to the script to trigger some action and remediate your use case.

This link should answer your question. Follow the same steps.


jbullough
Path Finder

I appreciate the answer, no idea what ARF is. I got it working, thanks!


nit123
Path Finder

Cool. 🙂
