Custom alert action ui input

Path Finder

I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the xml written to stdin and writes it to a log. This works fine. I've added a UI element, with a couple fields that a user can write to. I'd like the input from this also written to this xml, so that I can pass it to my script. I can't figure out how to do this. The ui input does show up in savedsearches.conf. How can I get the value entered into the ui elements to be passed to my script?

Thanks!

1 Solution

Path Finder

Ok, I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong; I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf the [stanza_name] must be the same as the script it executes, which must be the same in savedsearches.conf action.stanza_name.param.foo. So in the UI HTML, you just use the action.stanza_name.param.foo when declaring the input.

I hope this explanation helps someone else in this position!

Explorer

This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!

0 Karma

New Member

Hi @jbullough, I got the same problem where the variables declared in HTML cannot be passed to savedsearches.conf. I did double-check and can confirm the names are identical, as mentioned in your answer. Could anything else be causing the issue?

html file as below:

```html
<div class="control-group">
    <label class="control-label" for="username">Username</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
          The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
          What is this user credential used for?
        </span>
    </div>
</div>
```

savedsearches.conf.spec as below:

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

0 Karma
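
As an added example (not code from this thread or from Splunk), here is how the script side could read the two values once the names line up. It assumes `payload_format = json` in the `[fortigate_alert]` stanza of alert_actions.conf, so each `action.fortigate_alert.param.<name>` input arrives under the payload's `configuration` key; the validation patterns and the sample payload are constructed.

```python
import json
import re
import sys

# Allowlist patterns for the two fields declared in the HTML form on this page.
# The patterns themselves are an assumption; tighten them to your naming rules.
PARAM_RULES = {
    "username": re.compile(r"[A-Za-z0-9._-]{1,64}"),
    "realm": re.compile(r"[A-Za-z0-9 ._-]{1,128}"),
}


def extract_params(payload_text):
    """Return validated params from the alert payload, or raise ValueError."""
    payload = json.loads(payload_text)
    # An input named action.<stanza>.param.<name> arrives as configuration[<name>].
    config = payload.get("configuration") or {}
    params = {}
    for name, rule in PARAM_RULES.items():
        value = str(config.get(name, "")).strip()
        if not rule.fullmatch(value):
            raise ValueError("missing or invalid alert parameter: " + name)
        params[name] = value
    return params


def redact(payload_text):
    """Copy of the payload that is safe to log (session_key masked)."""
    payload = json.loads(payload_text)
    if "session_key" in payload:
        payload["session_key"] = "<redacted>"
    return payload


# Constructed sample payload, not captured from a real Splunk instance.
SAMPLE = json.dumps({
    "search_name": "constructed example search",
    "session_key": "constructed-session-key",
    "configuration": {"username": "svc_splunk", "realm": "fortigate ssh"},
})

if __name__ == "__main__":
    # Splunk runs the script with --execute and writes the payload to stdin.
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        try:
            print(extract_params(sys.stdin.read()), file=sys.stderr)
        except ValueError as exc:
            print("ERROR " + str(exc), file=sys.stderr)
            sys.exit(2)
    else:
        print(extract_params(SAMPLE))
```

Because the form values are typed by whoever edits the alert and end up feeding an SSH login, the script rejects anything outside the allowlist and masks `session_key` before the payload is written to a log.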

Path Finder

@diwaly2019 you are missing underscore marks.

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

Btw do you guys know how we are able to run JavaScript in this HTML file?

0 Karma

Path Finder

This can be done with ARF in Splunk, where you can have an input field to accept text input or a value, and that value is passed to a script to trigger some action and remediate your use case.

This link shall answer your query to resolution. Follow the same.

0 Karma

Path Finder

I appreciate the answer, no idea what ARF is. I got it working, thanks!

0 Karma

Path Finder

Cool. 🙂

0 Karma