I am very new to Splunk and just attended Splunk University and Splunk conf.2016 but left there with questions remaining that I am hoping I can get answered here.
My first question is with alerting.
We use Netcool OMNIbus as our event manager and would like to start sending alerts from Splunk to OMNIbus. While there are many options for alerting such as email and executing a script, I do not see an option for executing a binary and perhaps passing some parameters with it. One of the common ways we get events into OMNIbus is via posteifmsg which is a simple binary that you pass some parameters with.
For example, I could execute the following from another app, script, command line, ect.:
posteifmsg -f /lcl/apps/esm/posteifmsg_OMNIbus/config.ini -m "The server $host is down." GFS_Impact=5 GFS_Urgency=4 OnCallGroup=ProductionServices Generic Generic
I would like to be able to do the same thing from Splunk. It seems you would be able to call on a binary like posteifmsg and pass defined parameters from Splunk to this binary. Is this just not possible?
Thank you all for your time!!!
Building a custom alert action might be whats needed http://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/ModAlertsIntro if you can do what you need to do from python then worth considering
A quick bit of googling around I found "nco_postmsg: A simple data insert tool for Netcool/OMNIbus ObjectServer" which looks like it can be called from python.
Building a custom alert action might be whats needed http://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/ModAlertsIntro if you can do what you need to do from python then worth considering
A quick bit of googling around I found "nco_postmsg: A simple data insert tool for Netcool/OMNIbus ObjectServer" which looks like it can be called from python.
I have installed the Add-On Builder and started with that. Do you know where I could find sample code on doing such things as executing a binary like nco_postmsg and passing information to it? Thanks!
So I would try and break this down into 2 parts.
1) Initially focus on calling the binary from python directly (no Splunk). I found http://stackoverflow.com/questions/2473655/how-to-make-a-call-to-an-executable-from-python-script with a quick bit of googling.
2) Then follow http://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/ModAlertsIntro to work out how to incorporate the python (from step 1) you have written into the Modular Alerts framework.
Ok, so there is no way to execute a binary directly them from the Add-On Builder in Splunk? Just want to make sure I am understanding correctly. I would need to create a Python script that is called by the Add-On Builder and then that script would execute the binary?
Thank you!!!!
Given your scenario I think wrapping in python is the way to go.
Well, I made progress in the Splunk Add-On Builder. I am now able to execute my binary and pass the parameters that I have setup. The only thing I can't seem to figure out now is how to pass the event that set off the alert in the first place. See towards the bottom where it says "SPLUNK EVENT VALUE SHOULD BE HERE". I want to capture there what triggered the alert but I am unsure of how to call that information there.
Thank you for the assistance!!!!!
# encoding = utf-8
import os
import sys
import time
import datetime
import subprocess
def process_event(helper, *args, **kwargs):
"""
# IMPORTANT
# Do not remove the anchor macro:start and macro:end lines.
# These lines are used to generate sample code. If they are
# removed, the sample code will not be updated when configurations
# are updated.
[sample_code_macro:start]
# The following example gets the alert action parameters and prints them to the log
gfs_impact = helper.get_param("gfs_impact")
helper.log_info("gfs_impact={}".format(gfs_impact))
gfs_urgency = helper.get_param("gfs_urgency")
helper.log_info("gfs_urgency={}".format(gfs_urgency))
easyvista_category_id = helper.get_param("easyvista_category_id")
helper.log_info("easyvista_category_id={}".format(easyvista_category_id))
# The following example adds two sample events ("hello", "world")
# and writes them to Splunk
# NOTE: Call helper.writeevents() only once after all events
# have been added
helper.addevent("hello", sourcetype="sample_sourcetype")
helper.addevent("world", sourcetype="sample_sourcetype")
helper.writeevents(index="summary", host="localhost", source="localhost")
# The following example gets the events that trigger the alert
events = helper.get_events()
for event in events:
helper.log_info("event={}".format(event))
# helper.settings is a dict that includes environment configuration
# Example usage: helper.settings["server_uri"]
helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
[sample_code_macro:end]
"""
helper.log_info("Alert action OMNIbus started.")
# TODO: Implement your alert action logic here
value1="-f /lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/config.ini"
value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"
value3="GFS_Impact="+helper.get_param("gfs_impact")
value4="GFS_Urgency="+helper.get_param("gfs_urgency")
value5="ISOC_Instructions="+"'"+helper.get_param("easyvista_category_id")+"'"
value6="Generic"
value7="Generic"
os.system("/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/posteifmsg %s %s %s %s %s %s %s" % (value1,value2,value3,value4,value5,value6,value7))
return 0
The following bit of the code (from your code) looks like it gets the event data that you might be interested in.
# The following example gets the events that trigger the alert
events = helper.get_events()
for event in events:
helper.log_info("event={}".format(event))
Hope this ends up on splunkbase.splunk.com 🐵
Thank you. Yes, I had seen that in the commented area. For some reason though I can not seem to figure out how to pull that value in to here:
value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"
I thought it would be something like....
value2="-m "+"'"+$event+"'"
But that gives me an error. Any ideas? Thanks!
So it looks like a python thing....
I suspect your are trying to print an "array of objects" rather than a string itself. Try converting array into a string. Not sure on exact syntax of the top of my head.
Thanks for all the help!
so what is the result? I like Splunk very much, it can suprise me everyday how easily I can analyse the data. One thing I do not understand is the alert custom script setup. For e-mails, result tokens can be used, exactly the same is needed for custom script. I belive almost everybody would be happy to have an option to use custom script with data from the first row like myscript.bat $result.field1 $result.field1 . What is the easiest way to achieve that?