Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get some additional alert details into my custom alert?

paimonsoror
Builder
‎01-31-2017 11:08 AM

Hi Folks;

I was wondering how to add some of the details that a user has put in for defining an Alert into the payload that gets sent to my custom alert. For example:

alt text

Here is a sample alert that I am using. I have a custom app on my search head, and within the local folder there is an alert_actions.conf defined like so:

[spectrum_alert]
disabled=0
payload_format=json
is_custom=1
icon_path=alerticon.png
label=Enterprise Alert
description=Dispatch Alerts to Command Center For Escalation

within my app, there is a bin directory with a python script called 'spectrum_alert.py'. It looks like when the alert is triggered, two things are passed in, one being the '--execute' command, and second is the json payload that is passed in. There are however a few things missing that I would like to have, like the 'description', and the 'event count' for example. How would one add that?

I know that with the out of the box command you can add things like $counttype$ $relation$ $quantity$, but is that still possible here with a custom alert? If so, could someone guide me? Thanks!

Preview file
1 KB
0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎02-02-2017 10:51 AM

I'm not fully understanding your question - however, what can be done is to simply pass such data within your search results (which is passed into the python script within the JSON payload). Thus anything that can be calculated and captured within a field in your search can be parsed out of the JSON payload and used within your python script.

For instance, for a customer e-mail notification alert as an example, you can have the search populate some fields named 'replyTo', 'recipient', 'subject', 'numberOfEvents' - then within the python script parse the JSON payload for the those specific fields and perform actions upon them.

0 Karma
Reply

paimonsoror
Builder
‎02-02-2017 05:33 PM

Thanks for the response.

What I am ideally trying to do is this:

  1. User creates an alert
  2. User decides "i want this alert to the enterprise command center"
  3. User uses my custom alert action called 'spectrum_alert'
  4. Our best practice is to have the user pick a meaninful title for the alert, and description

The JSON payload is great, and it includes the title but it doesn't include the alert description. Ideally I would like to also send in the alert type

Those two additional things from #4 are what I am looking to add to my payload

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...