How do I get some missing parameters from JSON payload to a script for a custom alert app?

isfleming
Explorer

Firstly, I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems with getting some of the info on the detected condition from the JSON payload available to the script.

If I was using a regular script action, I would have access to the following arguments passed to the script:

0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)

When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the JSON format and some of the above are in fact included in the JSON payload; however, I don't see any key that relates to trigger reason or number of events returned.

How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?

Thanks.

isfleming
Explorer

Many thanks to Siegfried Puchbauer @ziegfried for the following...

For simple trigger conditions:
• $counttype$ type selected in the dropdown - eg. “number of events”
• $relation$ comparator selected in the dropdown - eg. “greater than”
• $quantity$ the numeric threshold - eg. “1000”

If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.

It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script.

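The following is an added example of the approach the accepted answer suggests; it is not code from the original thread or from Splunk. It assumes an alert_actions.conf stanza (shown in the comment at the top, with the param names trigger_reason and alert_condition chosen for this example) whose params carry the $counttype$, $relation$, $quantity$ and $alert_condition$ tokens, so that the resolved values arrive under the "configuration" key of the JSON payload the script reads from stdin. It further assumes that tokens which do not apply (the simple-condition tokens when a custom condition is used) resolve to empty strings, and it recovers the "number of events returned" that the question also asks about by counting rows in the gzipped CSV that results_file points to, since the payload's "result" key only carries the first row.

```python
import csv
import gzip
import json
import os
import sys
import tempfile

# Assumed alert_actions.conf stanza for this example (not from the thread;
# the param names are this example's own choice, the tokens are the ones
# named in the accepted answer):
#
#   [demo_alert]
#   is_custom = 1
#   label = Demo alert
#   payload_format = json
#   param.trigger_reason = $counttype$ $relation$ $quantity$
#   param.alert_condition = $alert_condition$
#
# Splunk resolves the tokens before running the script and hands the values
# to it under "configuration" in the JSON payload read from stdin.


def trigger_reason(payload):
    """Rebuild the trigger reason from the resolved params.

    For a simple condition the three tokens yield e.g.
    "number of events greater than 1". For a custom condition this example
    assumes those tokens resolve to empty strings and falls back to the SPL
    carried by $alert_condition$.
    """
    cfg = payload.get("configuration") or {}
    simple = " ".join(str(cfg.get("trigger_reason", "")).split())
    if simple:
        return simple
    custom = str(cfg.get("alert_condition", "")).strip()
    if custom:
        return "custom condition: " + custom
    return "unknown"


def count_results(results_file):
    """Count result rows in the gzipped CSV that results_file points to.

    The payload's "result" key carries only the first row, so the row count
    (the old argv[1] "number of events returned") has to come from the file.
    """
    with gzip.open(results_file, "rt", newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)  # skip the header row
        return sum(1 for _ in reader)


def sample_run():
    """Run both helpers on a constructed payload and results file (offline)."""
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    try:
        with gzip.open(tmp.name, "wt", newline="") as fh:
            fh.write("_time,host,status\n1,web1,500\n2,web2,503\n3,web1,500\n")
        payload = {  # constructed; key names follow Splunk's JSON payload
            "search_name": "High error rate",
            "results_file": tmp.name,
            "configuration": {
                "trigger_reason": "number of events greater than 1",
                "alert_condition": "",
            },
        }
        return trigger_reason(payload), count_results(payload["results_file"])
    finally:
        os.remove(tmp.name)


def main():
    # Splunk invokes a custom alert action script as: script.py --execute
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        sys.exit(1)
    payload = json.load(sys.stdin)
    reason = trigger_reason(payload)
    try:
        count = count_results(payload["results_file"])
    except (KeyError, OSError):
        count = "unknown"
    # Splunk logs what the script writes to stderr, so this line is visible
    # when debugging the action.
    sys.stderr.write("INFO search_name=%r trigger_reason=%r result_count=%s\n"
                     % (payload.get("search_name"), reason, count))


if __name__ == "__main__":
    main()
```

Treat the resolved param values as untrusted input when you forward them anywhere (a ticket body, a chat webhook, a shell command): $alert_condition$ in particular is free-form SPL typed by whoever saved the alert, so never interpolate it into a command line.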
