How do I get some missing parameters from JSON payload to a script for a custom alert app?

isfleming
Explorer

Firstly, I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems with getting some of the info on the detected condition from the JSON payload available to the script.

If I was using a regular script action, I would have access to the following arguments passed to the script:

0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)

When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the JSON format, and some of the above are in fact included in the JSON payload; however, I don't see any key that relates to the trigger reason or the number of events returned.

How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?

Thanks.

isfleming
Explorer

Many thanks to Siegfried Puchbauer @ziegfried for the following...

For simple trigger conditions:
• $counttype$ type selected in the dropdown - e.g. “number of events”
• $relation$ comparator selected in the dropdown - e.g. “greater than”
• $quantity$ the numeric threshold - e.g. “1000”

If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.

It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script.
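Putting the answer together, here is an added example (not code from the original post or from Splunk) of what the custom alert action's script would do: read the JSON payload from stdin, pick up the expanded trigger tokens from a custom param, and count the events from the gzipped results file that the payload points to. The action name `my_custom_action`, the param names `trigger_reason` and `custom_condition`, and the sample payload and result rows are all constructed for this example; the payload keys `search_name`, `results_link`, `results_file` and `configuration` are the standard ones Splunk sends to a custom alert action.

```python
"""Read a Splunk custom alert action payload from stdin and recover the
trigger reason and the number of events, the two items the original
question could not find in the payload.

Assumed alert_actions.conf stanza (action and param names are made up for
this example). Splunk expands the tokens when the alert fires, so the
script receives the expanded strings under payload["configuration"]:

    [my_custom_action]
    is_custom = 1
    label = My custom action
    payload_format = json
    param.trigger_reason = $counttype$ $relation$ $quantity$
    param.custom_condition = $alert_condition$
"""
import csv
import gzip
import json
import os
import sys
import tempfile


def parse_alert_payload(raw_json):
    """Return the values a classic script action received as argv."""
    payload = json.loads(raw_json)
    config = payload.get("configuration", {})
    trigger = config.get("trigger_reason", "").strip()
    # With a custom (SPL-based) condition the simple tokens expand to
    # nothing, so fall back to the $alert_condition$ text.
    if not trigger:
        trigger = config.get("custom_condition", "").strip()
    return {
        "search_name": payload.get("search_name"),      # name of report
        "results_link": payload.get("results_link"),    # browser URL
        "results_file": payload.get("results_file"),    # raw results
        "trigger_reason": trigger or "unknown",
    }


def count_results(results_file):
    """Count result rows in the gzipped CSV named in results_file."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return sum(1 for _ in csv.DictReader(fh))


def write_sample_results(path):
    """Write a constructed results.csv.gz with three sample rows."""
    rows = [
        {"_time": "2024-01-01T00:00:01", "host": "web01", "status": "401"},
        {"_time": "2024-01-01T00:00:02", "host": "web01", "status": "401"},
        {"_time": "2024-01-01T00:00:03", "host": "web02", "status": "401"},
    ]
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "host", "status"])
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def sample_results_count():
    """Round-trip the sample rows through a temp file; returns (written, counted)."""
    with tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False) as tmp:
        path = tmp.name
    try:
        return write_sample_results(path), count_results(path)
    finally:
        os.unlink(path)


# Constructed payloads: one with a simple trigger, one with a custom condition.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Too many failed logins",
    "results_link": "https://splunk.example/app/search/@go?sid=EXAMPLE_SID",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/EXAMPLE_SID/results.csv.gz",
    "configuration": {
        "trigger_reason": "number of events greater than 1",
        "custom_condition": "",
    },
})
SAMPLE_CUSTOM_PAYLOAD = json.dumps({
    "search_name": "Custom condition example",
    "configuration": {
        "trigger_reason": "  ",
        "custom_condition": "search count > 5",
    },
})


def main():
    # Splunk pipes the payload on stdin; use the sample when run by hand.
    raw = SAMPLE_PAYLOAD if sys.stdin.isatty() else sys.stdin.read()
    info = parse_alert_payload(raw)
    if info["results_file"] and os.path.exists(info["results_file"]):
        info["event_count"] = count_results(info["results_file"])
    print(json.dumps(info, indent=2))


if __name__ == "__main__":
    main()
```

Under Splunk the script would be run as `python my_custom_action.py --execute` with the payload on stdin; the row count from the results file is the number of rows the search returned, which can be lower than the raw event count if the search aggregates or is truncated by result limits.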
