Alerting

How do I get some missing parameters from JSON payload to a script for a custom alert app?

isfleming
Explorer

Firstly I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems with getting some of the info on the detected condition from the json payload available to the script.

If I was using a regular script action, I would have access to the following arguments passed to the script:

0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)

When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the json format and some of the above are in fact included in the json payload, however, I don't see any key that relates to trigger reason or number of events returned.

How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?

Thanks.

0 Karma
1 Solution

isfleming
Explorer

Many thanks to Siegfried Puchbauer @ziegfried for the following...

For simple trigger conditions:
• $counttype$ type selected in the dropdown - e.g. "number of events"
• $relation$ comparator selected in the dropdown - e.g. "greater than"
• $quantity$ the numeric threshold - e.g. "1000"

If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.

It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script.

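As an added example (not code from this thread or from Splunk), the following Python alert script shows the approach the answer describes: it reads the JSON payload from stdin, takes the trigger reason from a custom param (the name trigger_reason is assumed, defined in alert_actions.conf as `param.trigger_reason = $counttype$ $relation$ $quantity$` plus `param.alert_condition = $alert_condition$`), and derives the number of events returned by counting rows in the gzipped results_file. The payload keys search_name, results_file and configuration are the ones Splunk supplies when the action uses payload_format = json; the sample payload is constructed.

```python
import csv
import gzip
import json
import sys


def trigger_summary(payload):
    """Rebuild the trigger reason from the custom params (assumed names:
    trigger_reason and alert_condition) that Splunk token-substitutes from
    alert_actions.conf before the payload reaches this script."""
    conf = payload.get("configuration", {})
    custom = conf.get("alert_condition", "").strip()
    if custom:  # custom SPL condition wins over the dropdown-built one
        return "custom condition: " + custom
    return conf.get("trigger_reason", "").strip() or "unknown"


def count_events(results_file):
    """Number of events returned = data rows in the gzipped CSV results file."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return sum(1 for _ in csv.DictReader(fh))


def handle_alert(stdin_text):
    """Parse the JSON payload read from stdin and extract both missing fields."""
    payload = json.loads(stdin_text)
    try:
        n = count_events(payload["results_file"])
    except (KeyError, OSError):
        n = None  # results file absent or unreadable: report it, don't crash
    return {"search_name": payload.get("search_name"),
            "trigger_reason": trigger_summary(payload),
            "event_count": n}


# Constructed sample payload in the shape used with payload_format = json.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "failed logins",
    "results_file": "/nonexistent/results.csv.gz",
    "configuration": {"trigger_reason": "number of events greater than 1",
                      "alert_condition": ""},
})

if __name__ == "__main__":
    # Splunk runs the script as `<script> --execute` with the payload on stdin.
    text = sys.stdin.read() if "--execute" in sys.argv else SAMPLE_PAYLOAD
    print(json.dumps(handle_alert(text)))
```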
