How do I get some missing parameters from JSON payload to a script for a custom alert app?

isfleming
Explorer

Firstly, I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems with getting some of the info on the detected condition from the JSON payload available to the script.

If I was using a regular script action, I would have access to the following arguments passed to the script:

0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)

When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the JSON format and some of the above are in fact included in the JSON payload; however, I don't see any key that relates to trigger reason or number of events returned.

How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?

Thanks.


isfleming
Explorer

Many thanks to Siegfried Puchbauer @ziegfried for the following...

For simple trigger conditions:
• $counttype$ – type selected in the dropdown, e.g. “number of events”
• $relation$ – comparator selected in the dropdown, e.g. “greater than”
• $quantity$ – the numeric threshold, e.g. “1000”

If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.

It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script.

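As an added example (not code from the original post or from Splunk), the following script shows how a custom alert action can consume the tokens named in the answer. It assumes an alert_actions.conf stanza that expands $counttype$ $relation$ $quantity$ into a hypothetical param named trigger_reason and $alert_condition$ into a param named custom_condition, and it assumes the JSON payload carries the expanded params under "configuration" and the path of the gzipped results CSV under "results_file"; the number of matching events is recovered by counting rows in that file. The sample payload and results file are constructed inline so the script runs offline.

```python
"""
Custom alert action script (added example, not from the original post).

Assumed alert_actions.conf stanza (hypothetical names):

    [my_alert]
    is_custom = 1
    payload_format = json
    param.trigger_reason = $counttype$ $relation$ $quantity$
    param.custom_condition = $alert_condition$

Splunk expands the tokens before invoking the script, so the script reads
the finished strings from payload["configuration"] (assumed key).
"""
import csv
import gzip
import json
import os
import sys
import tempfile


def parse_payload(raw):
    """Parse the JSON payload from a string or a file-like object (stdin)."""
    if hasattr(raw, "read"):
        raw = raw.read()
    return json.loads(raw)


def trigger_reason(payload):
    """Return a readable trigger reason.

    A simple condition expands to e.g. "number of events greater than 1000".
    A custom SPL condition leaves counttype/relation/quantity empty, so the
    expanded $alert_condition$ token is used instead.
    """
    conf = payload.get("configuration", {})
    simple = " ".join(conf.get("trigger_reason", "").split())
    if simple:
        return simple
    custom = conf.get("custom_condition", "").strip()
    if custom:
        return "custom condition: " + custom
    return "unknown"


def count_events(payload):
    """Count data rows in the gzipped results CSV (assumed key: results_file).

    Returns 0 for a missing or unreadable path so the action degrades
    instead of crashing inside Splunk's alert runner.
    """
    path = payload.get("results_file")
    if not path or not os.path.isfile(path):
        return 0
    with gzip.open(path, "rt", newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)  # skip header row
        return sum(1 for row in reader if row)


def make_sample_payload(custom=False):
    """Constructed payload mirroring the assumed shape Splunk sends."""
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    with gzip.open(tmp.name, "wt", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["_time", "user", "action"])
        writer.writerow(["2024-01-01T00:00:00", "alice", "failed_login"])
        writer.writerow(["2024-01-01T00:00:05", "alice", "failed_login"])
        writer.writerow(["2024-01-01T00:00:09", "bob", "failed_login"])
    if custom:
        # Simple-condition tokens expand to whitespace when a custom
        # condition is in use; only $alert_condition$ carries content.
        conf = {"trigger_reason": " ",
                "custom_condition": "search count > 2 AND distinct_users > 1"}
    else:
        conf = {"trigger_reason": "number of events greater than 1000",
                "custom_condition": ""}
    return {
        "search_name": "Brute force watch",
        "sid": "scheduler__admin__search__RMD5abc123_at_1700000000_1",
        "results_file": tmp.name,
        "configuration": conf,
        # The real payload also carries a session_key (assumed key); never
        # log the whole payload, only the fields you need.
        "session_key": "REDACTED",
    }


if __name__ == "__main__":
    payload = parse_payload(sys.stdin)
    sys.stderr.write("search=%s events=%d reason=%s\n" % (
        payload.get("search_name"), count_events(payload),
        trigger_reason(payload)))
```

When Splunk runs the action, the script reads the payload from stdin and writes its one-line summary to stderr, which Splunk captures in splunkd.log; keep the session_key out of that line.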