Alerting
Highlighted

How do I get some missing parameters from JSON payload to a script for a custom alert app?

Explorer

Firstly I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems with getting some of the info on the detected condition from the json payload available to the script.

If I was using a regular script action, I would have access to the following arguments passed to the script:

0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)

When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the json format and some of the above are in fact included in the json payload, however, I don't see any key that relates to trigger reason or number of events returned.

How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?

Thanks.

0 Karma
Highlighted

Re: How do I get some missing parameters from JSON payload to a script for a custom alert app?

Explorer

Many thanks to Siegfried Puchbauer @ziegfried for the following...

For simple trigger conditions:
• $counttype$ type selected in the dropdown - eg. “number of events”
• $relation$ comparator selected in the dropdown - eg. “greater than”
• $quantity$ the numeric threshold - eg. “1000”

If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.

It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script

View solution in original post

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.