Firstly, I am very new to Splunk app development. I'm trying to create a custom alert application, and I'm having problems with getting some of the info on the detected condition from the JSON payload available to the script.
If I was using a regular script action, I would have access to the following arguments passed to the script:
0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)
When using a custom alert app, these don't seem to apply and you get the data via reading stdin. I am using the JSON format, and some of the above are in fact included in the JSON payload; however, I don't see any key that relates to trigger reason or number of events returned.
How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?
Many thanks to Siegfried Puchbauer @ziegfried for the following:
For simple trigger conditions:
• $counttype$ - the type selected in the dropdown, e.g. "number of events"
• $relation$ - the comparator selected in the dropdown, e.g. "greater than"
• $quantity$ - the numeric threshold, e.g. "1000"
If a custom trigger condition was specified you can use $alert_condition$, which will contain the SPL-based trigger condition.
It would be reasonable to create a custom param in alert_actions.conf to pass this information to your alert script.
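The following is an added worked example, not code from the original question or from ziegfried's answer. It shows the custom-param approach end to end: an alert_actions.conf stanza that carries the tokens named above into the script's params, and a script that reads the JSON payload from stdin, rebuilds the trigger reason from those params, and gets the event count by counting rows in the results file that the payload points at (the same file the legacy script argument 8 referred to). The app name "myalert", the param names (param.count_type and so on), the counttype values "always" and "custom", the payload key names, and the assumption that results_file is a gzip-compressed CSV with a header row are this example's own assumptions.

```python
"""
Added example (not from the original post): a Splunk custom alert action
script that reconstructs the trigger reason and the event count.

Assumed alert_actions.conf stanza for a hypothetical app "myalert"; the
token names come from the answer above, the param names are this example's:

    [myalert]
    is_custom = 1
    label = My alert
    payload_format = json
    param.count_type = $counttype$
    param.relation = $relation$
    param.quantity = $quantity$
    param.alert_condition = $alert_condition$

Splunk runs `myalert.py --execute` and writes the JSON payload to stdin;
the expanded params are assumed to arrive under payload["configuration"].
"""
import csv
import gzip
import json
import os
import sys
import tempfile


def trigger_reason(configuration):
    """Rebuild a human-readable trigger reason from the expanded params.

    Assumption: when a custom SPL condition is used, $alert_condition$ is
    non-empty and counttype is "custom"; counttype "always" means the alert
    fires on every result, so there is no threshold to report.
    """
    custom = (configuration.get("alert_condition") or "").strip()
    if custom:
        return "Custom condition: %s" % custom
    count_type = (configuration.get("count_type") or "").strip()
    relation = (configuration.get("relation") or "").strip()
    quantity = (configuration.get("quantity") or "").strip()
    if count_type == "always":
        return "Triggered on every result (counttype=always)"
    if not (count_type and relation and quantity) or count_type == "custom":
        return "Unknown trigger condition"
    return "The %s was %s %s" % (count_type, relation, quantity)


def count_results(results_path):
    """Count data rows in the results file named by payload["results_file"].

    Assumption: the file is a gzip-compressed CSV with a header row, so the
    number of remaining rows is the number of events returned.
    """
    with gzip.open(results_path, "rt", newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)  # skip the header row
        return sum(1 for _ in reader)


def describe_trigger(payload):
    """Pull the two pieces of information the question asks for out of the payload."""
    configuration = payload.get("configuration", {})
    return {
        "search_name": payload.get("search_name"),
        "trigger_reason": trigger_reason(configuration),
        "result_count": count_results(payload["results_file"]),
    }


def write_sample_results(path, rows):
    """Write a constructed results.csv.gz (sample data, not captured Splunk output)."""
    fieldnames = sorted({key for row in rows for key in row})
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)


def demo():
    """Run describe_trigger over a constructed payload (sample data, not a real alert)."""
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    write_sample_results(path, [
        {"host": "web1", "status": "500"},
        {"host": "web2", "status": "503"},
        {"host": "web1", "status": "502"},
    ])
    payload = {
        "search_name": "Too many 5xx responses",
        "results_file": path,
        "configuration": {
            "count_type": "number of events",
            "relation": "greater than",
            "quantity": "1",
            "alert_condition": "",
        },
    }
    return describe_trigger(payload)


def main():
    # Splunk passes --execute for a real run; anything written to stderr is
    # assumed to end up in splunkd.log, which is where failures get debugged.
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        info = describe_trigger(json.load(sys.stdin))
        sys.stderr.write("INFO %s\n" % json.dumps(info))
        return 0
    sys.stderr.write("FATAL unsupported execution mode, expected --execute\n")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The reason string is built in the same shape as the legacy argument 5 ("The number of events was greater than 1"), so downstream code written for the old script interface keeps working. The check for an empty $alert_condition$ matters: for a simple threshold alert the token expands to nothing, so treating it as authoritative only when non-empty avoids reporting a blank custom condition.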