Alerting

How do I set up an alert action for sending an email (App certification)

derekarnold
Communicator

Hi Splunkers,
I am attempting to package my app for Splunk app certification. In app inspect it keeps failing on alert_actions.conf.
All I am trying to do is package up an action to send an email if a saved search has a number of results greater than one.

These are the app inspect errors I get.

Alert actions structure and standards
    Check that each custom alert action has a valid executable.
        FAILURE: No executable was found for alert action email
        FAILURE: No executable was found for alert action custom_action
    Check that icon files defined for alert actions in alert_actions.conf
    exist. Custom Alert Action Component Reference
        FAILURE: No icon_path was specified for [email].
        FAILURE: No icon_path was specified for [custom_action].
    Check that custom alert actions are user configurable with setup.xml
    file.
        MANUAL_CHECK: An setup.xml exists at default/setup.xml.
    Check that each custom alert action has an associated html file.
        FAILURE: No HTML file was found at default/data/ui/alerts/ for
            /tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/email.html
        FAILURE: No HTML file was found at default/data/ui/alerts/ for
            /tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/custom_action.html

I can't find any useful documentation that walks through this using alert actions. Do I need to have an executable script now? Again, all I want to do is send an email using internal Splunk email functionality.

1 Solution

pretzel2
Path Finder

Hello,

Do you have any alert_actions.conf file in your app? I think Splunk is assuming one is placed in the "default" directory of your app and another in the "local" directory of your app.

You also will need a savedsearches.conf file in the local directory of your app that describes the saved search and the action, e.g. email.

Test the saved search/alert BEFORE you package the app; it should work.
Can you please post your savedsearches.conf stanza and alert_actions.conf file to this posting?

For more information about alert_actions.conf and alerts in general, please review these links:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions
http://docs.splunk.com/Documentation/Splunk/6.5.3/Alert/Aboutalerts

Feel free to post more.
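A savedsearches.conf stanza of the kind pretzel2 describes, added here as an example (it is not from the thread or from the asker's app): it triggers when a scheduled search returns more than one result and uses Splunk's built-in email action through the `action.email.*` keys, so the app's own alert_actions.conf needs no [email] stanza of the kind app inspect flagged above. The stanza name, search, recipient and schedule are placeholders.

```ini
# default/savedsearches.conf (added example, not from the thread)
# Stanza name, search, recipient and schedule are placeholders.
[Example - more than one match]
search = index=main sourcetype=example_sourcetype
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Run on a schedule every 15 minutes
enableSched = 1
cron_schedule = */15 * * * *

# Trigger condition: number of results greater than 1
counttype = number of events
relation = greater than
quantity = 1

# Show fired alerts in the Triggered Alerts view
alert.track = 1

# Built-in email action; the mail server and sender address come from
# Splunk's global email settings, not from this app's alert_actions.conf
action.email = 1
action.email.to = placeholder@example.com
action.email.subject = Splunk alert: $name$ returned $job.resultCount$ results
action.email.sendresults = 1
action.email.inline = 1
```

Run the search from the Searches, reports, and alerts page and confirm the email arrives before packaging, as the answer advises.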


derekarnold
Communicator

I did not find a resolution to this, so as a workaround to push through the app certification process I commented out all the references to email alerts and actions.

0 Karma