Hi Splunkers,
I am attempting to package my app for Splunk app certification. In app inspect it keeps failing on alert_actions.conf.
All I am trying to do is package up an action to send an email if a saved search has a number of results greater than one.
These are the app inspect errors I get.
Alert actions structure and standards
Check that each custom alert action has a valid executable.
FAILURE: No executable was found for alert action email
FAILURE: No executable was found for alert action custom_action
Check that icon files defined for alert actions in alert_actions.conf exist. Custom Alert Action Component Reference
FAILURE: No icon_path was specified for [email].
FAILURE: No icon_path was specified for [custom_action].
Check that custom alert actions are user configurable with setup.xml file.
MANUAL_CHECK: An setup.xml exists at default/setup.xml.
Check that each custom alert action has an associated html file.
FAILURE: No HTML file was found at default/data/ui/alerts/ for /tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/email.html
FAILURE: No HTML file was found at default/data/ui/alerts/ for /tmp/tmp5jtSeN/optiv_threat_intel/default/data/ui/alerts/custom_action.html
I can't find any useful documentation that walks through this using alert actions. Do I need to have an executable script now? Again, all I want to do is send an email using internal Splunk email functionality.
Hello,
Do you have any alert_actions.conf file in your app? I think Splunk is assuming one to be placed in the "default" directory of your app and another in the "local" directory of your app.
You also will need a savedsearch.conf file in the local directory of your app that describes the saved search and the action, e.g. email.
Test the saved search/alert BEFORE you package the app, it should work.
Can you please post your savedsearch.conf stanza and alerts_actions.conf file to this posting?
For more information about alert_actions.conf and alerts in general, please review these links, http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions
http://docs.splunk.com/Documentation/Splunk/6.5.3/Alert/Aboutalerts
Feel free to post more.
I did not find a resolution to this, so as a workaround to push through the app certification process I commented out all the references to email alerts and actions.
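
A pre-packaging check that mirrors the three FAILURE checks in the AppInspect output above, added here as an example; it is not from any poster in this thread and is not AppInspect's own code. It assumes the executable is a file in bin/ named after the stanza, and the sample app, its settings and the notify_ok action are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

def check_alert_actions(app_dir):
    """Map each stanza in default/alert_actions.conf to the pieces it lacks."""
    app = Path(app_dir)
    conf = configparser.RawConfigParser(strict=False)
    conf.optionxform = str  # keep setting names case-sensitive
    conf.read(app / "default" / "alert_actions.conf")
    report = {}
    for stanza in conf.sections():
        missing = []
        # Assumption: the executable is a file in bin/ named after the stanza.
        scripts = (p for p in (app / "bin").glob("*") if p.is_file())
        if not any(p.stem == stanza for p in scripts):
            missing.append("executable")
        # Only presence of the setting is checked, as in the FAILURE message.
        if not conf.get(stanza, "icon_path", fallback=""):
            missing.append("icon_path")
        html = app / "default" / "data" / "ui" / "alerts" / (stanza + ".html")
        if not html.is_file():
            missing.append("html")
        report[stanza] = missing
    return report

def build_sample_app(root):
    """Constructed sample: two incomplete stanzas and one complete one."""
    app = Path(root) / "sample_app"
    alerts_ui = app / "default" / "data" / "ui" / "alerts"
    (app / "bin").mkdir(parents=True)
    alerts_ui.mkdir(parents=True)
    (app / "default" / "alert_actions.conf").write_text(
        "[email]\nfrom = splunk@example.com\n\n"
        "[custom_action]\nlabel = Custom action\n\n"
        "[notify_ok]\nlabel = Complete action\nicon_path = notify.png\n"
    )
    (app / "bin" / "notify_ok.py").write_text("# placeholder script\n")
    (alerts_ui / "notify_ok.html").write_text("<form></form>\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, missing in check_alert_actions(build_sample_app(tmp)).items():
            status = "OK" if not missing else "missing: " + ", ".join(missing)
            print(f"[{name}] {status}")
```

Every stanza in the file is reported, including [email], which matches how the output above lists both [email] and [custom_action].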