We are trying to invoke alerts from Splunk to NetCool, and wondering what the right approach would be. We came up with 3 proposals -
Solution 1: Create a script, invoke it in alert actions, and pass the parameters.
Solution 2: Create a custom command, append it to the SPL, and pass the arguments.
Solution 3: Create a custom alert action with HTML form fields (just like Send Email/Snow) - Preferred
We also came across Splunk dev documentation at Create custom alert actions for Splunk Cloud Platform or Splunk Enterprise
Any feedback would be appreciated.
Thank you @Tom_Lundie for the detailed explanation. I came across the following: https://splunkbase.splunk.com/app/3596. Do you think it's in the right direction?
You're welcome!
From what you've shared so far, I'm not exactly sure what your use case is. That being said, the app looks fine to me. If that does what you need it to, then why not give it a try?
At the very least, you could use that as a starting template if your use case is slightly different.
Also, please note: that app is not supported, so if it breaks you won't be able to raise a support case to fix it.
You're definitely thinking along the right track and, based on the information you've provided so far, this is definitely achievable and I would go with Option 3 too.
The documentation that you sent over has an example alert_action: splunk-app-examples/slack.py.
If you haven't done this before, I would probably start with that or a different alert_action that does something similar to what you're trying to achieve, e.g. raising an incident via Splunk TA for ServiceNow. Trace your example of choice through, keeping in mind the step-by-step documentation located on Splunk Dev.
Once you've got your head around how the app, alert_actions.conf, and Python script work together, you'll be ready to start writing your own. Feel free to reply to this thread or start a new one if you run into any bumps along the way.
Also, I haven't used NetCool but I've noticed that there are a few different products out there that go by that name. It might be worth sharing some more details about exactly what you're trying to achieve in case anyone else has done this before.
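As an added example of how those pieces fit together (this is not code from the thread or from the Splunkbase app linked above): the Python script Splunk invokes for a custom alert action reads one JSON payload on stdin and maps the form-field values from alert_actions.conf to an outbound event. The NetCool-side field names, the severity mapping and the sample payload values are all assumptions made for this illustration.

```python
"""Skeleton of a Splunk custom alert action script (added example).
Splunk runs it as `python netcool_alert.py --execute` and writes one JSON
document to stdin: the `configuration` (HTML form field values), the first
`result` row, `search_name`, `sid`, `results_link` and a `session_key`.
Target-side field names (Node, Summary, Severity) are assumed placeholders."""
import json
import sys

# Form drop-down labels mapped to an integer severity (assumed mapping).
SEVERITY = {"critical": 5, "major": 4, "minor": 3, "warning": 2, "info": 1}

# Constructed payload in the shape Splunk sends on stdin (values are fake).
SAMPLE_PAYLOAD = {
    "search_name": "Failed logins spike",
    "sid": "scheduler__admin__search__RMD5_example_at_0_0",
    "results_link": "https://splunk.example/app/search/@go?sid=example",
    "session_key": "REDACTED-EXAMPLE",
    "configuration": {"severity": "Major", "summary": "brute force suspected"},
    "result": {"host": "web01", "count": "57"},
}

def build_event(payload):
    """Map the Splunk alert payload to the event handed to the forwarder."""
    conf, result = payload.get("configuration", {}), payload.get("result", {})
    missing = [k for k in ("search_name", "sid") if not payload.get(k)]
    if missing:
        raise ValueError("payload missing required keys: " + ", ".join(missing))
    sev = str(conf.get("severity", "info")).lower()
    if sev not in SEVERITY:
        raise ValueError("unknown severity %r" % sev)
    return {
        "Node": result.get("host", payload.get("server_host", "unknown")),
        "Summary": "%s: %s" % (payload["search_name"], conf.get("summary", "")),
        "Severity": SEVERITY[sev],
        "SplunkSID": payload["sid"],
        "SplunkLink": payload.get("results_link", ""),
    }

def main(argv=sys.argv, stdin=sys.stdin):
    # Splunk only invokes alert actions with --execute; refuse anything else.
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL expected --execute\n")
        return 1
    event = build_event(json.load(stdin))
    # Log the built event but never the session_key, which grants REST access.
    sys.stderr.write("INFO built event %s\n" % json.dumps(event))
    return 0  # delivery to the NetCool endpoint would follow here

if __name__ == "__main__":
    sys.exit(main())
```

Whatever is written to stderr ends up in splunkd.log tagged with the action name, which is why the session_key is deliberately kept out of it.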