Solved: How to pass alert results to custom alert action?

vinod94 · ‎07-26-2019

how do I pass my search output results to a custom alert action script(test.py) which has some static parameters ? for ex. I have a statistics table which has two columns Hosts and Count.. I want to pass the results of these two columns to a static parameter say Description.

Ive come across SPLUNK_ARG_8(sys.argv[8])... tried this but it am getting an error " Alert script returned error code 1., search='sendalert test_dropdown results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_adminsearch_RMD51340b9f59d2d65d1_at_1564127640_31/results.csv.gz " .

How do I use it in my script? Or is der any other way. Any suggestions? Below is part of my script

def openany(p):
       if p.endswith(".gz"):
               return gzip.open(p)
       else:
               return open(p)

results_file = sys.argv[8]

for row in csv.DictReader(openany(results_file)):
        description = "Alert Triggered for " + row["component"] + " value is " + row["count"]


# TODO: Implement your alert action logic here
        url = "https://ensrqbrq8xubd.x.pipedream.net"

        payload = '''{\"Description\\\":\\\"''' + description + '''\\\"}'''.encode('utf8')

    headers = {
    'content-type': "application/json"
    }

        response = requests.request("POST", url, data = payload, headers=headers)

harsmarvania57 · ‎07-26-2019

Hi,

Have a look at documentation for Custom Alert Action https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ModAlertsIntro for how to setup custom alert action.

Here is sample script https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ModAlertsBasicExample splunk has provided. When you look at the output, you can see results_file in payload output. Read that file in your script and then you can use that output data in your script to do other magic as per your requirement.

View solution in original post

harsmarvania57 · ‎07-26-2019

Hi,

Have a look at documentation for Custom Alert Action https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ModAlertsIntro for how to setup custom alert action.

Here is sample script https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ModAlertsBasicExample splunk has provided. When you look at the output, you can see results_file in payload output. Read that file in your script and then you can use that output data in your script to do other magic as per your requirement.

vinod94 · ‎07-29-2019

Hi @harsmarvania57 ,

I've tried reading the file...but it throwing me an error..

search='sendalert test_dropdown results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_adminsearch_RMD51340b9f59d2d65d1_at_1564127640_31/results.csv.gz "

harsmarvania57 · ‎07-29-2019

You need to read that file in your python script, not using Splunk Query.

vinod94 · ‎07-29-2019

I am reading with the script only

here's the sample ..

 def openany(p):
        if p.endswith(".gz"):
                return gzip.open(p)
        else:
                return open(p)
 results_file = sys.argv[8]

 for row in csv.DictReader(openany(results_file)):
         description = "Alert Triggered for " + row["component"] + " value is " + row["count"]

not sure if iam doing it in the right way!

harsmarvania57 · ‎07-29-2019

Here is the portion of the script which I have in custom alert action and in alert_actions.conf, I have configured to retrieve payload in json format ( payload_format = json )

if len(sys.argv) > 1 and sys.argv[1] == "--execute":
    payload = json.loads(sys.stdin.read())
    result_file = payload['results_file']
    with gzip.open(result_file, 'rb') as f:
        reader = csv.reader(f)
        header_line = next(reader)
        data = list(reader)

kmarx · ‎07-27-2022

Just a note: I had to use gzip.open() with mode='rt' for text instead of binary

How to pass alert results to custom alert action?

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?