Solved: Re: Execute binary with parameters from Splunk Add...

larryleeroberts · ‎01-18-2017

I have installed Splunk Add-On Builder and I am now attempting to figure out how to create a new alert option. I want to provide an option to forward an alert to IBM Tivoli OMNIbus. I created 3 required drop-downs and I am now at the "Code & Test" area. I have been trying to find example code of how to take the information from the alert and to execute a command line binary to create the Tivoli OMNIBus event. We use something called posteifmsg which is nothing more than a simple binary which requires a few parameters to be passed with it. For example.....

./posteifmsg -m "This is a test" Impact="1" Urgency = "2" OnCallGroup ="MyTeam"

How can I execute such a command line from the code within Add-On builder? Examples?
Also, with Add-On Builder does it matter where the posteifmsg binary is located as long as its on the Splunk server?

Below is the generated logic that was produced from the Add-On Builder which shows the 3 new parameters I had created.

# encoding = utf-8

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    return 0

Thank you for any assistance! Trying to find sample code on this but so far no luck.

larryleeroberts · ‎02-01-2017

Figured it out. Hopefully, this will help others...
# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    value1="-f /lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/config.ini"
    value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"
    value3="GFS_Impact="+helper.get_param("gfs_impact")
    value4="GFS_Urgency="+helper.get_param("gfs_urgency")
    value5="ISOC_Instructions="+"'"+helper.get_param("easyvista_category_id")+"'"
    value6="Generic"
    value7="Generic"
    os.system("/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/posteifmsg %s %s %s %s %s %s %s" % (value1,value2,value3,value4,value5,value6,value7))
    return 0

View solution in original post

larryleeroberts · ‎02-01-2017

Figured it out. Hopefully, this will help others...
# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    value1="-f /lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/config.ini"
    value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"
    value3="GFS_Impact="+helper.get_param("gfs_impact")
    value4="GFS_Urgency="+helper.get_param("gfs_urgency")
    value5="ISOC_Instructions="+"'"+helper.get_param("easyvista_category_id")+"'"
    value6="Generic"
    value7="Generic"
    os.system("/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/posteifmsg %s %s %s %s %s %s %s" % (value1,value2,value3,value4,value5,value6,value7))
    return 0

shartwell · ‎05-22-2018

Thanks Larry - this was a huge help - quick question. I'm getting an error trying to call my binary - did you need to specify the posteifmsg binary command in alert_actions.conf?

Execute binary with parameters from Splunk Add-On Builder

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor