All Apps and Add-ons

How to monitor the HTTP Alert Action?

mihenn
Path Finder

Hi,

I am trying to send data from Splunk to a Lotus Notes bases Incident Management. This system can recieve events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data.

Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network.

Sometimes I get an error code 4 in Splunk Internal index. What is error 4?

Thank you.

0 Karma

brendanmacooper
Explorer

@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?

0 Karma

mihenn
Path Finder

Sure,

here is my current configuration I removed the URL, accescode and search.


action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.send_custom_rest_request = 1
action.send_custom_rest_request.param.custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT
action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService
action.send_custom_rest_request.param.payload = data={body}
action.send_custom_rest_request.param.qs_params =
action.threat_add.param.verbose = 0
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Test der Verbindung
dispatch.earliest_time = rt
dispatch.latest_time = rt
display.events.fields = ["host","source","sourcetype","name","F001","id"]
display.events.maxLines = 0
display.page.search.mode = fast
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = XXX

0 Karma

brendanmacooper
Explorer

Can you try setting the ingestion_safety variable. There's a known issue with version 1.1 which has been fixed in the yet to be released version 1.2

action.send_custom_rest_request.param.ingestion_safety_max_size = 0
0 Karma

mihenn
Path Finder

I wrote my own TA with the Addon-Bulider and I got the same error when trying to send the request. After that I did some research I found out, that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types.

But I will test your TA with this settings and report the result here.

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...