All Apps and Add-ons

How to monitor the HTTP Alert Action?

Path Finder


I am trying to send data from Splunk to a Lotus Notes bases Incident Management. This system can recieve events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data.

Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network.

Sometimes I get an error code 4 in Splunk Internal index. What is error 4?

Thank you.

0 Karma


@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?

0 Karma

Path Finder


here is my current configuration I removed the URL, accescode and search.

action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0 = 0
action.risk.param.verbose = 0
action.send_custom_rest_request = 1
action.send_custom_rest_request.param.custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT
action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService
action.send_custom_rest_request.param.payload = data={body}
action.send_custom_rest_request.param.qs_params =
action.threat_add.param.verbose = 0
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Test der Verbindung
dispatch.earliest_time = rt
dispatch.latest_time = rt = ["host","source","sourcetype","name","F001","id"] = 0 = fast
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = XXX

0 Karma


Can you try setting the ingestion_safety variable. There's a known issue with version 1.1 which has been fixed in the yet to be released version 1.2

action.send_custom_rest_request.param.ingestion_safety_max_size = 0
0 Karma

Path Finder

I wrote my own TA with the Addon-Bulider and I got the same error when trying to send the request. After that I did some research I found out, that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types.

But I will test your TA with this settings and report the result here.

0 Karma
Get Updates on the Splunk Community!

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...