How to monitor the HTTP Alert Action?

Hi,

I am trying to send data from Splunk to a Lotus Notes based Incident Management. This system can receive events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data.

Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network.

Sometimes I get an error code 4 in the Splunk internal index. What is error 4?

Thank you.

0 Karma

Re: How to monitor the HTTP Alert Action?

Can you try setting the ingestion_safety variable? There's a known issue with version 1.1 which has been fixed in the yet-to-be-released version 1.2:

action.send_custom_rest_request.param.ingestion_safety_max_size = 0
0 Karma

Re: How to monitor the HTTP Alert Action?

I wrote my own TA with the Add-on Builder and I got the same error when trying to send the request. After I did some research, I found out that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types.

But I will test your TA with these settings and report the result here.

0 Karma

Re: How to monitor the HTTP Alert Action?

Sure,

here is my current configuration; I removed the URL, access code and search.

action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.send_custom_rest_request = 1
action.send_custom_rest_request.param.customheaders = Authorization='XXX'&SOAPAction=CREATEINCIDENT
action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService
action.send_custom_rest_request.param.payload = data={body}
action.send_custom_rest_request.param.qsparams =
action.threat_add.param.verbose = 0
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Test der Verbindung
dispatch.earliest_time = rt
dispatch.latest_time = rt
display.events.fields = ["host","source","sourcetype","name","F001","id"]
display.events.maxLines = 0
display.page.search.mode = fast
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = XXX

0 Karma
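As an added illustration (not code from this thread, from Splunk, or from the Custom REST request add-on), here is the shape of a custom alert-action script that reads the JSON Splunk pipes to it on stdin, parses a customheaders string of the form shown in the configuration above, keeps the SOAP body as str until a single UTF-8 encode, and shows what mixing str and bytes formatting (the "two different types" mentioned earlier) does to the XML. The header/payload parsing rules, the endpoint and the token are assumptions and placeholders.

```python
import json
import sys
import urllib.request

def parse_custom_headers(spec):
    """Split a 'Name=value&Other=value' header string into a dict. The format
    is inferred from the customheaders setting in the thread, not taken from
    the add-on's source (assumption)."""
    headers = {}
    for part in spec.split("&"):
        name, sep, value = part.partition("=")
        if sep:
            headers[name.strip()] = value.strip().strip("'\"")
    return headers

def build_request(stdin_json):
    """Turn the JSON Splunk pipes to an alert script on stdin into
    (url, headers, body_bytes). Text stays str until one final encode."""
    payload = json.loads(stdin_json)
    conf, result = payload["configuration"], payload["result"]
    headers = parse_custom_headers(conf.get("customheaders", ""))
    body_text = conf["payload"].format(**result)  # {body} etc. from the row
    body_bytes = body_text.encode("utf-8")        # the only str -> bytes step
    headers.setdefault("Content-Type", "text/xml; charset=utf-8")
    return conf["endpoint"], headers, body_bytes

def mixed_types_artifact():
    """What mixing str and bytes formatting yields in Python 3: the bytes
    repr (b'...') lands inside the XML instead of the markup itself."""
    fragment = "<F001>Test der Verbindung</F001>".encode("utf-8")
    return "<data>%s</data>" % fragment

def send(url, headers, body):
    """POST the request; failures go to stderr, which splunkd writes to
    splunkd.log, so they can be searched in the _internal index."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except Exception as exc:  # HTTPError, URLError, socket timeouts
        sys.stderr.write("ERROR posting to %s: %s\n" % (url, exc))
        return None

# Constructed sample of the stdin document; endpoint and token are placeholders.
SAMPLE_STDIN = json.dumps({
    "configuration": {"endpoint": "http://HOST-PLACEHOLDER?OpenWebService",
                      "customheaders": "Authorization='TOKEN-PLACEHOLDER'&SOAPAction=CREATEINCIDENT",
                      "payload": "data={body}"},
    "result": {"host": "srv01", "F001": "Test der Verbindung",
               "body": "<Envelope><F001>Test der Verbindung</F001></Envelope>"}})
```

When wired up as a Splunk alert action (invoked with --execute), pass sys.stdin.read() to build_request and hand the resulting tuple to send; a None return means the stderr line is what to look for in _internal.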

Re: How to monitor the HTTP Alert Action?

@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?

0 Karma