How to monitor the HTTP Alert Action?

mihenn
Path Finder

Hi,

I am trying to send data from Splunk to a Lotus Notes based Incident Management system. This system can receive events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data.

Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network.

Sometimes I get an error code 4 in the Splunk internal index. What is error 4?

Thank you.

0 Karma

brendanmacooper
Explorer

@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?

0 Karma

mihenn
Path Finder

Sure, here is my current configuration. I removed the URL, access code and search.

action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.send_custom_rest_request = 1
action.send_custom_rest_request.param.custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT
action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService
action.send_custom_rest_request.param.payload = data={body}
action.send_custom_rest_request.param.qs_params =
action.threat_add.param.verbose = 0
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Connection test
dispatch.earliest_time = rt
dispatch.latest_time = rt
display.events.fields = ["host","source","sourcetype","name","F001","id"]
display.events.maxLines = 0
display.page.search.mode = fast
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = XXX

0 Karma

brendanmacooper
Explorer

Can you try setting the ingestion_safety variable? There's a known issue with version 1.1 which has been fixed in the yet-to-be-released version 1.2:

action.send_custom_rest_request.param.ingestion_safety_max_size = 0

0 Karma

mihenn
Path Finder

I wrote my own TA with the Add-on Builder and got the same error when trying to send the request. After doing some research, I found out that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types.

But I will test your TA with these settings and report the result here.

0 Karma
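The two things the thread circles around, how the posted `custom_headers` / `payload` parameters turn into an HTTP request and how a mix of `%`-style and `{}`-style string formatting makes such a script fail before anything is sent, can be shown in a few lines. The code below is an added example, not code from the poster's TA or from the HTTP Alert Action add-on: how that add-on actually parses its parameters is an assumption, and the parameter strings, the sample search result and the SOAP body are constructed here. Errors are written to stderr because Splunk records a custom alert script's stderr in splunkd.log (component `sendmodalert`), which is where `index=_internal` searches would surface them. Note that the posted endpoint is plain `http://`, so the `Authorization` header travels in cleartext; the example defaults to that endpoint only because the configuration does.

```python
"""Build and optionally send the custom REST request from the posted stanza.

Added example (not the add-on's or the poster's code). Parameter formats
mirror the posted savedsearches.conf stanza; parsing rules are assumptions:
  custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT
  payload        = data={body}
"""
import json
import sys
import urllib.error
import urllib.request


def parse_custom_headers(raw):
    """Split "Key=Value&Key2=Value2" into a header dict (assumed format).

    Surrounding quotes on a value (Authorization='XXX') are stripped; values
    are not percent-decoded. A pair without '=' is a configuration error.
    """
    headers = {}
    for pair in raw.split("&"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("header without '=': %r" % pair)
        headers[key.strip()] = value.strip().strip("'\"")
    return headers


class _Fields(dict):
    """Result fields for str.format_map; a missing field is an error, not ''."""

    def __missing__(self, key):
        raise KeyError("payload template references missing field %r" % key)


def render_payload(template, result):
    """Substitute {field} tokens in the payload template from one search result.

    format_map is applied once, to the template only. The substituted values
    (here the SOAP XML from the eval'd body field) are never formatted again,
    so braces inside the XML cannot be re-interpreted as placeholders.
    """
    return template.format_map(_Fields(result))


def render_payload_mixed(template, result):
    """The class of bug the last post describes: a '{field}' template pushed
    through '%'-style formatting. '{body}' is not a %-conversion, so Python
    raises TypeError ('not all arguments converted ...') before any request
    is built, and the action fails without contacting the endpoint."""
    return template % result["body"]


def send_request(endpoint, headers, payload, timeout=10):
    """POST the rendered payload; return (status_code, response_text).

    Failures are reported on stderr so they land in splunkd.log / _internal
    instead of disappearing. Nothing is retried here; the caller decides.
    """
    req = urllib.request.Request(endpoint, data=payload.encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        sys.stderr.write("ERROR endpoint returned HTTP %d: %s\n"
                         % (err.code, err.read()[:500]))
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        sys.stderr.write("ERROR could not reach %s: %s\n" % (endpoint, err))
        return 0, ""


# Constructed sample: the parameters from the posted stanza and one result row
# with the XML the search built via eval. 'XXX' stands in for the real values.
SAMPLE_CONFIG = {
    "custom_headers": "Authorization='XXX'&SOAPAction=CREATEINCIDENT",
    "endpoint": "http://XXX?OpenWebService",
    "payload": "data={body}",
}
SAMPLE_RESULT = {
    "body": "<soap:Envelope><soap:Body><CREATEINCIDENT><F001>test</F001>"
            "</CREATEINCIDENT></soap:Body></soap:Envelope>",
}


def build_request(config, result):
    """Combine parsing and rendering: returns (endpoint, headers, payload)."""
    return (config["endpoint"],
            parse_custom_headers(config["custom_headers"]),
            render_payload(config["payload"], result))


if __name__ == "__main__":
    # Splunk's --execute mode hands the alert JSON on stdin ("configuration"
    # holds the params, "result" the triggering row); fall back to the sample.
    if "--execute" in sys.argv:
        alert = json.load(sys.stdin)
        config, result = alert["configuration"], alert["result"]
    else:
        config, result = SAMPLE_CONFIG, SAMPLE_RESULT
    endpoint, headers, payload = build_request(config, result)
    print(send_request(endpoint, headers, payload))
```

Run without arguments it only builds the request and reports the (expected) connection failure for the placeholder endpoint on stderr; under Splunk it would be invoked with `--execute` and the alert JSON on stdin. The useful check while troubleshooting is that `render_payload` raises `KeyError` when the search result lacks the `body` field, and that `render_payload_mixed` raises `TypeError` regardless of the input, which is a failure you can reproduce locally without any network access.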