
Splunk Add-on Builder: How to edit my Python code to pull the value of event for an alert?

larryleeroberts
Path Finder

I am new to Python and to the Splunk Add-On Builder but I have been figuring it out so far but now I am at the point that I am stuck. I have been trying to build a new alert option for our Splunk instance. I am able to execute a binary and pass my parameters to it when called but I have been unable to figure out the correct code to use in order to grab the event that triggered the alert.

If you look at the Python code below, look specifically at this...

value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"

I am attempting to figure out how to pull the value of the event which set off the alert and assign it to value2. Below is my full code. Any aid would be highly appreciated. Thank you!

# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    value1="-f /lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/config.ini"
    value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"
    value3="GFS_Impact="+helper.get_param("gfs_impact")
    value4="GFS_Urgency="+helper.get_param("gfs_urgency")
    value5="ISOC_Instructions="+"'"+helper.get_param("easyvista_category_id")+"'"
    value6="Generic"
    value7="Generic"
    os.system("/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/posteifmsg %s %s %s %s %s %s %s" % (value1,value2,value3,value4,value5,value6,value7))
    return 0
0 Karma
1 Solution

ehaddad_splunk
Splunk Employee

Hi,

When developing this in Add-on Builder, just test that the parameters work with values that you pass or hardcode. Tokenization is automatically handled by the alert action framework.
To test this out, after you are done building the alert action (make sure you restart Splunk), you can use $result.fieldname$ to dynamically pass a value from a given alert results field. Check out the "Pass search result values to alert action tokens" section of this doc link for more details:
http://docs.splunk.com/Documentation/Splunk/6.5.1/AdvancedDev/ModAlertsLog

You can test this out using the sendalert command as such:
index=_internal | head 1| eval fieldname="xyz" | sendalert myalertname param.abc="$result.fieldname$"


0 Karma


ehaddad_splunk
Splunk Employee

yes - helper.get_param("abc") would allow you to use static or dynamic values passed from search results triggering the alert.

0 Karma

jodros
Builder

I have built an alert action for an API call to a security device. I can invoke it manually by running a search: "host=something find_something_bad | stats count by item1 item2 item3 | sendalert cool_api_action param.item1="$result.item1$"." However when I have the alert scheduled and configured as such: "host=something find_something_bad | stats count by item1 item2 item3" it sends an email but the API call isn't working. I have the search scheduled and have the action alert and email configured as actions. Any assistance would be appreciated.

0 Karma

ehaddad_splunk
Splunk Employee

I would check that the alert is getting fired first by looking at the alert history. If it is, I would check if it works without tokenization.

0 Karma

jodros
Builder

The alert is being fired. There is an email action along with the custom alert action. I get an email but it does not appear that the API call is successful. How would I test this without tokenization?

0 Karma

jodros
Builder

I have it scheduled and it is working, however I have to leave "| sendalert param.item1="$result.item1$" " at the end of the search or it doesn't work. Is this expected behavior?

0 Karma

larryleeroberts
Path Finder

I would say yes. That is the same thing I found. The only way I could make it so that a value from a search is passed is to have it declared within the search itself like you are doing above. If there is another way, I never found it.

0 Karma

jodros
Builder

I figured out my issue. I did not have alert action inputs defined. And after I defined them, I needed to add the token $result.fieldname$, where fieldname was the actual field from the search results, as the default value for the alert action input. Another way to accomplish this would be to manually edit the alert_actions.conf file and add the line param.item = $result.fieldname$. I found what I needed in this doc: https://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertConfig. Thanks

0 Karma

ehaddad_splunk
Splunk Employee

Hi jodros,

That's the proper way to use it in an alert action. We need to update the doc in AoB as well to highlight the same.

0 Karma

larryleeroberts
Path Finder

Ah! I see. So as long as I account for helper.get_param("abc") it should pull it in then? As long as it was supplied in the search that set off the alert that is. Does that sound correct?

Just trying to make sure I account for how the syntax should be in the script.
So like this....

 value2="-m "+"'"+helper.get_param("abc")+"'"

Correct? And BIG THANK YOU for the assistance on this!
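Putting the accepted answer and jodros's finding together, the following is an added example (not the original poster's script and not Splunk's or the add-on's own code) of how the alert script can read the tokenised parameter and hand it to the external binary. It assumes the Add-on Builder helper methods visible in the question (get_param, get_events, log_info; log_error is assumed to exist alongside them), Python 3, an alert action parameter named abc whose default value is $result.fieldname$ (set in the alert action input, or as `param.abc = $result.fieldname$` in alert_actions.conf), and placeholder paths for posteifmsg and config.ini. It also replaces the os.system() format string from the question with an argument list: a search result that ends up in -m can contain quotes or semicolons, and with os.system those are interpreted by the shell instead of being delivered to posteifmsg as part of the message. The ConstructedHelper class is a constructed stand-in so the example runs offline.

```python
# Added example, not the original poster's code nor Splunk's library code.
# Assumes the Add-on Builder helper API shown in the question; paths and the
# parameter name "abc" are placeholders/assumptions.
import shlex
import subprocess

# Placeholder paths; the real add-on uses its own bin directory.
POSTEIFMSG = "/PLACEHOLDER/TA-OMNIbus/bin/posteifmsg"
CONFIG_INI = "/PLACEHOLDER/TA-OMNIbus/bin/config.ini"


def event_message(helper):
    """Return the text to send as the -m value.

    First choice is the alert action parameter "abc". Its default value is
    $result.fieldname$ (alert action input default, or the alert_actions.conf
    line  param.abc = $result.fieldname$ ), so Splunk expands it from the
    triggering result before the script runs. If it is empty, fall back to
    _raw of the first triggering event. Assumption: get_events() yields dicts
    of result fields, as the generated sample loop suggests.
    """
    message = helper.get_param("abc")
    if message:
        return message
    for event in helper.get_events():
        raw = event.get("_raw")
        if raw:
            return raw
    return ""


def build_argv(helper):
    """Build the posteifmsg argument vector.

    Every value is one argv element, so quotes, semicolons or other shell
    metacharacters inside a search result stay inside that argument instead
    of changing the command line the way they can with os.system().
    """
    return [
        POSTEIFMSG,
        "-f", CONFIG_INI,
        "-m", event_message(helper),
        "GFS_Impact=" + helper.get_param("gfs_impact"),
        "GFS_Urgency=" + helper.get_param("gfs_urgency"),
        "ISOC_Instructions=" + helper.get_param("easyvista_category_id"),
        "Generic",
        "Generic",
    ]


def process_event(helper, *args, **kwargs):
    """Alert action entry point, in the shape Add-on Builder generates."""
    helper.log_info("Alert action OMNIbus started.")
    argv = build_argv(helper)
    # shlex.join only renders the vector for the log; no shell is involved.
    helper.log_info("running: {}".format(shlex.join(argv)))
    completed = subprocess.run(argv, capture_output=True, text=True)
    if completed.returncode != 0:
        helper.log_error("posteifmsg failed rc={} stderr={}".format(
            completed.returncode, completed.stderr.strip()))
    return completed.returncode


class ConstructedHelper:
    """Constructed stand-in for the Add-on Builder helper (offline use)."""

    def __init__(self, params, events):
        self._params = params
        self._events = events
        self.logs = []

    def get_param(self, name):
        return self._params.get(name, "")

    def get_events(self):
        return iter(self._events)

    def log_info(self, msg):
        self.logs.append(("INFO", msg))

    def log_error(self, msg):
        self.logs.append(("ERROR", msg))


if __name__ == "__main__":
    # Constructed sample: what Splunk would hand the action after expanding
    # param.abc = $result.fieldname$ for a result containing shell characters.
    helper = ConstructedHelper(
        {"gfs_impact": "3", "gfs_urgency": "2",
         "easyvista_category_id": "CAT-42",
         "abc": "disk 95% on 'web01'; see ticket #1"},
        [{"_raw": "constructed raw event line"}],
    )
    argv = build_argv(helper)
    print(argv)
    print(shlex.join(argv))
```

Running the block as-is only builds and prints the argument vector; process_event() would additionally execute the binary at the placeholder path, so it is meant to be called by Splunk once the real paths are filled in.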
