Splunk Add-on Builder: How to edit my Python code to pull the value of event for an alert?

Path Finder

I am new to Python and to the Splunk Add-On Builder but I have been figuring it out so far but now I am at the point that I am stuck. I have been trying to build a new alert option for our Splunk instance. I am able to execute a binary and pass my parameters to it when called but I have been unable to figure out the correct code to use in order to grab the event that triggered the alert.

If you look at the Python code below, look specifically at this...

value2 = "SPLUNK EVENT VALUE SHOULD BE HERE"  # passed to the binary after "-m"

I am attempting to figure out how to pull the value of the event which set off the alert and assign it to value2. Below is my full code. Any aid would be highly appreciated. Thank you!

# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    binary = "/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/posteifmsg"
    value1 = "/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin/config.ini"  # passed after "-f"
    value2 = "SPLUNK EVENT VALUE SHOULD BE HERE"  # passed to the binary after "-m"
    # get_param() returns None for an unset parameter; fall back to "" so the
    # concatenation cannot raise TypeError
    value3 = "GFS_Impact=" + (helper.get_param("gfs_impact") or "")
    value4 = "GFS_Urgency=" + (helper.get_param("gfs_urgency") or "")
    value5 = "ISOC_Instructions=" + (helper.get_param("easyvista_category_id") or "")
    value6 = "Generic"
    value7 = "Generic"
    # Run the binary with an argument list and no shell: each value is exactly
    # one argument, so a search-result value containing quotes, ';' or '$(...)'
    # cannot alter the command. The original used os.system() with "%s" string
    # formatting, which lets a hostile event field inject shell commands.
    rc = subprocess.call([binary, "-f", value1, "-m", value2,
                          value3, value4, value5, value6, value7])
    if rc != 0:
        helper.log_error("posteifmsg exited with status {}".format(rc))
    return rc
1 Solution

Splunk Employee

Hi,

When developing this in Add-on Builder, just test that the parameters work with values that you pass/hardcode. Tokenization is automatically handled by the alert action framework.
To test this out, after you are done building the alert action (make sure you restart Splunk), you can use $result.fieldname$ to dynamically pass a value from a given alert results field. Check out the "Pass search result values to alert action tokens" section of this doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.5.1/AdvancedDev/ModAlertsLog

You can test this out using the sendalert command as such:
index=_internal | head 1| eval fieldname="xyz" | sendalert myalertname param.abc="$result.fieldname$"

Splunk Employee

Yes - helper.get_param("abc") would allow you to use static or dynamic values passed from the search results triggering the alert.


Builder

I have built an alert action for an API call to a security device. I can invoke it manually by running a search: "host=something find_something_bad | stats count by item1 item2 item3 | sendalert cool_api_action param.item1="$result.item1$"." However when I have the alert scheduled and configured as such: "host=something find_something_bad | stats count by item1 item2 item3" it sends an email but the API call isn't working. I have the search scheduled and have the action alert and email configured as actions. Any assistance would be appreciated.


Splunk Employee

I would check that the alert is getting fired first by looking at the alert history. If it is, I would check if it works without tokenization.


Builder

The alert is being fired. There is an email action along with the custom alert action. I get an email but it does not appear that the API call is successful. How would I test this without tokenization?


Builder

I have it scheduled and it is working, however I have to leave "| sendalert param.item1="$result.item1$" " at the end of the search or it doesn't work. Is this expected behavior?


Path Finder

I would say yes. That is the same thing I found. The only way I could make it so that a value from a search is passed is to have it declared within the search itself like you are doing above. If there is another way, I never found it.


Builder

I figured out my issue. I did not have alert action inputs defined. After I defined them, I needed to add the token $result.fieldname$, where fieldname was the actual field from the search results, as the default value for the alert action input. Another way to accomplish this would be to manually edit the alert_actions.conf file and add the line param.item = $result.fieldname$. I found what I needed in this doc: https://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertConfig. Thanks

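Putting the thread's answer together, as an added example that is not code from any post here or from Splunk: the alert action parameter's default carries a $result.fieldname$ token (set in the UI or as param.item = $result.fieldname$ in alert_actions.conf), Splunk substitutes the first result row's field before the script runs, and the script reads the value with helper.get_param(). The FakeHelper class, the substitute_result_tokens() model of that substitution, the constructed stanza and result row, and the field names message and category are assumptions made so the example runs offline; the real substitution is performed by the framework, not by this code. The command is built as an argument list so that a value lifted from a log event cannot alter the command line, which the os.system() string formatting in the original script would allow.

```python
# Added example: models how a $result.<field>$ token declared for an alert
# action parameter reaches the action script, and builds the posteifmsg
# command line as an argument list.  FakeHelper and substitute_result_tokens()
# are assumptions standing in for the Splunk framework, which performs the
# substitution itself before the script runs.
import re
import subprocess

# Constructed stanza in the style of alert_actions.conf (key = value pairs),
# with the message and category parameters defaulted to result tokens, as the
# thread describes.
ALERT_ACTIONS_CONF_STANZA = {
    "param.message": "$result.message$",
    "param.gfs_impact": "3",
    "param.gfs_urgency": "2",
    "param.easyvista_category_id": "$result.category$",
}

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def substitute_result_tokens(params, result_row):
    """Replace each $result.<field>$ token with that field's value from the
    first result row (a model of the framework behaviour the thread describes;
    an unknown field becomes an empty string)."""
    return {
        key: TOKEN_RE.sub(lambda m: str(result_row.get(m.group(1), "")), value)
        for key, value in params.items()
    }


class FakeHelper:
    """Assumed stand-in for the Add-on Builder helper: only get_param(),
    get_events() and log_info(), the calls used in the thread, are modelled."""

    def __init__(self, resolved_params, events):
        # helper.get_param("x") returns the value of "param.x"
        self._params = {k[len("param."):]: v for k, v in resolved_params.items()}
        self._events = events
        self.log = []

    def get_param(self, name):
        return self._params.get(name)

    def get_events(self):
        return list(self._events)

    def log_info(self, msg):
        self.log.append(msg)


def build_posteifmsg_argv(helper, config_path, binary="posteifmsg"):
    """One argv element per value: shell metacharacters inside a search-result
    field stay part of that single argument instead of being parsed as shell
    syntax, which os.system("... %s" % value) would allow."""
    return [
        binary,
        "-f", config_path,
        "-m", helper.get_param("message") or "",
        "GFS_Impact=" + (helper.get_param("gfs_impact") or ""),
        "GFS_Urgency=" + (helper.get_param("gfs_urgency") or ""),
        "ISOC_Instructions=" + (helper.get_param("easyvista_category_id") or ""),
        "Generic",
        "Generic",
    ]


def process_event(helper, config_path, run=subprocess.call):
    """Alert action body in the shape of the script in the question: log the
    triggering events, build argv, run the binary without a shell and return
    its exit status (run is injectable so the example can be tested offline)."""
    for event in helper.get_events():
        helper.log_info("event={}".format(event))
    argv = build_posteifmsg_argv(helper, config_path)
    helper.log_info("running {}".format(argv))
    return run(argv)


if __name__ == "__main__":
    # Constructed first result row of a triggered alert; the message carries
    # shell metacharacters to show they remain a single, inert argument.
    row = {"message": "disk full on host01; echo injected", "category": "Storage"}
    helper = FakeHelper(substitute_result_tokens(ALERT_ACTIONS_CONF_STANZA, row), [row])
    print(build_posteifmsg_argv(helper, "/path/to/config.ini"))
```

Running the file prints the argument list for the constructed result row; in a real Add-on Builder script the helper object the framework passes to process_event() replaces FakeHelper, and the parameter names must match the ones declared for the alert action.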

Splunk Employee

Hi jodros,

That's the proper way to use it in an alert action. We need to update the doc in AoB as well to highlight the same.


Path Finder

Ah! I see. So as long as I account for helper.get_param("abc") it should pull it in then? As long as it was supplied in the search that set off the alert that is. Does that sound correct?

Just trying to make sure I account for how the syntax should be in the script.
So like this....

 value2="-m "+"'"+helper.get_param("abc")+"'"

Correct? And BIG THANK YOU for the assistance on this!