Alerting

Custom alert action ui input

jbullough
Path Finder

I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the xml written to stdin and writes it to a log. This works fine. I've added a UI element, with a couple fields that a user can write to. I'd like the input from this also written to this xml, so that I can pass it to my script. I can't figure out how to do this. The ui input does show up in savedsearches.conf. How can I get the value entered into the ui elements to be passed to my script?

Thanks!

1 Solution

jbullough
Path Finder

Ok, I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong; I just couldn't find it.

I was missing the way this all links together. In alert_actions.conf the [stanza_name] must be the same as the script it executes, which must be the same in savedsearches.conf action.stanza_name.param.foo. So in the UI html, you just use the action.stanza_name.param.foo when declaring the input.

I hope this explanation helps someone else in this position!

hexxamillion
Explorer

This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!

0 Karma

diwaly2019
New Member

Hi @jbullough, I got the same problem where the variables declared in html cannot be passed to savedsearches.conf. I did double check and can confirm the names are identical as mentioned in your answer. Could anything else cause the issue?

html file as below:

```
<div class="control-group">
    <label class="control-label" for="username">Username</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
          The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>

    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
          What is this user credential used for?
        </span>
    </div>
</div>
```

savedsearches.conf.spec as below:

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

0 Karma
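
The script side of the linkage described in the accepted answer, using the `fortigate_alert` names from the post above, as an added example that is not code from this thread or from Splunk. It assumes the XML written to stdin carries the UI values as `<param>` elements under `<configuration><stanza name="...">`; the sample payload, the `SAFE_VALUE` allow-list and the function names are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

STANZA = "fortigate_alert"        # same name as the alert_actions.conf stanza and the script
REQUIRED = ("username", "realm")  # the "foo" part of action.fortigate_alert.param.foo
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed allow-list; tighten as needed

# Constructed sample payload (assumed shape of the XML written to stdin).
SAMPLE_PAYLOAD = """<alert>
  <search_name>constructed example search</search_name>
  <configuration>
    <stanza name="fortigate_alert">
      <param name="username">svc_splunk</param>
      <param name="realm">fortigate-ssh</param>
    </stanza>
  </configuration>
</alert>"""

def read_params(payload_xml, stanza=STANZA):
    """Return {param_name: value} for the named stanza in the payload."""
    root = ET.fromstring(payload_xml)
    for node in root.iter("stanza"):
        if node.get("name") == stanza:
            return {p.get("name"): (p.text or "").strip() for p in node.iter("param")}
    raise KeyError("no <stanza name=%r> in payload" % stanza)

def validate(params, required=REQUIRED):
    """Reject missing or odd-looking values before they reach SSH or a shell."""
    for name in required:
        if not SAFE_VALUE.fullmatch(params.get(name, "")):
            raise ValueError("param %r is missing or has disallowed characters" % name)
    return {name: params[name] for name in required}

if __name__ == "__main__":
    # Use piped stdin when present, otherwise the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    try:
        print(validate(read_params(piped.strip() or SAMPLE_PAYLOAD)), file=sys.stderr)
    except (KeyError, ValueError, ET.ParseError) as exc:
        print("ERROR %s" % exc, file=sys.stderr)
        sys.exit(1)
```

If `read_params` raises `KeyError`, the stanza name in the payload does not match the one the script expects, which is the mismatch the accepted answer describes.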

thinhdinh
Path Finder

@diwaly2019 you are missing underscore marks.

```
action.fortigate_alert.param.username = <string>
action.fortigate_alert.param.realm = <string>
```

Btw do you guys know how we are able to run javascript in this HTML file? 

0 Karma

nit123
Path Finder

This can be done with ARF in Splunk where you can have an input field to accept text input or a value and that value is passed to script to trigger some action and remediate your use case.

This link shall answer your query to resolution. Follow the same.

0 Karma

jbullough
Path Finder

I appreciate the answer, no idea what ARF is. I got it working, thanks!

0 Karma

nit123
Path Finder

Cool. 🙂

0 Karma