I'm working with custom alert actions. I've taken most of my example from this example. It basically takes the xml written to stdin and writes it to a log. This works fine. I've added a UI element, with a couple fields that a user can write to. I'd like the input from this also written to this xml, so that I can pass it to my script. I can't figure out how to do this. The ui input does show up in savedsearches.conf. How can I get the value entered into the ui elements to be passed to my script?
This can be done with ARF in Splunk, where you can have an input field to accept text input or a value, and that value is passed to the script to trigger some action and remediate your use case.
This link shall answer your query to resolution. Follow the same.
OK, I figured out what I'm missing. As far as I could find, this isn't documented explicitly, though maybe I'm wrong; I just couldn't find it.
I was missing the way this all links together. In alertactions.conf the [stanzaname] must be the same as the script it executes, which must be the same in savedsearches.conf action.stanzaname.param.foo. So in the UI html, you just use the action.stanzaname.param.foo when declaring the input.
I hope this explanation helps someone else in this position!
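A small check for the naming linkage described in the answer above, added here as an illustration and not part of the original posts. The function name `check_alert_action`, the stanza `my_alert` and the sample conf and HTML are constructed; the conf text stands in for the app's alert_actions.conf.

```python
import configparser
from html.parser import HTMLParser


class InputNames(HTMLParser):
    """Collect the name attribute of every form field in the alert UI HTML."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def check_alert_action(stanza, script_name, conf_text, html_text):
    """Return a list of naming mismatches; an empty list means everything lines up."""
    problems = []
    conf = configparser.RawConfigParser(strict=False)
    conf.read_string(conf_text)
    if stanza not in conf.sections():
        problems.append(f"no [{stanza}] stanza in the alert actions conf")
    if script_name.rsplit(".", 1)[0] != stanza:
        problems.append(f"script {script_name!r} is not named after stanza {stanza!r}")
    prefix = f"action.{stanza}.param."
    fields = InputNames()
    fields.feed(html_text)
    for name in fields.names:
        # Each UI field must be named action.<stanza>.param.<something>
        if not name.startswith(prefix) or name == prefix:
            problems.append(f"input name {name!r} does not start with {prefix!r}")
    return problems


# Constructed sample: the second input has a typo in the stanza part of its name.
SAMPLE_CONF = "[my_alert]\nis_custom = 1\nlabel = My alert\n"
SAMPLE_HTML = """
<input type="text" name="action.my_alert.param.username" id="username" />
<input type="text" name="action.myalert.param.realm" id="realm" />
"""

if __name__ == "__main__":
    for line in check_alert_action("my_alert", "my_alert.py", SAMPLE_CONF, SAMPLE_HTML):
        print(line)
```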
This was helpful. You are right about the documentation. It could be better. It's a little all over the place. I just needed a simple full example and I was confused about how it was being invoked. You answered my question. Thanks!
Hi @jbullough, I got the same problem where the variables declared in html cannot be passed to savedsearches.conf. I did double check and can confirm the names are identical as mentioned in your answer. Could anything else cause the issue?
html file as below:
```
<div class="control-group">
    <label class="control-label" for="username">Username</label>
    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.username" id="username" />
        <span class="help-block">
            The name of user for Fortigate SSH login
        </span>
    </div>
</div>
<div class="control-group">
    <label class="control-label" for="realm">Realm</label>
    <div class="controls">
        <input type="text" name="action.fortigate_alert.param.realm" id="realm" />
        <span class="help-block">
            What is this user credential used for?
        </span>
    </div>
</div>
```
savedsearches.conf.spec as below: