I have created a custom alert action which has 7-8 parameters. I have added a few of them as below, but this does not seem to be the correct way, as only the last parameter is validated in this case.
[validation:savedsearch]
# Require parameters to be set if webhook action is enabled
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")
I tried to combine all of those in a single statement like below, but this is also not working.
action.snow_webhook = case('action.snow_webhook'!= "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "No Service Offering specified", 1==1, null())
Can anyone help me with how to achieve this?
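The behaviour described in the question (four separate `action.snow_webhook = ...` lines, only the last one validated) follows from how .conf stanzas are read: a key repeated within one stanza keeps only its final value. The following is an added example, not code from the thread or from Splunk; it is a small Python model that loads a constructed `[validation:savedsearch]` stanza the way a last-wins reader would, and then evaluates the combined `case()` logic as a plain function so the order of the checks can be exercised offline. The parameter names and messages are the ones from the thread; the "a field that is unset compares equal to its own name" rule mirrors the `'x' == "x"` test in the conf expression and is an assumption of this model, as is the minimal conf syntax (single-line `key = value`, no continuation lines).

```python
import re

# Constructed sample stanza, shortened from the question: four lines that all
# assign the same key. With last-wins semantics only the final one survives.
SAMPLE_CONF = """
[validation:savedsearch]
# Require parameters to be set if webhook action is enabled
action.snow_webhook = case('action.snow_webhook' != "1", null(), ... "No Webhook URL specified", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), ... "Assignment Group cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), ... "Service Offering cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), ... "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\\s]+$"), "Webhook URL is invalid")

[other_stanza]
unrelated = 1
"""

# Required parameters and their messages, in the order the combined case() lists them.
REQUIRED_PARAMS = [
    ("action.snow_webhook.param.url", "No Webhook URL specified"),
    ("action.snow_webhook.param.assignment_group", "Assignment Group cannot be empty"),
    ("action.snow_webhook.param.service_offering", "Service Offering cannot be empty"),
    ("action.snow_webhook.param.description", "Description cannot be empty"),
]

# Same pattern as the validate()/match() line in the thread.
URL_PATTERN = re.compile(r"^https?://[^\s]+$")


def load_stanza(conf_text, stanza):
    """Minimal .conf reader (assumption: one 'key = value' per line, '#' comments).
    A key repeated inside the stanza overwrites the earlier value, which is why
    separate validation lines for the same key leave only the last check in force."""
    settings = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == stanza and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def is_unset(params, name):
    """Model of the conf test 'name' == "name" OR 'name' == "": a parameter counts as
    unset when it is missing, empty, or equal to its own field name."""
    value = params.get(name, name)
    return value == "" or value == name


def validate_webhook_action(params):
    """Evaluate every check and return the messages in case() order.
    An empty list means the saved search passes validation."""
    if params.get("action.snow_webhook") != "1":
        return []  # action disabled: the first case() branch returns null()
    errors = [msg for name, msg in REQUIRED_PARAMS if is_unset(params, name)]
    url_key = "action.snow_webhook.param.url"
    if not is_unset(params, url_key) and not URL_PATTERN.match(params[url_key]):
        errors.append("Webhook URL is invalid")
    return errors


def first_error(params):
    """What one combined case() expression surfaces: only the first failing branch."""
    errors = validate_webhook_action(params)
    return errors[0] if errors else None


def enabled_params(**overrides):
    """Helper to build a fully populated, enabled webhook action (constructed values)."""
    params = {
        "action.snow_webhook": "1",
        "action.snow_webhook.param.url": "https://instance.example.invalid/api/now/table/incident",
        "action.snow_webhook.param.assignment_group": "Security Operations",
        "action.snow_webhook.param.service_offering": "SIEM",
        "action.snow_webhook.param.description": "Alert from Splunk",
    }
    params.update(overrides)
    return params


if __name__ == "__main__":
    print(sorted(load_stanza(SAMPLE_CONF, "validation:savedsearch")))
    print(validate_webhook_action(enabled_params(**{"action.snow_webhook.param.assignment_group": ""})))
```

Running `load_stanza` on the sample shows that only two keys survive the stanza, so three of the four intended checks never exist as far as the reader is concerned; `validate_webhook_action` shows the messages the combined expression would emit, one per unset field, in declaration order.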
Hi,
Can you please try the config below? It should work (this is the same as what you provided, in a single line).
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")
EDIT: If the above config does not work, can you please provide your alert_actions.conf (mask any sensitive data)?
Additionally, after every change to restmap.conf you need to restart Splunk for the new configuration to take effect.
I tried the above config and restarted Splunk, but still no success. I keep getting the error 'Assignment Group cannot be empty' even though I enter something in the Assignment Group text box.
Below are my config files.
[validation:savedsearch]
# Require parameters to be set if webhook action is enabled
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")
[snow_webhook]
is_custom = 1
label = Test Webhook
description = Call REST API POST URL
icon_path = webhook.png
payload_format = json
disabled = 0
param.user_agent = Splunk/$server.guid$
# Webhook alert action settings
action.snow_webhook = [0|1]
* Enable webhook action
action.snow_webhook.param.url =
* URL to send the HTTP POST request to. Must be accessible from the Splunk server.
action.snow_webhook.param.assignment_group =
* Assignment Group in SNOW. Must be accessible from the Splunk server.
action.snow_webhook.param.service_offering =
* Service Offering in SNOW. Must be accessible from the Splunk server.
action.snow_webhook.param.description =
* Incident description in SNOW. Must be accessible from the Splunk server.
Everything looks good. I'd suggest checking whether Splunk is picking up the correct config using btool; if everything looks good there, enable DEBUG logging for AdminManager and check the DEBUG logs.
I checked and the correct conf files are loaded. However, after setting DEBUG mode for AdminManager I saw the error below in splunkd.
02-26-2019 12:52:50.966 +0000 DEBUG AdminManager - URI /en-US/splunkd/__raw/servicesNS/myuser/search/saved/searches/Test%20ServiceNow generated an AdminManagerExceptionBase exception in handler 'savedsearch': Assignment Group cannot be empty
Any idea what this error could be?
That error message is saying that Assignment Group cannot be empty, which you already got while assigning alert actions to the saved search. Can you please try to create a new scheduled search and check whether you get the same error while assigning the custom alert action?
The error I am getting is not at run time when the alert is triggered. I have added some validations to make sure that mandatory fields are set while configuring the alert itself. The error message 'Assignment Group cannot be empty' is shown on the alert configuration screen itself.
Yes, I know that you are getting the error while configuring the custom alert action for the scheduled search. Can you please create a fresh new scheduled search and try to assign the custom alert action to that search?
I created a new alert from scratch and tried to configure the custom alert action, but I am getting the same issue. Basically, once the error is set, even though a value is entered in the associated control (text box), the error does not reset.
So does this mean that if you fill in all the text boxes beforehand then no error is generated, and the alert action saves with the values and runs properly on its scheduled interval? What Splunk version are you using, and Windows or Linux?
No. Even the very first time, with all text boxes filled in with some text, it gives an error for the 2nd control, which is Assignment Group.
I have Splunk 7.2.3 on Windows platform.
Sorry, I don't have Splunk on Windows so I can't replicate this; it is worth logging a support case with Splunk.