How to add validation for multiple parameters in custom alert action

santosh_sshanbh
Path Finder

I have created a custom alert action which has 7-8 parameters. I have added a few of them as below, but this does not seem to be the correct way, as only the last parameter is validated in this case.

[validation:savedsearch]
# Require parameters to be set if webhook action is enabled
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 1==1, null())
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

I tried to club them all into a single statement like below, but this is also not working.

action.snow_webhook = case('action.snow_webhook'!= "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "No Service Offering specified", 1==1, null())

Can anyone help me with how to achieve this?


harsmarvania57
Ultra Champion

Hi,

Can you please try the below config? It should work (this is the same as what you have provided, in a single line).

action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

EDIT: If the above config does not work, can you please provide your alert_actions.conf (mask any sensitive data)?

Additionally, after every change in restmap.conf you need to restart Splunk for the new configuration to take effect.

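The answer above folds every check into one case() because, as the first post observed, only the last of several identical keys in a stanza takes effect. The following Python is an added reference model of that behaviour and of the single-chain validation semantics; it is not Splunk's evaluator and not code from this thread. The rule that an absent parameter compares equal to its own name is an assumption taken from the page's expression, and the sample stanza is constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample: the same key set twice in one stanza, as in the
# original attempt. Only the last assignment survives.
SAMPLE_CONF = """[validation:savedsearch]
action.snow_webhook = first
action.snow_webhook = second
"""

# Check order mirrors the single case() expression from the answer above:
# the first failing check wins and later ones are not reported.
REQUIRED_PARAMS = [
    ("action.snow_webhook.param.url", "No Webhook URL specified"),
    ("action.snow_webhook.param.assignment_group", "Assignment Group cannot be empty"),
    ("action.snow_webhook.param.service_offering", "Service Offering cannot be empty"),
    ("action.snow_webhook.param.description", "Description cannot be empty"),
]
URL_RE = re.compile(r"^https?://[^\s]+$")  # same pattern as the validate() line

def parse_stanza(conf_text: str) -> Dict[str, str]:
    """Minimal .conf reader: 'key = value' lines; comments and headers skipped.
    Repeated keys overwrite earlier ones, so only the last validation is kept."""
    stanza: Dict[str, str] = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        stanza[key.strip()] = value.strip()
    return stanza

def is_unset(settings: Dict[str, str], key: str) -> bool:
    """Assumption taken from the page's expression: a parameter the UI never
    sent compares equal to its own name, and an empty string is also 'unset'."""
    value = settings.get(key, key)
    return value == key or value.strip() == ""

def validate_snow_webhook(settings: Dict[str, str]) -> Optional[str]:
    """Return the first validation error, or None when the action passes."""
    if settings.get("action.snow_webhook") != "1":
        return None  # action disabled: the null() branch, nothing to check
    for key, message in REQUIRED_PARAMS:
        if is_unset(settings, key):
            return message
    if not URL_RE.match(settings["action.snow_webhook.param.url"]):
        return "Webhook URL is invalid"
    return None
```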

santosh_sshanbh
Path Finder

I tried the above config and restarted Splunk, but still no success. I keep getting the error 'Assignment Group cannot be empty' even though I enter something in the Assignment Group text box.

Below are my config files:

restmap.conf

[validation:savedsearch]
# Require parameters to be set if webhook action is enabled
action.snow_webhook = case('action.snow_webhook' != "1", null(), 'action.snow_webhook.param.url' == "action.snow_webhook.param.url" OR 'action.snow_webhook.param.url' == "", "No Webhook URL specified", 'action.snow_webhook.param.assignment_group' == "action.snow_webhook.param.assignment_group" OR 'action.snow_webhook.param.assignment_group' == "", "Assignment Group cannot be empty", 'action.snow_webhook.param.service_offering' == "action.snow_webhook.param.service_offering" OR 'action.snow_webhook.param.service_offering' == "", "Service Offering cannot be empty", 'action.snow_webhook.param.description' == "action.snow_webhook.param.description" OR 'action.snow_webhook.param.description' == "", "Description cannot be empty", 1==1, null())
action.snow_webhook.param.url = validate(match('action.snow_webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

alert_actions.conf

[snow_webhook]
is_custom = 1
label = Test Webhook
description = Call REST API POST URL
icon_path = webhook.png
payload_format = json
disabled = 0
param.user_agent = Splunk/$server.guid$

savedsearches.conf.spec

# Webhook alert action settings

action.snow_webhook = [0|1]
* Enable webhook action

action.snow_webhook.param.url = 
* URL to send the HTTP POST request to. Must be accessible from the Splunk server.

action.snow_webhook.param.assignment_group = 
* Assignment Group in SNOW. Must be accessible from the Splunk server.

action.snow_webhook.param.service_offering = 
* Service Offering in SNOW. Must be accessible from the Splunk server.

action.snow_webhook.param.description = 
* Incident description in SNOW. Must be accessible from the Splunk server.

harsmarvania57
Ultra Champion

Everything looks good. I'd suggest checking whether Splunk is picking up the correct config using btool; if everything looks good, then enable DEBUG logging for AdminManager and check the DEBUG logs.


santosh_sshanbh
Path Finder

I checked and the correct conf files are loaded. However, after setting DEBUG mode for AdminManager I saw the below error in splunkd.

02-26-2019 12:52:50.966 +0000 DEBUG AdminManager - URI /en-US/splunkd/__raw/servicesNS/myuser/search/saved/searches/Test%20ServiceNow generated an AdminManagerExceptionBase exception in handler 'savedsearch': Assignment Group cannot be empty

Any idea what this error could be?


harsmarvania57
Ultra Champion

That error message says that Assignment Group cannot be empty, which you already got while assigning Alert Actions to the saved search. Can you please try to create a new scheduled search and check whether you are getting the same error or not while assigning the custom alert action?


santosh_sshanbh
Path Finder

The error I am getting is not at run time while the alert is triggered. I have added some validations to make sure that mandatory fields are set while configuring the alert itself. The error message 'Assignment Group cannot be empty' is shown on the Alert Configuration screen itself.


harsmarvania57
Ultra Champion

Yes, I know that you are getting the error while configuring the custom alert action for a scheduled search. Can you please create a fresh new scheduled search and try to assign the custom alert action to that search?


santosh_sshanbh
Path Finder

I created a new alert from scratch and tried to configure the custom alert, but I am getting the same issue. Basically, once the error is set, even though a value is entered for the associated control (text box), the error is not resetting.


harsmarvania57
Ultra Champion

So does this mean that if you assign values in all text boxes beforehand, then no error is generated and the alert action saves with values and runs properly on scheduled intervals? What Splunk version are you using, and Windows or Linux?


santosh_sshanbh
Path Finder

No. Even the very first time, though all text boxes are filled in with some text, it gives an error for the 2nd control, which is Assignment Group.

I have Splunk 7.2.3 on Windows platform.


harsmarvania57
Ultra Champion

Sorry, I don't have Splunk on Windows so I can't replicate this; it is worth logging a support case with Splunk.
