
How to change Custom Adaptive response action success status message?

Explorer

[Screenshot: the success status message shown after running the adaptive response action]

As highlighted in the above image, is it possible to change this success status message to show my own details for the custom adaptive response action which I have created?

Basically, my requirement is that after running the action, I want to give an external clickable URL to the user in the UI.
If you have any other suggestion that is also welcome.
Also it will be good to know if we can override/update things by using JavaScript here.

Thank you.

0 Karma

Re: How to change Custom Adaptive response action success status message?

Splunk Employee

@niteshp, this is hardcoded in the JavaScript modal. I'd be interested to hear more about your use case for this. Are you attempting to set up some sort of "runbook" functionality to follow this custom adaptive response action?

0 Karma

Re: How to change Custom Adaptive response action success status message?

Explorer

@smoir
Thanks for your response.
Basically, my use case is that after running my custom adaptive response action, I want to provide an external clickable URL to the user so that the user can just click on it and jump to that location for further investigation.


Re: How to change Custom Adaptive response action success status message?

Builder

My recommendation would be to use the "drilldown_uri" specification within the Common Action Model to create a custom workflow:

```
## my_app/default/alert_actions.conf
action.<action>.param._cam = { <stuff> }

## drilldown_uri:     Specifies a custom target for viewing the events
##                    outputted as a result of the action.
##                    Custom target can specify app and/or view depending on syntax.
##                    Optional.
##                    For instance, "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
```

See Splunk_SA_CIM/README/alert_actions.conf.spec for the full Common Action Model specification.


Re: How to change Custom Adaptive response action success status message?

Splunk Employee

Per @smoir and @hazekamp, that particular message is simply an acknowledgment that Splunk was able to dispatch the action, not an indication of the status of the action itself. To determine if the dispatched action was successful, merely examine the "Adaptive Responses" area of the expanded Notable Event:

[Screenshot: the "Adaptive Responses" table in the expanded Notable Event]


Re: How to change Custom Adaptive response action success status message?

Explorer

@kchamplin
Thanks for your reply.
How can I add the last Action column in Adaptive Responses (in the table you have highlighted in your screenshot)?
And can I add my own external clickable URL there?

0 Karma

Re: How to change Custom Adaptive response action success status message?

Explorer

@hazekamp
Thanks for your response.

I will try using this, but will this drilldown URL be visible in the UI? If yes, then where can I view it?

0 Karma

Re: How to change Custom Adaptive response action success status message?

Explorer

@hazekamp

I got it. I think drilldown_uri can help me get what I actually want, but I am not able to generate the URI for that. I mean, I want to create the URI using the hostname and SrcIP from my event details, for which I have added variables to the URI in alert_actions.conf, but those variables are not getting replaced with actual values, whereas I am getting the expected values in my alert Python script.

0 Karma

Re: How to change Custom Adaptive response action success status message?

Builder

We don't do full-blown token replacement here. We simply replace on $sid$ and $rid$ at this juncture. You are more than welcome to file an enhancement request.

0 Karma
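
A check for the limitation described in the reply above, added here as an example that is not part of the thread and is not Splunk's code: it reads an `action.<action>.param._cam` line, extracts `drilldown_uri`, and reports every `$token$` other than `$sid$` and `$rid$`, which would stay in the link as literal text. The action name, view name, field tokens and sid value are constructed, and percent-encoding the substituted values is this example's own choice.

```python
import json
import re
from urllib.parse import quote

# Per the reply above, only these two tokens are substituted in drilldown_uri.
SUPPORTED_TOKENS = {"sid", "rid"}
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")
CAM_RE = re.compile(
    r"^\s*action\.(?P<action>[\w-]+)\.param\._cam\s*=\s*(?P<json>\{.*\})\s*$"
)


def lint_cam_line(line):
    """Return (action, drilldown_uri, unsupported_tokens) for one _cam setting."""
    m = CAM_RE.match(line)
    if not m:
        raise ValueError("not an action.<action>.param._cam line")
    cam = json.loads(m.group("json"))
    uri = cam.get("drilldown_uri", "")  # the key is optional per the spec excerpt
    unsupported = sorted(set(TOKEN_RE.findall(uri)) - SUPPORTED_TOKENS)
    return m.group("action"), uri, unsupported


def expand_drilldown_uri(uri, sid, rid):
    """Model of the described behaviour: fill in $sid$ and $rid$, nothing else."""
    values = {"sid": quote(str(sid), safe=""), "rid": quote(str(rid), safe="")}
    # Any other $token$ is returned unchanged, so it ends up verbatim in the link.
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), uri)


# Constructed sample settings (hypothetical action, view and field names).
GOOD = ('action.my_action.param._cam = {"drilldown_uri": '
        '"my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"}')
BAD = ('action.my_action.param._cam = {"drilldown_uri": '
       '"my_view?form.host=$result.host$&form.src=$src_ip$&form.orig_sid=$sid$"}')

if __name__ == "__main__":
    for line in (GOOD, BAD):
        action, uri, unsupported = lint_cam_line(line)
        print(action, "->", expand_drilldown_uri(uri, "1500000000.42", 3))
        if unsupported:
            print("  left as literal text:",
                  ", ".join("$%s$" % t for t in unsupported))
```
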

Re: How to change Custom Adaptive response action success status message?

Explorer

Hi @hazekamp

Is it possible to add other parameters from the Splunk event into drilldown_uri along with $sid$ and $rid$?
For example: src_ip, dest, host, etc.?

Or can I create a new view in Splunk ES where I can redirect using drilldown_uri, and will it be possible to access these fields?

0 Karma