
How to generate alerts programmatically?

New Member

Hi,

I want to achieve this:
Whenever we search something in Splunk, I want to return the search URL along with the Splunk results.
Manually, I created an alert in Splunk which triggers every hour and returns the View Results link.
How can I do it programmatically? I don't want to create alerts manually like this.
Please help.

TIA.


Re: How to generate alerts programmatically?

Legend

@deshpandevikasv, can you please describe what you want to achieve/mean by "programmatically"?

Sending email is one of the alert actions.

You can also send emails from:
1) Dashboards: http://docs.splunk.com/Documentation/SplunkCloud/latest/Report/GeneratePDFsofyourreportsanddashboard...
2) Scheduled Reports: https://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports#Define_a_Send_Email_actio...
3) sendemail SPL command: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

| eval message="Happy Splunking!!!"


Re: How to generate alerts programmatically?

New Member

Thank you for the comment @niketnilay!
By programmatically I meant creating an alert through a Java program depending on the input I get from another service.


Re: How to generate alerts programmatically?

Legend

@deshpandevikasv, it seems like you want to send the email from outside of Splunk without having to create an alert in Splunk.

You might have to go for either:
(1) Calling the Splunk REST API to authenticate and connect to Splunk and execute a Splunk search with the sendemail command to trigger the email (http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches), or
(2) Using the Splunk SDK for Java to perform similar activities (http://dev.splunk.com/java).


| eval message="Happy Splunking!!!"


Re: How to generate alerts programmatically?

New Member

Thank you @niketnilay. I was able to create an alert, and if I run the same code again it gives me a "Saved Search already exists" error, which is expected. But I am not able to see that alert being created in the Splunk web UI. Any idea why?

TIA.


Re: How to generate alerts programmatically?

New Member

@deshpandevikasv, can you share the code you use to create the alert?


Re: How to generate alerts programmatically?

Champion

"Manually, I created an alert in Splunk which triggers every hour and returns the View Results link"

May I know how you get this "View Results" link?
Is this on Linux or Windows?


Re: How to generate alerts programmatically?

New Member

@inventsekar, I get the View Results link in the email, which is the action set to run when the alert is triggered every hour. And I am using a Mac, which shouldn't matter since this is just an alert triggered in the Splunk web UI and the action is to send an email.


Re: How to generate alerts programmatically?

Splunk Employee

If you want to generate your own link directly to the results, you'll need to find out the Search ID (SID) of the query you just ran. The easiest way to do this is via the addinfo command. For example:

index=awesome_data earliest=-60m | ...  | addinfo

This will add a few fields to all of your event results, but the one you care about is info_sid. You can use this field to build your own reference to the results of the search. The search page within Splunk can take a form field named sid with the value of the Search ID, like the following:

https://splunk.deshpandevikasv.com/en-US/app/search/search?sid=1501109999.63975

So if you wanted to do this within the search you could do something like this:

index=awesome_data earliest=-60m | ...  | addinfo | eval results_url="https://splunk.deshpandevikasv.com/en-US/app/search/search?sid=" . info_sid

When you go to the link with a provided sid, Splunk will load the results of that prior query from the dispatch directory.

A couple notes:

  1. Keep in mind the default retention of search results. You don't want Splunk to delete the results after 10m if you want to access the data via URL for a couple of days. If you're doing this via a Scheduled Search, make sure you set the TTL of the results appropriately. This will also impact disk space if you are saving lots of results for a long time.
  2. You might not want to go directly to the Search page, but obtaining that sid using the addinfo command is the key take-away. That sid value can be used in other places once you have it (e.g. with the loadjob command).
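Putting the two suggestions in this thread together (creating the alert over the REST API rather than by hand, and embedding the addinfo/info_sid link in the results), here is an added Python example that is not code from any poster. The host names, session key, recipients and helper names are assumptions; the form fields are those of the saved/searches REST endpoint, and dispatch.ttl is the setting that addresses the retention note above.

```python
"""Build the REST request that creates an hourly Splunk alert whose results carry
a direct link to the search job. Constructed example: nothing is sent until
urlopen() is called, so it can be inspected offline."""
import urllib.parse
import urllib.request


def build_alert_spl(base_search: str, splunk_web_url: str, app: str = "search") -> str:
    """Append addinfo and an eval that turns info_sid into a results URL, exactly
    as the answer above does by hand."""
    results_base = f"{splunk_web_url.rstrip('/')}/en-US/app/{app}/search?sid="
    return f'{base_search} | addinfo | eval results_url="{results_base}" . info_sid'


def saved_search_payload(name: str, spl: str, cron: str, recipients: list,
                         ttl_seconds: int = 2 * 24 * 3600) -> dict:
    """Form fields for POST .../saved/searches. dispatch.ttl keeps the job (and so
    the sid link) alive; the default would expire it long before a couple of days."""
    return {
        "name": name,
        "search": spl,
        "is_scheduled": "1",
        "cron_schedule": cron,              # "0 * * * *" fires at the top of every hour
        "alert_type": "always",             # trigger on every scheduled run
        "alert.track": "1",                 # record it under Triggered Alerts
        "actions": "email",
        "action.email.to": ",".join(recipients),
        "action.email.sendresults": "1",    # results (with results_url) go in the mail
        "action.email.inline": "1",
        "dispatch.ttl": str(ttl_seconds),
    }


def create_saved_search_request(mgmt_url: str, owner: str, app: str,
                                session_key: str, payload: dict) -> urllib.request.Request:
    """POST into the owner/app namespace. Saved searches are scoped to that
    namespace, so look in the same app in Splunk Web when checking the new alert.
    Re-posting the same name yields HTTP 409 (already exists); to update instead,
    POST to .../saved/searches/<name> and omit the name field."""
    url = f"{mgmt_url.rstrip('/')}/servicesNS/{owner}/{app}/saved/searches"
    body = urllib.parse.urlencode(payload).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Authorization": f"Splunk {session_key}"})


if __name__ == "__main__":
    # splunk.example.com and <SESSION_KEY> are placeholders, not real values.
    spl = build_alert_spl("index=awesome_data earliest=-60m", "https://splunk.example.com")
    payload = saved_search_payload("hourly_results_link", spl, "0 * * * *", ["soc@example.com"])
    req = create_saved_search_request("https://splunk.example.com:8089", "admin", "search",
                                      "<SESSION_KEY>", payload)
    print(req.full_url, req.data.decode(), sep="\n")
    # with urllib.request.urlopen(req) as resp: print(resp.status)  # against a live instance
```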

Re: How to generate alerts programmatically?

New Member

Thank you @jhupka [Splunk]. Will try this as well.
