
How do I get the 8 standard alert action script parameters AND custom parameters defined in savedsearches.conf.spec into a custom Python alert action script at the same time?

fsw2364
Path Finder

I've been able to successfully access the 8 command line parameters passed into a regular alert action shell script just fine. Now I've graduated to building a custom alert action patterned after the python-based JIRA example. I can successfully access custom alert action parameters that I've defined in savedsearches.conf.spec and populated from a custom .html fragment. But I can't seem to also access the original 8 parameters in the same custom Python alert action script. How do I access both sets of parameters in the same script at the same time?

Thanks!

1 Solution

fsw2364
Path Finder

It turns out the entire circumstances of the alert were in fact available in the payload passed to my custom Python script via sys.stdin.read(). The example from which I derived this script only showed getting the custom configuration parameters via payload.get('configuration'). I had no idea there was so much more structure to that payload because I couldn't find any Splunk documentation on it. I've included a snapshot of the full payload structure below. Respectfully suggest that Splunk folks incorporate some good explanation of this structure into their otherwise very helpful documentation.

Thanks very much for the pointers, jdonn. Cheers!

{
  "app": "",
  "owner": "",
  "results_file": "",
  "results_link": "",
  "server_host": "",
  "server_uri": "",
  "session_key": "",
  "sid": "",
  "search_name": "",
  "configuration": {
    "myCustomParam1": "",
    "myCustomParam2": "",
    "myCustomParam3": "",
    "myCustomParam4": "",
    "myCustomParam5": ""
  },
  "result": {
    "_confstr": "",
    "_eventtype_color": "",
    "_indextime": "",
    "_kv": "",
    "_raw": "",
    "_serial": "",
    "_sourcetype": "",
    "_time": "",
    "date_hour": "",
    "date_mday": "",
    "date_minute": "",
    "date_month": "",
    "date_second": "",
    "date_wday": "",
    "date_year": "",
    "date_zone": "",
    "eventtype": "",
    "host": "",
    "index": "",
    "linecount": "",
    "punct": "",
    "source": "",
    "sourcetype": "",
    "splunk_server": "",
    "timeendpos": "",
    "timestartpos": ""
  }
}
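Since the modular alert framework delivers the whole alert context on stdin as the JSON shown above, one script can pull the standard fields, the custom savedsearches.conf parameters and the first result from a single read. The following is an added example written for this thread, not the poster's script or Splunk's code; the sample payload values and the parameter names myCustomParam1/myCustomParam2 are constructed. It also masks session_key before anything is logged, since that value is a live credential.

```python
import json
import sys

# Top-level keys shown in the thread's payload snapshot, besides "configuration" and "result".
STANDARD_KEYS = ("app", "owner", "results_file", "results_link", "server_host",
                 "server_uri", "session_key", "sid", "search_name")
SECRET_KEYS = {"session_key"}  # a usable Splunk credential: keep it out of splunkd.log

# Constructed sample payload in the shape the accepted answer reports (all values made up).
SAMPLE_PAYLOAD = json.dumps({
    "app": "myapp", "owner": "admin",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/sid123/results.csv.gz",
    "results_link": "https://splunk.example:8000/app/myapp/@go?sid=sid123",
    "server_host": "splunk.example", "server_uri": "https://127.0.0.1:8089",
    "session_key": "EXAMPLE-SESSION-KEY", "sid": "sid123", "search_name": "Failed logins",
    "configuration": {"myCustomParam1": "https://api.example/hook", "myCustomParam2": "5"},
    "result": {"_time": "1700000000", "host": "web01", "source": "/var/log/auth.log"},
})


def parse_payload(raw, required_params=()):
    """Parse the stdin JSON into (standard, custom, result); raise ValueError when a
    section or a required custom parameter is missing so misconfiguration fails visibly."""
    payload = json.loads(raw)
    missing = [k for k in STANDARD_KEYS + ("configuration", "result") if k not in payload]
    if missing:
        raise ValueError("payload missing keys: " + ", ".join(missing))
    custom = payload["configuration"]
    absent = [p for p in required_params if not custom.get(p)]
    if absent:
        raise ValueError("savedsearches.conf parameters unset: " + ", ".join(absent))
    standard = {k: payload[k] for k in STANDARD_KEYS}
    return standard, custom, payload["result"]


def loggable(standard):
    """Copy of the standard fields with credential values masked, safe for stderr/splunkd.log."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in standard.items()}


if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        sys.exit(1)
    try:
        std, cfg, first = parse_payload(sys.stdin.read(), required_params=("myCustomParam1",))
    except ValueError as e:
        sys.stderr.write("ERROR %s\n" % e)
        sys.exit(3)
    sys.stderr.write("INFO %s fired; context %s\n" % (std["search_name"], json.dumps(loggable(std))))
```

Feed the script a payload to try it locally, e.g. `echo "$SAMPLE" | python alert.py --execute`, and check the INFO line shows every standard field except the masked session_key.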

jdonn_splunk
Splunk Employee

Hi,

I have always used Perl for this, but that should not matter. The arguments are passed in @ARGV. I Googled how to access that in Python and I found these two links pretty useful:

http://www.pythonforbeginners.com/system/python-sys-argv

http://stackoverflow.com/questions/4117530/sys-argv1-meaning-in-script

I hope that helps.

fsw2364
Path Finder

Thank you. When my Python script is run, it sees len(sys.argv) = 2. sys.argv[0] = full path to my script, and sys.argv[1] = '--execute', both of which I expect. Per the Jira example, the script does a sys.stdin.read() to get the 'payload', which contains the custom parameters I've defined in savedsearches.conf.spec. So perhaps a better question is 'how do I get the 8 standard parameters to be included in the payload'. Here's the script I adapted from the Jira example.

from __future__ import print_function  # keeps the Python 2 logging lines working under Python 3

import json
import sys

import requests
from myapp_helpers import get_myapp_password


def send_message(payload):
    # Custom parameters defined in savedsearches.conf.spec arrive under "configuration".
    config = payload.get('configuration')
    EXECUTE_ASYNC_PATH = "/mypath"
    url = config.get('myapp_url')
    myapp_url = url + EXECUTE_ASYNC_PATH
    mybody = {}  # the request body fields were elided in the post
    body = json.dumps(mybody)
    print("*****about to POST to: %s" % url, file=sys.stderr)
    try:
        headers = {"Content-Type": "application/json"}
        result = requests.post(url=myapp_url, data=body, headers=headers)
        print("INFO myapp app launch HTTP status= %s" % result, file=sys.stderr)
        print("INFO myapp app launch server response: %s" % result.text, file=sys.stderr)
        return True
    except Exception as e:
        print("ERROR Error sending message: %s" % e, file=sys.stderr)
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        print("****HERE IS THE len(sys.argv)****: %s" % len(sys.argv), file=sys.stderr)
        print("****HERE IS THE sys.argv****: %s" % sys.argv, file=sys.stderr)
        try:
            # Splunk passes the alert context, including "configuration", as JSON on stdin.
            raw_payload = sys.stdin.read()
            payload = json.loads(raw_payload)
            send_message(payload)
        except Exception as e:
            print("ERROR Unexpected error: %s" % e, file=sys.stderr)
            sys.exit(3)
    else:
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)

Appreciate the help!

santosh_sshanbh
Path Finder

I have created a setup.xml file for my app and am saving the user name and password in alert_actions.conf. I am reading those parameters in the Python script using code similar to what is mentioned here. But the problem I am facing is that the configuration passed to the Python script does not get the updated values of the service endpoints I used.

fsw2364
Path Finder

Hey, sorry about the formatting mess...

jdonn_splunk
Splunk Employee

I am out of my depth here for Python specifics, but I did find another example Python script - https://github.com/georgestarcher/Splunk-Alert

Perhaps the answer is in there?

fsw2364
Path Finder

I tried os.environ['SPLUNK_ARG_8'] as shown in the cited example, but no SPLUNK_ARGs were in the environment. I did finally figure it out - explained in the next post.
