Developing for Splunk Enterprise

Splunk Add-on Builder alert action to store results into a custom index

nareshkumarg
Path Finder

Hi Everyone,

I am working on an add-on to collect the event results for an alert and send them to an API endpoint. Once the request succeeds, the endpoint returns a success message in JSON format, and I want to store it in a custom index and sourcetype.

I tried using the code below, but the data is written to the main index instead of my custom index. Is there a way to write the event into a custom index for an alert action built via Splunk Add-on Builder?

helper.addevent("hello", sourcetype="customsource")
helper.addevent("world", sourcetype="customsource")
helper.writeevents(index="mycustomindex", host="localhost", source="localhost")

Regards,

Naresh

0 Karma

nareshkumarg
Path Finder

@rfaircloth_splu I tried to use the following code but I got "new_event is not available". Could you please let me know how to load helper.new_event for an alert action?

# Keyword arguments need separating commas; indentation tidied.
event = helper.new_event(
    source="test source",
    index="mycustomindex",
    sourcetype="Splunksource",
    data="mydata",
)
# Fails in an alert action: new_event is not available on this helper.
ew.write_event(event)
0 Karma

nareshkumarg
Path Finder

Could someone help me with this? I am stuck on how to save the API call results back to a Splunk index from an alert action call.

Regards,

Naresh

0 Karma


rfaircloth_splu
Splunk Employee

I don't have a specific solution for what you ask, but it's common practice to send events and receive results asynchronously, so however you would collect events (file, syslog, HEC), the response would come back over that method.

0 Karma

rfaircloth_splu
Splunk Employee

I honestly don't think you can. The design of alert actions was to send the result to _internal; it's not a collection tool.

0 Karma

nareshkumarg
Path Finder

@rfaircloth_splu I am not trying to write the event to _internal index. I am trying to store the data into my custom index. So is there a way to write the data into my custom index for my requirement using alert action?

0 Karma

rfaircloth_splu
Splunk Employee

I don't know of a solution that works as you want it to. What I would normally do is what I described, where the remote side would log its results to Splunk using something like HEC, syslog or a UF.

0 Karma
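The HEC path recommended above, as an added example that is not the asker's code or part of Add-on Builder: the alert action wraps the API's JSON reply in a HEC event envelope whose index and sourcetype fields route it to the custom index. The HEC URL and token are placeholders, and the API response is a constructed sample.

```python
import json
import time
import urllib.request

# Placeholders: point these at your HEC endpoint and token.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the JSON the external API returns on success.
SAMPLE_API_RESPONSE = {"status": "success", "message": "accepted", "id": "req-1"}


def build_hec_event(api_response, index, sourcetype, host, source):
    """Wrap an API response dict in the HEC JSON envelope.

    The top-level index/sourcetype fields are what steer the event to the
    custom index rather than the token's default index (often main).
    The HEC token must list that index among its allowed indexes.
    """
    return {
        "time": time.time(),          # epoch seconds; HEC uses it as _time
        "index": index,
        "sourcetype": sourcetype,
        "host": host,
        "source": source,
        "event": api_response,        # stored as the raw JSON event body
    }


def send_to_hec(hec_event, url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST one event to HEC and return the decoded acknowledgement dict."""
    body = json.dumps(hec_event).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def forward_api_response(api_response):
    """Called from the alert action after the API call succeeds."""
    event = build_hec_event(api_response, index="mycustomindex",
                            sourcetype="customsource", host="localhost",
                            source="alert_action")
    return send_to_hec(event)
```

HEC rejects the event with an "Incorrect index" error if the token is not permitted to write to mycustomindex, so check the token's allowed indexes before blaming the alert action.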

nareshkumarg
Path Finder

@rfaircloth_splu Yes, I have that in place now using HEC. I was just wondering because with the HEC method the traffic goes out and comes back in. If it could write the data without the extra hops, that would be great.

Anyway thank you for your reply @rfaircloth_splu  👍

0 Karma