Developing for Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Addon builder alert action to store results in to a custom index

nareshkumarg
Path Finder
‎09-29-2020 08:19 AM

Hi Everyone,

I am working on an addon to collect event result based for an an alert and send it to an API endpoint. Once the response is success the endpoint returns a success message in a json format and I Want to store it in a custom index and sourcetype.

I tired using below code but the data is written to Main index instead of my custom index. Is there way to write the event in to custom index for an alert action build via Splunk Addon builder.

helper.addevent("hello", sourcetype="customsource")
helper.addevent("world", sourcetype="customsource")
helper.writeevents(index="mycustomindex", host="localhost", source="localhost")

Regards,

Naresh

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rfaircloth_splu
Splunk Employee
Splunk Employee
‎10-02-2020 07:34 AM

I don't know of a solution that works as you want it to. What I would normally do is what I described where the remote side would log its results to Splunk using something like HEC, syslog or a UF

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nareshkumarg
Path Finder
‎10-01-2020 02:03 PM

@rfaircloth_splu I tried to use the following code but I got new_event is not available. Could you please let me know on how to load helper.new_event for alert action.

 

 event = helper.new_event(
                source="test source"
                index="mycustomindex" 
                sourcetype="Splunksource", 
                data="mydata"
                )
            ew.write_event(event)
0 Karma
Reply
Solved! Jump to solution

nareshkumarg
Path Finder
‎10-01-2020 07:22 AM

Could some one help me on this. I am stuck on how to save the API call results back to splunk index for an alert action call.

Regards,

Naresh

0 Karma
Reply
Solved! Jump to solution

nareshkumarg
Path Finder
‎09-29-2020 01:09 PM

Could some one help me on this. I am stuck on how to save the API call results back to splunk index for an alert action call.

Regards,

Naresh

0 Karma
Reply
Solved! Jump to solution

rfaircloth_splu
Splunk Employee
Splunk Employee
‎10-01-2020 01:39 PM

I don't have a specific solution as you ask for but its a common practice to send events and receive results async so however you would collect events (file syslog hec) the response would come back over that method 

0 Karma
Reply
Solved! Jump to solution

rfaircloth_splu
Splunk Employee
Splunk Employee
‎10-01-2020 02:13 PM

I honestly don't think you can the design of alert actions was to send the result to _internal its not a collection tool. 

0 Karma
Reply
Solved! Jump to solution

nareshkumarg
Path Finder
‎10-02-2020 06:35 AM

@rfaircloth_splu I am not trying to write the event to _internal index. I am trying to store the data into my custom index. So is there a way to write the data into my custom index for my requirement using alert action?

0 Karma
Reply
Solved! Jump to solution
Solution

rfaircloth_splu
Splunk Employee
Splunk Employee
‎10-02-2020 07:34 AM

I don't know of a solution that works as you want it to. What I would normally do is what I described where the remote side would log its results to Splunk using something like HEC, syslog or a UF

0 Karma
Reply
Solved! Jump to solution

nareshkumarg
Path Finder
‎10-02-2020 07:50 AM

@rfaircloth_splu Yes I have that in place now using HEC. I was just wondering because if we use HEC method the traffic goes out and comes in. Instead if it can write the data without multiple hope should be great.

Anyway thank you for your reply @rfaircloth_splu  👍

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!