Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to use a configuration stanza in we...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ramabu
Path Finder
01-30-2016
11:08 PM
I am sure this is not an existing syntax 🙂 and yet - is it possible to encode such URL-s?
======================
Feb 10th:
So I will sort of repeat the question:
If I POST to e.g. https://10.41.1.136/splunk/alerts?disposition=3&auth=MyApp%20206eb5cb3c-5c70-4cb7-8844-5a0407a43ca7, then everything works fine.
But '10.41.1.136' and '206eb5cb3c-5c70-4cb7-8844-5a0407a43ca7' actually configurable for the app. Is it possible to save the search in a "formal" format, and have actual values replace the formal ones upon alert being triggered?
I did see how to reference a result field, but it's is not useful in this case.
Thanks
rama
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ramabu
Path Finder
02-21-2016
04:04 AM
It appears that it is not possible,
But there are alternatives.
It would involve creating a custom alert action, which is actually a one-alert-app.
Once installed correctly, it shows in the list of actions in 'add actions', have a user interface, and more.
Using it, one can have the user explicitly state the required input for the action to complete successfully.
Its all here http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
However, I could not follow the explanation until I read it from the perspective of it being a separate add-on.
I also tried to run a python script instead of a webhook. This option is smooth, but the script has to work out the required data by parsing the attached results, which can be quite challenging; with the webhook, the "fielded" result is attached in JSON
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ramabu
Path Finder
02-21-2016
04:04 AM
It appears that it is not possible,
But there are alternatives.
It would involve creating a custom alert action, which is actually a one-alert-app.
Once installed correctly, it shows in the list of actions in 'add actions', have a user interface, and more.
Using it, one can have the user explicitly state the required input for the action to complete successfully.
Its all here http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
However, I could not follow the explanation until I read it from the perspective of it being a separate add-on.
I also tried to run a python script instead of a webhook. This option is smooth, but the script has to work out the required data by parsing the attached results, which can be quite challenging; with the webhook, the "fielded" result is attached in JSON
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
