Splunk Dev

Creating my first app/webhook - How do I get the results of the alert and add them to my payload?


I am a total noob with Splunk and Python.
I have created an app that is similar to the Webook app.
It is to send a JSON payload to a Glip webhook.
Everything works, except I would like to send the results that generated the alert.

This is my glip.py

import sys, json
import urllib2
import re
from collections import OrderedDict

def url_decode(urlstring):
    return urllib2.unquote(urlstring).decode('utf8')

def decode_all_urls(messagestring):
    urlre = r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
    return re.sub(urlre, decode_all_matching_urls, messagestring)

def decode_all_matching_urls(match):
    match = match.group()
    return url_decode(match)

def send_glip_message(settings):
    params = dict()

    # Decode the results link since it was already encoded; otherwise, it will be double encoded
    params['body'] = settings.get('message')
    params['icon'] = settings.get('iconurl')
    params['activity'] = settings.get('activity')
    params['title'] = settings.get('title')

    url = settings.get('webhook_url')

    body = json.dumps(params)
    print >> sys.stderr, 'DEBUG Calling url="%s" with body=%s' % (url, body)
    req = urllib2.Request(url, body, {"Content-Type": "application/json"})
        res = urllib2.urlopen(req)
        body = res.read()
        print >> sys.stderr, "INFO Glip API responded with HTTP status=%d" % res.code
        print >> sys.stderr, "DEBUG Glip API response: %s" % json.dumps(body)
        return 200 <= res.code < 300
    except urllib2.HTTPError, e:
        print >> sys.stderr, "ERROR Error sending message: %s" % e
        return False

if __name__ == '__main__':
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.loads(sys.stdin.read())
        config = payload.get('configuration')
        if not send_glip_message(config):
            print >> sys.stderr, "FATAL Sending the glip message failed"

So I am not sure how to get the results of the alert and add them to my payload.
Thanks for any help.

0 Karma

Path Finder
0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...