I've been able to successfully access the 8 command line parameters passed into a regular alert action shell script just fine. Now I've graduated to building a custom alert action patterned after the Python-based JIRA example. I can successfully access custom alert action parameters that I've defined in savedsearches.conf.spec and populated from a custom .html fragment. But I can't seem to also access the original 8 parameters in the same custom Python alert action script. How do I access both sets of parameters in the same script at the same time?
Thanks!
It turns out the entire circumstances of the alert were in fact available in the payload passed to my custom Python script via sys.stdin.read(). The example from which I derived this script only showed getting the custom configuration parameters via payload.get('configuration'). I had no idea there was so much more structure to that payload because I couldn't find any Splunk documentation on it. I've included a snapshot of the full payload structure below. Respectfully suggest that Splunk folks incorporate some good explanation of this structure into their otherwise very helpful documentation.
Thanks very much for the pointers, jdonn. Cheers!
{"app":"",
"owner":"",
"results_file":"",
"results_link":"",
"server_host":"",
"server_uri":"",
"session_key":"",
"sid":"",
"search_name":"",
"configuration":{"myCustomParam1":"","myCustomParam2":"","myCustomParam3":"","myCustomParam4":"","myCustomParam5":""},
"result":{"_confstr":"",
"_eventtype_color":"",
"_indextime":"",
"_kv":"",
"_raw":"",
"_serial":"",
"_sourcetype":"",
"_time":"",
"date_hour":"",
"date_mday":"",
"date_minute":"",
"date_month":"",
"date_second":"",
"date_wday":"",
"date_year":"",
"date_zone":"",
"eventtype":"",
"host":"",
"index":"",
"linecount":"",
"punct":"",
"source":"",
"sourcetype":"",
"splunk_server":"",
"timeendpos":"",
"timestartpos":""}
}
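An added example (not part of the original posts and not Splunk's own code): one way to read both the alert context and the custom parameters from the stdin payload shown above, masking session_key and credential-like parameters before anything is written to the log. The sample values, the api_password parameter and the marker list are assumptions made for illustration.

```python
import json
import sys

# Top-level keys from the payload snapshot above (the alert context).
CONTEXT_KEYS = ("app", "owner", "search_name", "sid", "server_host",
                "server_uri", "results_file", "results_link")
# Key-name fragments whose values must never be logged. "password" and "token"
# are assumed naming patterns for custom parameters, not taken from the post.
SENSITIVE_MARKERS = ("session_key", "password", "token")


def parse_payload(raw):
    """Split the stdin JSON into alert context, custom config and result row."""
    payload = json.loads(raw)
    if not isinstance(payload, dict):
        raise ValueError("alert payload must be a JSON object")
    context = {k: payload.get(k, "") for k in CONTEXT_KEYS}
    config = payload.get("configuration") or {}
    result = payload.get("result") or {}
    return context, config, result, payload.get("session_key", "")


def redact(obj):
    """Return a copy that is safe to log: sensitive values masked recursively."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if any(m in k.lower() for m in SENSITIVE_MARKERS)
                else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample payload: values are made up, keys follow the snapshot.
SAMPLE = json.dumps({
    "app": "search", "owner": "admin", "sid": "scheduler__admin__search__1",
    "search_name": "Failed logins", "server_host": "splunk01",
    "server_uri": "https://127.0.0.1:8089", "session_key": "CONSTRUCTED-KEY",
    "results_file": "/tmp/results.csv.gz", "results_link": "http://splunk01/r",
    "configuration": {"myCustomParam1": "ops-queue", "api_password": "hunter2"},
    "result": {"host": "web01", "sourcetype": "linux_secure", "_raw": "sample"},
})

if __name__ == "__main__":
    # Splunk passes --execute and the payload on stdin; otherwise use the sample.
    raw = sys.stdin.read() if sys.argv[1:2] == ["--execute"] else SAMPLE
    context, config, result, _session_key = parse_payload(raw)
    sys.stderr.write("INFO payload=%s\n" % json.dumps(redact(json.loads(raw))))
    sys.stderr.write("INFO search=%s host=%s param1=%s\n" % (
        context["search_name"], result.get("host"), config.get("myCustomParam1")))
```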
Hi,
I have always used Perl for this, but that should not matter. The arguments are passed in @ARGV. I Googled how to access that in Python and I found these two links pretty useful:
http://www.pythonforbeginners.com/system/python-sys-argv
http://stackoverflow.com/questions/4117530/sys-argv1-meaning-in-script
I hope that helps.
Thank you. When my python script is run, it sees len(sys.argv) = 2. sys.argv[0]=full path to my script, and sys.argv[1]='--execute' both of which I expect. Per the Jira example, the script does a sys.stdin.read() to get the 'payload', which contains the custom parameters I've defined in savedsearches.conf.spec. So perhaps a better question is 'how do I get the 8 standard parameters to be included in the payload'. Here's the script I adapted from the Jira example.
import sys
import json
import requests
from myapp_helpers import get_myapp_password
def send_message(payload):
    config = payload.get('configuration')
    EXECUTE_ASYNC_PATH = "/mypath"
    url = config.get('myapp_url')
    myapp_url = url + EXECUTE_ASYNC_PATH
    body = json.dumps({
        mybody
    })
    print >> sys.stderr, "*****about to POST to: %s" % url
    try:
        headers = {"Content-Type": "application/json"}
        result = requests.post(url=myapp_url, data=body, headers=headers)
        print >>sys.stderr, "INFO myapp app launch HTTP status= %s" % result
        print >>sys.stderr, "INFO myappapp launch server response: %s" % config
    except Exception, e:
        print >> sys.stderr, "ERROR Error sending message: %s" % e
        return False
if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        print >> sys.stderr, "****HERE IS THE len(sys.argv)****: %s" % len(sys.argv)
        print >> sys.stderr, "****HERE IS THE sys.argv****: %s" % sys.argv
        try:
            raw_payload = sys.stdin.read()
            payload = json.loads(raw_payload)
            send_message(payload)
        except Exception, e:
            print >> sys.stderr, "ERROR Unexpected error: %s" % e
            sys.exit(3)
    else:
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)
Appreciate the help!
I have created a setup.xml file for my app and am saving the user name and password in alert_actions.conf. I am reading those parameters in a Python script using code similar to that mentioned here. But the problem I am facing is that the configuration passed to the Python script does not get the updated values of the service endpoints I used.
Hey, sorry about the formatting mess...
I am out of my depth here for Python specifics, but I did find another example Python script - https://github.com/georgestarcher/Splunk-Alert
Perhaps the answer is in there?
I tried os.environ['SPLUNK_ARG_8'] as shown in the cited example, but no SPLUNK_ARGs were in the environment. I did finally figure it out - explained in the next post.