Splunk Dev
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Prepopulate inputs in custom Splunk ES adaptive response action

dmills_inov
Engager
‎11-17-2021 06:14 AM

I am currently in the process of building out a custom application which will include an adaptive response action that uses a python script to update a system's group based on events that come into our incident review page. I have all of the logic working (Correlation search identifies an event, creates a notable, from there I can select the AR action, input this systems GUID into the text box and it will go from there).

My issue is that I cannot get the correct configuration to have this field prepopulated when the menu is brought up based on the event in the notable. The configuration files I believe need to be updated are the alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and <alert_action_name>.html files.

I have found some similar posts about this but nothing that gives details about the syntax needed for each file:

https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-...

https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible...

In my various config files I have the following lines:

alert_actions.conf:

param.hostname = $result.hostname$
param.connector_guid =$result.connector_guid$

alert_actions.conf.spec

param.hostname = <string>
param.cguid = <string>

savedsearches.conf.spec

param.hostname = <string>
param.cguid = <string>

<alert_action_name>.html

<form class="form-horizontal form-complex">
<div class="control-group">
	<label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span> </label>
    <div class="controls">
	<input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/>
                <span class="help-block">Verify this is the correct hostname, if not then input from the alert.</span>
    </div>
</div>
<div class="control-group">
	<label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span> </label>
    <div class="controls">
	<input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/>
    </div>
</div>
</form>

Below is the screenshot of the menu I am referring to needing to be prepopulated:Menu_Example.png

 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmills_inov
Engager
‎01-12-2022 05:51 AM

Hello, update to this I as I figured out where I was going wrong. I had the idea that when I brought up the html page for the adaptive response that all the forms would fill in with their values from the event, instead copying from the Splunk example I configured my python script to instead pull the value of the field that I wanted (https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/example....

So instead of opening up that page to input values, the page now has the field name which would be static for this process always, then when I hit run the python script can pull the value of the field from my event using this function (with field being my parameter set in my config):

parameter = result[self.configuration.get("field")]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dmills_inov
Engager
‎01-12-2022 05:51 AM

Hello, update to this I as I figured out where I was going wrong. I had the idea that when I brought up the html page for the adaptive response that all the forms would fill in with their values from the event, instead copying from the Splunk example I configured my python script to instead pull the value of the field that I wanted (https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/example....

So instead of opening up that page to input values, the page now has the field name which would be static for this process always, then when I hit run the python script can pull the value of the field from my event using this function (with field being my parameter set in my config):

parameter = result[self.configuration.get("field")]

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top