What could be the reason custom app alert is not w...

geekf · ‎05-24-2023

I have created a custom app and I get this error in Splunk

 Error in 'sendalert' command: Alert action script for action "list_ip" not found.

I am using list_ip in both alert_actions.conf and commands.conf. The Python file is in /bin. What could be the reason for this error?

Here are the file contents

commands.conf

[list_ip]
filename = list.py
command.arg.1 = $results.file$

alert_actions.conf

[list_ip]
label = List IP
description = This action will send IP addresses to a custom webhook
icon_path = icon.png
is_custom = 1
payload_format = json

list.py

#!/usr/bin/env python3

import csv
import json
import requests
import sys

def send_webhook(ip_list):
    url = "http://192.168.28.215:8080/list_ips"
    headers = {
        "Content-Type": "application/json; charset=utf-8"
    }
    data = {
        "ips": ip_list
    }
    response = requests.post(url, data=json.dumps(data), headers=headers)
    print(response.status_code)

def main():
    if len(sys.argv) > 1:
        results_file = sys.argv[1]  # retrieve the results file passed as argument
        ip_list = []

        with open(results_file, 'r') as file:
            reader = csv.DictReader(file)
            for row in reader:
                ip_list.append(row['ip'])

        send_webhook(ip_list)
    else:
        print("No arguments provided.")

if __name__ == "__main__":
    main()

What could be the reason custom app alert is not working?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Are you a member of the Splunk Community?

What could be the reason custom app alert is not working?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI