I'm creating a custom alert action. I can use my alert action in a saved alert and in a correlation search. But I ran into a problem.
When I type a plain string into the alert action, it works and my script receives the string. But when I type a variable string like "$src_ip$ is evil" and run this alert action, I found that I receive Notable events, but the src_ip field is null.
How do I pass Notable event field values to the alert action?
If you are using your custom alert action directly in your search with the sendalert command, then yes, you can pass $result.src_ip$ to your custom alert action. Have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog
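As an added illustration of the answer above (this is example code, not the asker's script and not anything from the Splunk docs linked), here is a minimal custom alert action script that reads the JSON payload Splunk hands to the script on stdin when it runs it with `--execute`, pulls `src_ip` straight out of the `result` object, and also substitutes any `$result.<field>$` token that reaches it in a parameter. The payload below is constructed; the `message` parameter name and the `src_ip` field are assumptions. A bare `$src_ip$` is not a result token, so it stays as typed, which is exactly why the asker's field came through empty.

```python
import json
import re
import sys

# Constructed sample payload, shaped like the JSON a Splunk custom alert action
# receives on stdin when splunkd runs the script with --execute. The field
# names (src_ip, dest_ip) and the "message" parameter are assumptions for
# this illustration only.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Example - Suspicious Source IP",
    "sid": "scheduler__example__search__RMD5constructed",
    "result": {"src_ip": "203.0.113.10", "dest_ip": "198.51.100.7", "count": "12"},
    "configuration": {"message": "$result.src_ip$ is evil"},
})

# Matches tokens of the form $result.<field>$ (the form the answer recommends).
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def substitute_result_tokens(template, result):
    """Replace every $result.<field>$ token with the value from the alert's
    result row. Splunk substitutes these tokens in the action's parameters
    itself; doing it here as well makes the script tolerant of a token that
    reaches it unsubstituted. A bare $src_ip$ is not matched and stays as-is."""
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def parse_payload(raw):
    """Parse the stdin payload and return the pieces a script usually needs:
    the originating search name, the src_ip field read directly from the
    result row, and the rendered message parameter."""
    payload = json.loads(raw)
    result = payload.get("result", {})
    config = payload.get("configuration", {})
    return {
        "search_name": payload.get("search_name"),
        "src_ip": result.get("src_ip"),  # direct field access, no token needed
        "message": substitute_result_tokens(config.get("message", ""), result),
    }


def main():
    # Splunk invokes a custom alert action script with --execute and the
    # payload on stdin; anything written to stderr ends up in splunkd.log.
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("usage: script.py --execute  (JSON payload on stdin)", file=sys.stderr)
        return 1
    info = parse_payload(sys.stdin.read())
    if not info["src_ip"]:
        print("WARNING no src_ip in result for %s" % info["search_name"], file=sys.stderr)
    print("INFO %s: %s" % (info["search_name"], info["message"]), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To try it offline, pipe the constructed payload in: `python script.py --execute <<< "$SAMPLE_PAYLOAD"`, or call `parse_payload(SAMPLE_PAYLOAD)` from a Python shell. Reading `result["src_ip"]` directly is the robust option when the action is invoked from a correlation search, because it does not depend on how the parameter was typed in the UI.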
I ran into another problem. When I want to use the alert action in Incident Review, I can't find this action under Run Adaptive Response Actions. How do I configure it so the alert action can be invoked from Incident Review? Thank you very much!
When you create a custom alert action, you need to tick 'support ad-hoc invocations' [you can see this when you build the add-on using Add-on Builder], so the alert action can work in the ES framework and will be available in the list of adaptive response actions. http://dev.splunk.com/view/addon-builder/SP-CAAAFBS
I set it in App Import Updates in ES.
Application Regular Expression:
The last two names are my app name. Is this set right?
That looks good. Have you updated it by modifying the conf file directly, or have you updated it in Splunk ES Web? If you updated it by modifying the conf file directly, then you need to restart Splunk.
EDIT: You need to restart Splunk no matter how you modified it. See points 6 and 5 in this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...