Hi!
I'm creating a custom alert action. I can use my alert action in a saved alert and in a Correlation search. But I have run into a problem.
When I type a plain string into the alert action, it works and my script receives the string. But when I type a variable string like "$src_ip$ is evil" and run this alert action, I find that I receive Notable events, but the src_ip field is null.
How do I pass Notable event field values to the alert action?
Hi,
Can you please try $result.src_ip$ instead of $src_ip$?
You mean, when passing a value while creating the correlation search, I should use $result.src_ip$? Do I need to write some configuration in any conf?
If you are using your custom alert action directly in your search with the sendalert command, then yes, you can pass $result.src_ip$ to your custom alert action. Have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog
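As an added example (not the asker's script and not Splunk's own code), a Python skeleton of a custom alert action running in --execute mode: it parses the JSON payload Splunk pipes to stdin, reads the alert_actions.conf parameter from "configuration" and the triggering row from "result", and expands any $result.field$ or $field$ token that reaches the script still unexpanded. The payload shape follows the modular alert docs linked above; the search name, parameter names and field values in SAMPLE_PAYLOAD are constructed.

```python
import json
import re
import sys

# Matches $field$ and $result.field$ tokens as typed into an alert action parameter.
TOKEN_RE = re.compile(r"\$(?:result\.)?([A-Za-z_][A-Za-z0-9_]*)\$")


def expand_tokens(template, result):
    """Replace $field$ / $result.field$ with values from the triggering result row.

    Splunk normally performs this substitution before the script runs; doing it
    here as well is a fallback for a parameter that arrived with the token still
    unexpanded (a missing field expands to an empty string)."""
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def has_unexpanded_tokens(value):
    """True if a parameter value still contains a $...$ token."""
    return bool(TOKEN_RE.search(value))


def parse_payload(raw):
    """Parse the --execute JSON payload into the pieces an alert script needs."""
    payload = json.loads(raw)
    config = payload.get("configuration", {})
    result = payload.get("result", {})
    params = {k: expand_tokens(v, result) if isinstance(v, str) else v
              for k, v in config.items()}
    return {"search_name": payload.get("search_name"), "params": params, "result": result}


# Constructed sample payload in the shape Splunk sends; values are invented.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Suspicious outbound traffic",
    "configuration": {"message": "$result.src_ip$ is evil", "severity": "high"},
    "result": {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "count": "42"},
})


if __name__ == "__main__":
    if "--execute" not in sys.argv:
        sys.exit("usage: script.py --execute  (JSON payload on stdin)")
    info = parse_payload(sys.stdin.read())
    # Log to stderr: Splunk records it under the alert action's log in _internal.
    print(f"INFO search={info['search_name']!r} params={info['params']}", file=sys.stderr)
```

Run locally with `python script.py --execute < payload.json` to see what the script would receive, substituting the constructed SAMPLE_PAYLOAD for a real saved payload.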
I have run into another problem. When I want to use the alert action in Incident Review, I can't find this action under Run Adaptive Response Actions. How do I configure it so the alert action can be invoked in Incident Review? Thank you very much!
Have a look at this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps ; you need to configure ES so that it will import config from your custom alert action's app.
I had already imported the custom app at first. It seems that doesn't work!
When you create a custom alert action, you need to tick 'support ad-hoc invocations' [you can see this when you build the add-on using Add-on Builder], so the alert action can work in the ES framework and will be available in the list of adaptive responses. http://dev.splunk.com/view/addon-builder/SP-CAAAFBS
I created it manually, so I want to know how to do this manually!
What's the name of your custom app which contains the alert action config? And can you please provide the ES app_imports_update://update_es configuration?
I set it in App Import Updates in ES.
Application Regular Expression: (appsbrowser)|(phantom)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(send_notify)|(sao)
The last two names are my app names; is this set right?
That looks good. Have you updated it by modifying the conf file directly, or have you updated it in Splunk ES Web? If you updated it by modifying the conf file directly, then you need to restart Splunk.
EDIT: You need to restart Splunk no matter how you modified it. See points 6 and 5 in this doc https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...
Uh, the official doc misled me. I set up param.cam in alert_actions.conf. It appeared! Thank you for helping me! ^^
Uh, your first answer is right. I just wrote the HTML and restarted Splunk, no need to modify the configuration. Thanks!