Splunk Enterprise Security

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?


I created an alert action using the latest version of Add-on Builder (v2.2) using some other Splunk answers posts as a reference. When testing the alert action in Add-on Builder it works and calls the executable correctly, sending an event to a ticketing system. When I attempt to use the same code as an alert action for a Correlation Search, it fails. Here's the code from modalert_sendevent_helper.py:

# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess


def process_event(helper, *args, **kwargs):
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    # The following example gets the alert action parameters and prints them to the log
    title = helper.get_param("title")
    hostname = helper.get_param("hostname")
    severity = helper.get_param("severity")
    sid = helper.get_param("sid")
    message = helper.get_param("message")

    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        # The loop had no body in the posted code; log each triggering event
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]

    helper.log_info("Alert action sendevent started.")

    # Remove characters that will break SendEvent syntax.
    # get_param() returns None for a parameter that was left unset, and
    # None has no .replace(); fall back to "" so the action does not crash.
    def clean(value):
        return (value or "").replace('"', '').replace("'", '')

    title = clean(title)
    message = clean(message)
    hostname = clean(hostname)
    severity = clean(severity)
    sid = clean(sid)

    # value2="-m "+"'"+variable+"'"
    # value6="-s "+helper.get_param("severity")

    # Build the SendEvent command as an argument list instead of a shell
    # string: no shell parses the field values, so they reach SendEvent
    # exactly as given and no quoting is needed. The posted os.system()
    # call also referenced value1, which was never assigned (a NameError
    # at runtime); that placeholder is dropped here.
    command = [
        "/opt/splunk/etc/apps/TA-sendevent/bin/SendEvent",
        "-q", "SplunkES",
        "-a", title,
        "-n", hostname,
        "-p", "PROFILE",
        "-s", severity,
        "-k", sid,
        "-c", "SERVER",
        "-m", message,
    ]
    helper.log_info("Running SendEvent: {}".format(" ".join(command)))
    rc = subprocess.call(command)
    if rc != 0:
        # Surface a failing SendEvent in the sendmodalert log instead of
        # silently returning success
        helper.log_error("SendEvent exited with status {}".format(rc))
        return rc

    return 0

My alert_actions.conf file is below:

is_custom = 1
description = Send a ticket
payload_format = json
icon_path = alert_sendevent.png
param._cam = {"task": ["create"], "subject": ["splunk.event"], "category": ["Information Conveyance"], "technology": [{"version": ["1.0"], "product": "Splunk Enterprise", "vendor": "Splunk"}]}
label = SendEvent

param.message  =
param.hostname = 
param.sid      =
param.severity = 
param.title    =

I can see my successful attempts in Add-on Builder in the Splunk logs (sendmodalert), but I'm not sure what I'm missing outside of Test.
Do I need to specify a command parameter in my alert_actions.conf file above (i.e. command = sendalert sendevent.py)?
I've tried several methods of triggering it in the alert_actions.conf file using command option, but none have worked so far.
Any help is much appreciated.

0 Karma
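The following is an added example, not code from the question or from Splunk's Add-on Builder. It shows how the SendEvent call in the question can be exercised offline, with a stand-in for the Add-on Builder helper object, so that the argument list the alert action would hand to SendEvent can be inspected and the unset-parameter case can be checked before the action is attached to a correlation search. The SendEvent path and option letters are taken from the question; `FakeHelper`, `build_sendevent_argv`, `run_alert` and the sample parameters are constructed here, and it is an assumption that the real `helper.get_param()` returns `None` for a parameter that was left unset.

```python
import subprocess
from typing import Dict, List, Optional

# Path from the question; everything else in this file is constructed.
SENDEVENT_BIN = "/opt/splunk/etc/apps/TA-sendevent/bin/SendEvent"


class FakeHelper:
    """Stand-in for the Add-on Builder helper (assumed interface: get_param
    returns the configured value, or None when the parameter is unset)."""

    def __init__(self, params: Dict[str, Optional[str]]):
        self.params = params
        self.logged: List[str] = []

    def get_param(self, name: str) -> Optional[str]:
        return self.params.get(name)

    def log_info(self, msg: str) -> None:
        self.logged.append("INFO " + msg)

    def log_error(self, msg: str) -> None:
        self.logged.append("ERROR " + msg)


def clean(value: Optional[str]) -> str:
    """Strip the quote characters the question says break SendEvent syntax,
    treating an unset parameter (None) as an empty string instead of raising."""
    return (value or "").replace('"', "").replace("'", "")


def build_sendevent_argv(helper) -> List[str]:
    """Build the SendEvent command as an argv list: no shell parses the
    notable-event fields, so they reach SendEvent byte-for-byte."""
    return [
        SENDEVENT_BIN,
        "-q", "SplunkES",
        "-a", clean(helper.get_param("title")),
        "-n", clean(helper.get_param("hostname")),
        "-p", "PROFILE",
        "-s", clean(helper.get_param("severity")),
        "-k", clean(helper.get_param("sid")),
        "-c", "SERVER",
        "-m", clean(helper.get_param("message")),
    ]


def run_alert(helper, runner=subprocess.call) -> int:
    """What process_event() would do with the list: run it, log, and return
    the exit status so a failing SendEvent is visible in the sendmodalert log.
    'runner' is injectable so the action can be exercised without SendEvent."""
    argv = build_sendevent_argv(helper)
    helper.log_info("Running SendEvent with %d arguments" % len(argv))
    rc = runner(argv)
    if rc != 0:
        helper.log_error("SendEvent exited with status %d" % rc)
    return rc


# Constructed sample parameters for one notable event. "message" is left
# unset to mimic a correlation search whose alert action config never
# fills it in; the title carries quotes that clean() must strip.
SAMPLE_PARAMS: Dict[str, Optional[str]] = {
    "title": "Brute force against 'admin' account",
    "hostname": "web01.example.com",
    "severity": "high",
    "sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__SID_PLACEHOLDER",
    "message": None,
}


def demo() -> Dict[str, object]:
    """Run the action against SAMPLE_PARAMS with a capturing runner instead of
    the real binary and return what it would have executed."""
    helper = FakeHelper(SAMPLE_PARAMS)
    captured: Dict[str, List[str]] = {}

    def fake_runner(argv: List[str]) -> int:
        captured["argv"] = argv
        return 0

    rc = run_alert(helper, runner=fake_runner)
    return {"rc": rc, "argv": captured["argv"], "log": helper.logged}


if __name__ == "__main__":
    print(demo())
```

Swapping `fake_runner` for the default `subprocess.call` runs the real SendEvent binary; comparing the returned argv with what the sendmodalert log shows for the correlation search run is a quick way to tell whether the script is reached at all or reached with different parameters than in Test.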