Splunk IT Service Intelligence

Splunk IT Service Intelligence 3.14: could you help me with custom actions?

Justinboucher0
Path Finder

Having trouble understanding the IT Service Intelligence (ITSI) custom actions documentation.

All I want to do is send an email from ITSI with the fields $result.subject$ and $result.body$ and the email address pre-filled out. In other words, we just want the analyst to be able to click on the action, and then, it would send the email to the right people with the right event information without them having to input the addresses or tokens. We also wanted to name it something meaningful other than "Send an Email". I wrote a simple PowerShell script to send the email, but I'm having a lot of trouble understanding how to create the custom action for this.

Essentially, I want the Actions box in ITSI to say "Create an Incident" and fire off my script:

createIncident.ps1 $result.subject$ $result.body$

But, I can't figure it out.

Can anyone assist please? We are using ITSI version 3.14. Thanks in advance.

Here is what I have so far, but I don't know where to put it:

import logging
import subprocess
import sys

# Assumed: the ITSI Event Management SDK classes the action builds on.
# Adjust the import path if the SDK lives elsewhere in your ITSI version.
from itsi_event_management_sdk.custom_event_action_base import CustomEventActionBase
from itsi_event_management_sdk.eventing import Event


class CreateIncident(CustomEventActionBase):
    def __init__(self, settings):
        # The base class expects a logger; a stdlib logger is used here.
        self.logger = logging.getLogger('itsi.custom_action.create_incident')
        # initialize CustomEventActionBase (was "CreateRemedyIncident",
        # a class that does not exist in this module)
        super(CreateIncident, self).__init__(settings, self.logger)

    def run_script(self, event_subject, event_body):
        powershell_path = r'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe'
        powershell_cmd = r'C:\createIncident.ps1'

        # -File passes subject and body to the script as literal positional
        # arguments. Without it PowerShell treats the first argument as a
        # -Command string, so event text containing quotes, ';' or '$' would
        # be parsed as PowerShell code rather than as data.
        p = subprocess.Popen(
            [powershell_path, '-NoProfile', '-NonInteractive',
             '-ExecutionPolicy', 'Unrestricted',
             '-File', powershell_cmd, event_subject, event_body],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output, error = p.communicate()
        rc = p.returncode
        self.logger.info('createIncident.ps1 returned %s; stdout: %s; stderr: %s',
                         rc, output, error)
        # execute() expects the script's output back
        return output, error

    def execute(self):
        # ITSI hands the action one or more notable events; handle each in turn.
        # (The original read data.get(...) before the loop that defines data.)
        for data in self.get_event():
            event_id = data.get('event_id')
            event_subject = data.get('subject')
            event_body = data.get('body')

            std_out, std_err = self.run_script(event_subject, event_body)

            # Record the outcome on the ITSI notable: a comment with the
            # script output and a tag so analysts can see an incident exists.
            # Other updates (state changes and so on) would go here too.
            event = Event(self.get_session_key(), self.logger)
            event.create_comment(event_id, 'Incident script output: %s' % std_out)
            if std_err:
                event.create_comment(event_id, 'Incident script errors: %s' % std_err)
            event.create_tag(event_id, 'Created Remedy Incident')


if __name__ == '__main__':
    # ITSI runs the script as "<action>.py --execute" with the JSON payload on stdin
    if len(sys.argv) > 1 and sys.argv[1] == '--execute':
        input_params = sys.stdin.read()
        create_incident = CreateIncident(input_params)
        create_incident.execute()
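The wiring the post asks about (where the script goes and how the action gets its "Create an Incident" label), as an added example that is not part of the original post or of Splunk's own documentation; the app name, the stanza name and the is_custom key are assumptions to check against the ITSI custom action documentation for your version.

```ini
# Added example. Layout of a small Splunk app carrying the custom action
# (the app name is an assumption):
#
#   $SPLUNK_HOME/etc/apps/create_incident_app/
#       bin/create_incident.py        <- the CreateIncident script from the post
#       default/alert_actions.conf    <- this file
#
# Splunk runs bin/<stanza>.py --execute with the event payload as JSON on
# stdin, so the script file name must match the stanza name below.

[create_incident]
# Text shown in the ITSI Actions menu instead of "Send an Email"
label = Create an Incident
description = Runs createIncident.ps1 with the notable event's subject and body
# Marks the action as an ITSI custom action so it is offered on notable
# events (assumed key; verify against the ITSI docs for your 3.x release)
is_custom = 1
# Deliver the event fields to stdin as JSON, which CustomEventActionBase parses
payload_format = json
disabled = 0
```

The .ps1 runs under the account that runs splunkd, so keep the script in a path that only administrators can write to; anyone who can edit it runs code as that account each time an analyst clicks the action.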