Splunk IT Service Intelligence

Splunk IT Service Intelligence 3.14: could you help me with custom actions?

Path Finder

Having trouble understanding the IT Service Intelligence (ITSI) custom actions documentation.

All I want to do is send an email from ITSI with the fields $result.subject$ and $result.body$ and the email address pre-filled out. In other words, we just want the analyst to be able to click on the action, and then, it would send the email to the right people with the right event information without them having to input the addresses or tokens. We also wanted to name it something meaningful other than "Send an Email". I wrote a simple Powershell Script to send the email, but I'm having a lot of trouble understanding how to create the custom action for this.

Essentially, I want the Actions box in ITSI to say "Create an Incident" and fire off my script:

createIncident.ps1 $result.subject$ $result.body$

But, I can't figure it out.

Can anyone assist please? We are using ITSI version 3.14. Thanks in advance.

Here is what I have so far, but I don't know where to put it:

import sys, subprocess

class CreateIncident(CustomEventActionBase):
    def __init__(self, settings):
        # initialize CustomEventActionBase
        super(CreateRemedyIncident, self).__init__(settings, self.logger)

    def run_script(self, event_subject, event_body):
        powerShellPath = r'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe'
        powerShellCmd = "C:\createIncident.ps1"

        p = subprocess.Popen([powerShellPath, '-ExecutionPolicy', 'Unrestricted', powerShellCmd, event_subject, event_body]
                             , stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output, error = p.communicate()
        rc = p.returncode
        print "Return code given to Python script is: " + str(rc)
        print "\n\nstdout:\n\n" + str(output)
        print "\n\nstderr: " + str(error)

    def execute(self):
        # has all the logic of ping in here...
        event_subject = data.get('subject')
        event_body = data.get('body')

        std_out, std_err = self.run_script(event_subject, event_body)

        # do other stuff here, like add a comment to an ITSI Notable
        # or add a few tags, and so on....
        # change the state of the notable....
        for data in self.get_event():
            event_id = data.get('event_id')

            event = Event(self.get_session_key(), self.logger)
            event.create_comment(event_id, comment)
            event.create_comment(event_id, out)
            event.create_tag(event_id, 'Created Remedy Incident')

if __name__ == '__main__':
    if len(sys.argv) > 1 and sys.argv[1] == '--execute':
        input_params = sys.stdin.read()
        createIncident = CreateIncident(input_params)
0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...