Splunk IT Service Intelligence

Splunk IT Service Intelligence 3.14: could you help me with custom actions?

Path Finder

Having trouble understanding the IT Service Intelligence (ITSI) custom actions documentation.

All I want to do is send an email from ITSI with the fields $result.subject$ and $result.body$ and the email address pre-filled out. In other words, we just want the analyst to be able to click on the action, and then, it would send the email to the right people with the right event information without them having to input the addresses or tokens. We also wanted to name it something meaningful other than "Send an Email". I wrote a simple Powershell Script to send the email, but I'm having a lot of trouble understanding how to create the custom action for this.

Essentially, I want the Actions box in ITSI to say "Create an Incident" and fire off my script:

createIncident.ps1 $result.subject$ $result.body$

But, I can't figure it out.

Can anyone assist please? We are using ITSI version 3.14. Thanks in advance.

Here is what I have so far, but I don't know where to put it:

import sys, subprocess

class CreateIncident(CustomEventActionBase):
    def __init__(self, settings):
        # initialize CustomEventActionBase
        super(CreateRemedyIncident, self).__init__(settings, self.logger)

    def run_script(self, event_subject, event_body):
        powerShellPath = r'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe'
        powerShellCmd = "C:\createIncident.ps1"

        p = subprocess.Popen([powerShellPath, '-ExecutionPolicy', 'Unrestricted', powerShellCmd, event_subject, event_body]
                             , stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output, error = p.communicate()
        rc = p.returncode
        print "Return code given to Python script is: " + str(rc)
        print "\n\nstdout:\n\n" + str(output)
        print "\n\nstderr: " + str(error)

    def execute(self):
        # has all the logic of ping in here...
        event_subject = data.get('subject')
        event_body = data.get('body')

        std_out, std_err = self.run_script(event_subject, event_body)

        # do other stuff here, like add a comment to an ITSI Notable
        # or add a few tags, and so on....
        # change the state of the notable....
        for data in self.get_event():
            event_id = data.get('event_id')

            event = Event(self.get_session_key(), self.logger)
            event.create_comment(event_id, comment)
            event.create_comment(event_id, out)
            event.create_tag(event_id, 'Created Remedy Incident')

if __name__ == '__main__':
    if len(sys.argv) > 1 and sys.argv[1] == '--execute':
        input_params = sys.stdin.read()
        createIncident = CreateIncident(input_params)
0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...