Splunk IT Service Intelligence 3.14: could you help me with custom actions?

Justinboucher0
Path Finder

Having trouble understanding the IT Service Intelligence (ITSI) custom actions documentation.

All I want to do is send an email from ITSI with the fields $result.subject$ and $result.body$ and the email address pre-filled out. In other words, we just want the analyst to be able to click on the action, and then it would send the email to the right people with the right event information without them having to input the addresses or tokens. We also wanted to name it something meaningful other than "Send an Email". I wrote a simple PowerShell script to send the email, but I'm having a lot of trouble understanding how to create the custom action for this.

Essentially, I want the Actions box in ITSI to say "Create an Incident" and fire off my script:

createIncident.ps1 $result.subject$ $result.body$

But, I can't figure it out.

Can anyone assist please? We are using ITSI version 3.14. Thanks in advance.

Here is what I have so far, but I don't know where to put it:

from __future__ import print_function
import sys
import subprocess

# ITSI custom action SDK classes used below (module paths as in the ITSI SDK docs)
from itsi.event_management.sdk.custom_event_action_base import CustomEventActionBase
from itsi.event_management.sdk.eventing import Event


class CreateIncident(CustomEventActionBase):
    def __init__(self, settings):
        # initialize CustomEventActionBase (the class named here must be this class)
        super(CreateIncident, self).__init__(settings, self.logger)

    def run_script(self, event_subject, event_body):
        powerShellPath = r'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe'
        powerShellCmd = r'C:\createIncident.ps1'

        # -File hands subject and body to the script as positional parameters,
        # so event text is never parsed as PowerShell code; -NoProfile and
        # -NonInteractive keep the run deterministic under splunkd
        p = subprocess.Popen([powerShellPath, '-NoProfile', '-NonInteractive',
                              '-ExecutionPolicy', 'Unrestricted',
                              '-File', powerShellCmd, event_subject, event_body],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output, error = p.communicate()
        rc = p.returncode
        print("Return code given to Python script is: " + str(rc))
        print("\n\nstdout:\n\n" + str(output))
        print("\n\nstderr: " + str(error))
        return rc, output, error

    def execute(self):
        # one notable event per iteration; subject and body come from the event payload
        for data in self.get_event():
            event_id = data.get('event_id')
            event_subject = data.get('subject', '')
            event_body = data.get('body', '')

            rc, std_out, std_err = self.run_script(event_subject, event_body)

            # record the outcome on the ITSI notable: comment with the script output,
            # tag it only when the script succeeded
            event = Event(self.get_session_key(), self.logger)
            if rc == 0:
                event.create_comment(event_id, 'Incident created: ' + str(std_out))
                event.create_tag(event_id, 'Created Remedy Incident')
            else:
                event.create_comment(event_id, 'Incident creation failed (rc=%s): %s' % (rc, std_err))
        return


if __name__ == '__main__':
    if len(sys.argv) > 1 and sys.argv[1] == '--execute':
        input_params = sys.stdin.read()
        createIncident = CreateIncident(input_params)
        createIncident.execute()
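An added example, not code from the post or from ITSI: a stand-alone helper that builds the powershell.exe call the poster wants. Notable-event text is attacker-influenced (it is whatever raised the alert), so the helper strips control characters and line breaks, neutralises double quotes that powershell.exe's command-line parser mishandles, caps the length, and uses -File so subject and body are script parameters rather than code. The paths and the 4000-character cap are assumptions.

```python
from __future__ import print_function
import re
import subprocess

# Assumed paths (same as in the post) and an assumed per-field length cap
POWERSHELL = r'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe'
SCRIPT = r'C:\createIncident.ps1'
MAX_FIELD_LEN = 4000  # keeps the whole command line well under the Windows ~32K limit

_CONTROL = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')


def sanitize_field(value, max_len=MAX_FIELD_LEN):
    """Make one notable-event field safe to pass as a single argv element."""
    text = '' if value is None else str(value)
    text = _CONTROL.sub('', text)                 # drop control characters
    text = re.sub(r'[\r\n]+', ' ', text)          # powershell.exe mis-parses line breaks in argv
    text = text.replace('"', "'")                 # its command-line quoting of " is unreliable
    return text[:max_len]


def build_argv(subject, body, powershell=POWERSHELL, script=SCRIPT):
    """argv for createIncident.ps1; with -File the two fields are positional
    parameters of the script and are never interpreted as PowerShell code."""
    return [powershell,
            '-NoProfile', '-NonInteractive',
            # the post's setting; a signed script run under AllSigned is the stricter choice
            '-ExecutionPolicy', 'Unrestricted',
            '-File', script,
            sanitize_field(subject), sanitize_field(body)]


def create_incident(subject, body):
    """Run the script and return (rc, stdout, stderr) for the action's log or comment."""
    p = subprocess.Popen(build_argv(subject, body),
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    return p.returncode, out.decode('utf-8', 'replace'), err.decode('utf-8', 'replace')


if __name__ == '__main__':
    # constructed sample event: body carries a line break and something shell-like
    print(build_argv('Disk full on web01', 'host=web01\r\nmsg="90% used"; Stop-Computer'))
```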