I'm new to writing apps for Splunk, so I'm trying something simple. A raw payload dump. I have the alert set to log the event and fire off my custom action when CPU usage >20%, and only once every 15 minutes. So I have a reliable trigger source. However, it never seems to launch my action and I can't for the life of me figure out why. I'm trying to get the code to write a line to one file when it launches, write debug to another, and write both json and raw to separate files so I can decide on parsing later. Any thoughts on what I'm doing wrong here? I'm not even getting the line in the file to let me know it tried to run.
alert_actions.conf:
[NCPAServiceAlert]
is_custom = 1
label = NCPA Service Alert
description = Test Alert for NCPA Listener Service
icon_path = awesomesauce.PNG
payload_format = json
python.version = python3
NCPAServiceAlert.py:
import json
import sys
import logging
import time
import datetime

# Note: the original file had several SyntaxErrors (unquoted "\n", a missing comma,
# "def send_alert" without parentheses/colon, an "except" with no "try"). Python refuses
# to compile the whole file in that case, so nothing below ever ran, which is why the
# marker file was never written.

ts = time.time()
sttime = datetime.datetime.fromtimestamp(ts).strftime('%Y%m%d_%H:%M:%S - ')

# Marker file: append so earlier runs are not wiped out, and quote the newline.
didirun = "C:/Users/Public/debug/Did_I_Run.txt"
with open(didirun, "a") as d:
    d.write(sttime + " I ran. Can't say much about the rest though." + "\n")

# Missing comma between filemode and encoding was a SyntaxError; the encoding argument
# also needs Python 3.9+, so it is dropped here to stay compatible with older bundled Pythons.
logging.basicConfig(filename='C:/Users/Public/debug/debug.txt', filemode='a', level=logging.DEBUG)


class NCPAServiceAlert:
    def __init__(self):
        logging.debug("NCPAServiceAlert initialised")  # logging.debug() requires a message
        self.params = [
            # "configuration"
            # "text"
        ]

    def send_alert(self):
        logging.debug("send_alert called")
        # stdin can only be read once: the second sys.stdin.read() in the original
        # returned an empty string, so the raw dump would always have been empty.
        raw = sys.stdin.read()
        fileraw = "C:/Users/Public/debug/generic_dump.txt"
        with open(fileraw, "w+") as g:
            g.write(raw)
        payload = json.loads(raw)
        filejson = "C:/Users/Public/debug/alertdump.txt"
        with open(filejson, "w+") as f:
            # f.write(dict) is a TypeError; serialise the parsed payload instead
            json.dump(payload, f, indent=2)
        return True


if __name__ == "__main__":
    logging.debug("script started with argv=%s", sys.argv)
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL EXCEPTION (expected --execute flag)\n")
        sys.exit(1)
    try:
        if not NCPAServiceAlert().send_alert():
            sys.exit(2)
    except Exception as e:
        sys.stderr.write("ERROR - Unexpected error %s\n" % e)
        sys.exit(3)
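A way to exercise the payload-handling part of such a script outside Splunk, as an added example (not the poster's code and not Splunk's): the payload text is read once by the caller, the marker is written before anything that can fail, the raw dump is written before parsing, and the fields an action would act on are returned. The sample payload is constructed; its top-level key names (sid, search_name, configuration, result) follow the payload Splunk pipes to a custom alert action on stdin, and the output directory is a temporary one.

```python
import json
import os
import tempfile
from datetime import datetime


def handle_alert(stdin_text, out_dir):
    """Dump one Splunk alert payload (the text piped to stdin, read exactly once
    by the caller) into out_dir and return a summary for logging or testing."""
    os.makedirs(out_dir, exist_ok=True)
    # Marker first, in append mode: every attempt leaves a trace, even if parsing fails.
    stamp = datetime.now().strftime("%Y%m%d_%H:%M:%S")
    with open(os.path.join(out_dir, "Did_I_Run.txt"), "a", encoding="utf-8") as marker:
        marker.write("%s - I ran.\n" % stamp)
    # Raw dump before parsing, so a malformed payload can still be inspected.
    with open(os.path.join(out_dir, "generic_dump.txt"), "w", encoding="utf-8") as raw:
        raw.write(stdin_text)
    try:
        payload = json.loads(stdin_text)
    except ValueError as exc:
        return {"ok": False, "error": "payload is not JSON: %s" % exc,
                "files": sorted(os.listdir(out_dir))}
    with open(os.path.join(out_dir, "alertdump.txt"), "w", encoding="utf-8") as pretty:
        json.dump(payload, pretty, indent=2, sort_keys=True)
    # The fields an alert action normally acts on.
    return {
        "ok": True,
        "sid": payload.get("sid"),
        "search_name": payload.get("search_name"),
        "configuration": payload.get("configuration", {}),
        "result": payload.get("result", {}),
        "files": sorted(os.listdir(out_dir)),
    }


# Constructed sample payload with the top-level keys Splunk sends on stdin
# (sid, search_name, configuration, result); all values are made up.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__constructed_1",
    "search_name": "NCPA CPU over 20 percent",
    "configuration": {"text": "CPU usage high"},
    "result": {"host": "ncpa-host-01", "cpu_pct": "23.5"},
})


def demo(stdin_text=SAMPLE_PAYLOAD):
    """Run handle_alert against a payload in a throwaway directory."""
    return handle_alert(stdin_text, tempfile.mkdtemp(prefix="ncpa_alert_"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it as `python NCPAServiceAlert.py --execute < payload.json` style input is what Splunk does; here the same logic is driven from `demo()` so it can be checked without a Splunk instance.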