Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Custom Alert Action Arguments
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wrote a Python 3.7.3 script to interact with our paging system's web api. It takes three parameters from the alert's html UI: To, From, and Message. Inspecting the Job for the alert, I can see that the correct values are assigned to these parameters, however, we never receive a page. I believe that perhaps I am not reading them into the script correctly using sys.stdin.read() and parsing out the values. Any guidance would be appreciated.
Script: (constants declarations not included)
if __name__ == "__main__":
try:
# Get Arguments
payload = json.loads(sys.stdin.read())
payload = payload['configuration']
_to = payload['to']
_from = payload['from']
_message = payload['message']
# Start a request session
session = requests.Session()
# Get Access Token
auth = '%s:%s' % (CONSUMER_KEY, CONSUMER_SECRET)
encodedCred = str(base64.b64encode(bytes(auth, 'ascii')))[2:-1]
header = {'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Bearer ' + encodedCred}
body = "grant_type=client_credentials"
request = requests.Request('POST', TOKEN_URL, data=body, headers=header)
prepped = request.prepare()
response = session.send(prepped, verify=False)
if response.status_code != 200:
sys.exit(1)
prettyJSON = json.loads(response.text)
token = prettyJSON['access_token']
# Send Page
query_parameters = {'To': _to,
'From': _from,
'Message': _message
}
header = {"Authorization": "Bearer %s" % token, "Accept": "application/json"}
request = requests.Request('POST', PAGE_URL, data=query_parameters, headers=header)
prepped = request.prepare()
response = session.send(prepped, verify=False)
if response.status_code != 200:
sys.exit(1)
except Exception as ex:
sys.exit(1)
alert_actions.conf:
[ui]
is_visible = 1
label = Send a Page
[launcher]
author = sochsenbein
description = Send a page using the web api
version = 1.0
[install]
state = enabled
is_configured = 1
HTML:
<form class="form-horizontal form-complex">
<div class="control-group">
<label class="control-label" for="send_a_page_from">From </label>
<div class="controls">
<textarea name="action.send_a_page.param.from" id="send_a_page_from" placeholder="// your username here"></textarea>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send_a_page_to">To </label>
<div class="controls">
<textarea name="action.send_a_page.param.to" id="send_a_page_to" placeholder="// comma separate usernames"></textarea>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send_a_page_message">Message </label>
<div class="controls">
<textarea name="action.send_a_page.param.message" id="send_a_page_message" placeholder="// remember to keep the message short..."></textarea>
</div>
</div>
</form>
Documentation/References:
https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/CustomAlertConvertScripted
https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/ModAlertsCreate
https://answers.splunk.com/answers/442603/how-do-i-get-the-8-standard-alert-action-script-pa-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found that Splunk has its own symlink that points to Python 2.7, so after changing the code to work with Python 2.7, the scripts works fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found that Splunk has its own symlink that points to Python 2.7, so after changing the code to work with Python 2.7, the scripts works fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I just worked on a script that takes arguments. Here are the bits you need I believe:
payload = json.loads(sys.stdin.read())
config = payload['configuration']
_to = config.get('to')
_from = config.get('from')
_message = config.get('message')
Make sure you're importing the right Splunk libraries as well (not sure you need all these)
import sys, os
import splunk
import json
from urllib import urlencode
import urllib2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jnudell_2 the script works when ran from the command line. The imports I use are sys, requests, json, and base64 (Python 3.7.3). I compared that to another script we have that does work and it's only using sys, json, and urllib2. I am using those functions you listed, as well, minus the "get", I believe that's just Python 2. In 3 you can do var[key]. Do you know if Splunk logs errors for failed scripts? I looked through splunkd_stderr.log and splunkd_stdout.log but nothing referencing the script.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
