Alerting

Trouble with Custom Alert Action

Rickntulsa
Engager

I have created a custom alert action loosely based on the Webhooks example. I have created all the configuration files based on my best understanding of the process outlined in the docs. The action will send notifications to an event management tool to integrate with our blackout and group management tools. I am getting a handful of errors when splunk is restarted as reported by the log file.

The alert action set up requires a number of inputs. The first error I am seeing is causing setup to error out. The log is showing this error:
04-20-2018 13:11:24.491 -0400 ERROR SetupAdminHandler - Error while fetching url=/servicesNS/nobody/alert_customintegration/admin/alert_actions/_new/?_strict=true;search=%20eai%3Aacl.app%3D%22%22%20OR%20eai%3Aacl.app%3D%22alert_customintegration%22

I logged onto the web service using a browser and noticed that I don't see alert_customintegration under that location. So I suspect I have missed some fundamental step or configuration to make this work properly. If I am understanding this correctly, it may not have created the web service endpoint. Hopefully someone has some inkling as to what might be causing this error and can pass it along.

My setup.xml file looks like this:

<setup>
    <block title="Custom Integration Alerts">
        <text>Configure Custom Integration Notifications</text>
    </block>
    <block title="Destination Setup" endpoint="admin/alert_actions" entity="_new">
        <input field="action.customintegration.param.hostname">
            <label>Host Name</label>
            <type>text</type>
        </input>
        <input field="action.customintegration.param.location">
            <label>Location</label>
            <type>text</type>
        </input>
        <input field="action.customintegration.param.realm">
            <label>Realm</label>
            <type>text</type>
        </input>
    </block>
    <block title="Configure Access Credential" endpoint="storage/passwords" entity="_new">
        <input field="username">
            <label>Username</label>
            <type>text</type>
        </input>
        <input field="password">
            <label>Password</label>
            <type>password</type>
        </input>
    </block>
</setup>

Thanks in advance

0 Karma
1 Solution

Rickntulsa
Engager

I identified the issue. I changed the entity from "_new" to "customintegration". I updated the app.conf to set is_configured = 0. This seems to have fixed all of the issues.

the only bone I have to pick now is that the titles for the fields specified in the app/default/data/ui/alerts/customintegration.html have to be very short, otherwise they wrap.

View solution in original post

0 Karma

Rickntulsa
Engager

I identified the issue. I changed the entity from "_new" to "customintegration". I updated the app.conf to set is_configured = 0. This seems to have fixed all of the issues.

the only bone I have to pick now is that the titles for the fields specified in the app/default/data/ui/alerts/customintegration.html have to be very short, otherwise they wrap.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...