
Why can't I use tokens ($result.host$) in my custom alert

micheldejong
Explorer

The custom alert is built with the "Splunk Add-On Builder". The alert calls a custom command which sends a message to the central event management. I want to use the $result.host$ token in order to create alerts for every host in the result.

savedsearches.conf

[send2cemtest]
action.send2cem = 1
action.send2cem.param.client = testclient
action.send2cem.param.msg = testmsg
action.send2cem.param.sender = $result.host$
action.send2cem.param.workid = testworkid
alert.digest_mode = 0
alert.expires = 24m
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
enableSched = 1
quantity = 0
relation = greater than
search = index=_internal | head 2

alert_actions.conf

[send2cem]
description = Splunk CEM integration
label = CEM integration
payload_format = json
is_custom = 1
icon_path = alert_send2cem.png
param.workid =
param.sender =
param.client =
param.msg =
param.severity = warning

command = send2cem $action.send2cem.param.severity$ $action.send2cem.param.client$ $action.send2cem.param.sender$ $action.send2cem.param.workid$ $action.send2cem.param.msg$

html

<form class="form-horizontal form-complex">
<div class="control-group">
        <label class="control-label">Severity</label>
                <div class="controls">
                                <label class="radio" for="send2cem_severity_warning">
                                        <input type="radio" name="action.send2cem.param.severity" id="send2cem_severity_warning" value="warning"/>
                                        Warning
                                </label>
                                <label class="radio" for="send2cem_severity_critical">
                                        <input type="radio" name="action.send2cem.param.severity" id="send2cem_severity_critical" value="critical!"/>
                                        Critical
                                </label>
                </div>
</div>
<div class="control-group">
        <label class="control-label" for="send2cem_client">Client <span class="required">*</span> </label>
    <div class="controls">
        <input type="text" pattern="[a-zA-Z0-9]{3,15}" placeholder="3-15 characters" name="action.send2cem.param.client" id="send2cem_client"/>
                <span class="help-block">
                    Alphanumeric
                </span>
    </div>
</div>
<div class="control-group">
        <label class="control-label" for="send2cem_sender">Sender/host <span class="required">*</span> </label>
    <div class="controls">
        <input type="text" pattern=".{5,25}" placeholder="5-25 characters" name="action.send2cem.param.sender" id="send2cem_sender"/>
    </div>
</div>
<div class="control-group">
        <label class="control-label" for="send2cem_workid">Work Instruction ID <span class="required">*</span> </label>
    <div class="controls">
        <input type="text" pattern="[a-zA-Z0-9]{3,15}" placeholder="3-15 characters" name="action.send2cem.param.workid" id="send2cem_workid"/>
                <span class="help-block">
                    Alphanumeric
                </span>
    </div>
</div>
<div class="control-group">
        <label class="control-label" for="send2cem_msg">Message <span class="required">*</span> </label>
    <div class="controls">
        <textarea rows="8" pattern=".{3,100}" placeholder="3-100 characters" name="action.send2cem.param.msg" id="send2cem_msg">
        </textarea>
    </div>
</div>
</form>

Does anyone have some suggestions? I tried several things I found on Answers, but nothing worked and I'm pretty stuck at the moment.

dmarling
Builder

I believe you need to have the host field called out in your search. The search you have under send2cemtest is just this:

index=_internal | head 2

I believe you need to make it so host is a field that is visible in the results. Can you try this search instead?

index=_internal | head 2 | stats count by host

See if that will return results for you.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
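As an added illustration that is not part of the original thread, the poster's add-on or Splunk's own code, the script below shows what the action side of this has to do with a $result.host$ token: read the JSON payload that Splunk hands a custom alert action on stdin when it is run with --execute and payload_format = json (the "configuration" object carries the action params, the "result" object carries the triggering result row), expand the token from the result row, and fail loudly when the row does not contain the field instead of forwarding the literal string "$result.host$". The payload values, the hostname and the regular expressions are constructed for the example; the patterns deliberately mirror the HTML form, because the pattern attributes in the form are only checked by the browser and have to be re-applied before anything is handed to a downstream command.

```python
"""Token expansion for a Splunk custom alert action payload (added example)."""
import json
import re
import sys

# Constructed sample payload: the params from the posted savedsearches.conf
# plus one result row of the kind index=_internal produces. Not real data.
SAMPLE_PAYLOAD = {
    "search_name": "send2cemtest",
    "configuration": {
        "client": "testclient",
        "msg": "testmsg",
        "sender": "$result.host$",
        "workid": "testworkid",
        "severity": "warning",
    },
    "result": {
        "_time": "2024-10-01T12:00:00.000+02:00",
        "host": "splunk01.example.net",
        "source": "/opt/splunk/var/log/splunk/metrics.log",
    },
}

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")

# Server-side copies of the constraints the HTML form only enforces in the
# browser (assumed patterns; the sender one is tightened to hostname-like text).
ALNUM_RE = re.compile(r"^[a-zA-Z0-9]{3,15}$")
SENDER_RE = re.compile(r"^[A-Za-z0-9._-]{5,25}$")


def expand_tokens(value, result):
    """Replace each $result.<field>$ in value with that field of the result row.

    Raises KeyError naming the field when the row does not carry it, so a
    token that cannot be resolved is reported rather than sent verbatim.
    """
    def _sub(match):
        field = match.group(1)
        if field not in result:
            raise KeyError(field)
        return str(result[field])
    return TOKEN_RE.sub(_sub, value)


def build_cem_message(payload):
    """Expand and validate the action params; returns the dict to hand to CEM."""
    cfg = payload["configuration"]
    result = payload.get("result") or {}
    msg = {name: expand_tokens(val, result) for name, val in cfg.items()}
    for name in ("client", "workid"):
        if not ALNUM_RE.match(msg[name]):
            raise ValueError("%s is not 3-15 alphanumeric characters" % name)
    if not SENDER_RE.match(msg["sender"]):
        raise ValueError("sender must be a 5-25 character hostname-like value")
    return msg


def main(argv):
    if len(argv) > 1 and argv[1] == "--execute":
        payload = json.load(sys.stdin)   # what Splunk pipes in
    else:
        payload = SAMPLE_PAYLOAD         # offline demonstration
    try:
        msg = build_cem_message(payload)
    except (KeyError, ValueError) as exc:
        # stderr of a custom alert action ends up in splunkd's log
        sys.stderr.write("send2cem: %s\n" % exc)
        return 3
    json.dump(msg, sys.stdout, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it prints the expanded sample; with `--execute` it behaves like the script Splunk would invoke. If the search does not produce a host field in the result row (or alert.digest_mode is left at 1 so there is no single row to draw from), the KeyError path is what you would see in the log rather than a message whose sender is the literal token.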