Alerting

How can I get some additional alert details into my custom alert?

paimonsoror
Builder

Hi Folks;

I was wondering how to add some of the details that a user has put in for defining an Alert into the payload that gets sent to my custom alert. For example:


Here is a sample alert that I am using. I have a custom app on my search head, and within the local folder there is an alert_actions.conf defined like so:

[spectrum_alert]
disabled=0
payload_format=json
is_custom=1
icon_path=alerticon.png
label=Enterprise Alert
description=Dispatch Alerts to Command Center For Escalation

Within my app, there is a bin directory with a Python script called 'spectrum_alert.py'. It looks like when the alert is triggered, two things are passed in: one being the '--execute' command, and the second being the JSON payload. There are, however, a few things missing that I would like to have, like the 'description' and the 'event count', for example. How would one add that?

I know that with the out of the box command you can add things like $counttype$ $relation$ $quantity$, but is that still possible here with a custom alert? If so, could someone guide me? Thanks!


pgreer_splunk
Splunk Employee

I'm not fully understanding your question - however, what can be done is simply to pass such data within your search results (which are passed into the Python script within the JSON payload). Thus anything that can be calculated and captured within a field in your search can be parsed out of the JSON payload and used within your Python script.

For instance, for a custom e-mail notification alert as an example, you can have the search populate some fields named 'replyTo', 'recipient', 'subject', 'numberOfEvents' - then within the Python script parse the JSON payload for those specific fields and perform actions upon them.

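As an added example (not code from this thread, from the poster's app, or from Splunk), here is how a script like spectrum_alert.py can read that payload and act on fields the search populated, with the checks a practitioner would want before those values reach a mail header or a ticketing API. The top-level key names (search_name, sid, results_file, result, configuration, session_key) follow the JSON payload Splunk sends to a custom alert action; the sample payload, the field names recipient/subject/numberOfEvents, and the results file are constructed for the demo.

```python
"""Custom alert action script in the style of bin/spectrum_alert.py.  Splunk runs
it as 'script --execute' with a JSON payload on stdin; the script pulls the fields
the search populated out of the first result row.  Sample data is constructed."""
import csv
import gzip
import io
import json
import re
import sys

# Fields the answer suggests the search should populate (eval/stats) for the script.
REQUIRED_FIELDS = ("recipient", "subject", "numberOfEvents")
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed stand-in for the payload Splunk sends (values are invented).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Failed logins spike",
    "sid": "scheduler__admin__spectrum_app__RMD5deadbeef_at_1700000000_17",
    "app": "spectrum_app",
    "owner": "admin",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/demo/results.csv.gz",
    "results_link": "https://sh1.example.com/app/spectrum_app/@go?sid=demo",
    "server_host": "sh1.example.com",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "constructed-session-key-never-log-this",
    "configuration": {},
    "result": {"recipient": "soc@example.com", "replyTo": "noreply@example.com",
               "subject": "Failed logins spike", "numberOfEvents": "42", "user": "jdoe"},
})

def payload_with_subject(subject):
    """SAMPLE_PAYLOAD with a different subject, used to show a rejected value."""
    payload = json.loads(SAMPLE_PAYLOAD)
    payload["result"]["subject"] = subject
    return json.dumps(payload)

def parse_payload(raw):
    """Decode the payload and check the keys the script relies on are present."""
    payload = json.loads(raw)
    missing = [k for k in ("search_name", "sid", "result") if k not in payload]
    if missing:
        raise ValueError("payload missing keys: %s" % ", ".join(missing))
    return payload

def extract_fields(result_row, required=REQUIRED_FIELDS):
    """Read search-populated fields from the first result row.  They come from event
    data, so they are untrusted: no CR/LF anywhere, recipient must be one address."""
    missing = [f for f in required if not str(result_row.get(f, "")).strip()]
    if missing:
        raise ValueError("search did not populate: %s" % ", ".join(missing))
    fields = {}
    for name in required:
        value = str(result_row[name])
        if "\r" in value or "\n" in value:
            raise ValueError("field %r contains a line break" % name)
        fields[name] = value
    if not _ADDR_RE.match(fields["recipient"]):
        raise ValueError("recipient is not a single address: %r" % fields["recipient"])
    fields["numberOfEvents"] = int(fields["numberOfEvents"])
    return fields

def count_results(results_file):
    """Count rows in the gzipped CSV results_file names (a path or open binary file)."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return sum(1 for _ in csv.DictReader(fh))

def build_message(payload):
    """Assemble what goes to the downstream system; session_key is left out."""
    fields = extract_fields(payload["result"])
    return {"title": payload["search_name"], "sid": payload["sid"],
            "recipient": fields["recipient"], "subject": fields["subject"],
            "event_count": fields["numberOfEvents"],
            "results_link": payload.get("results_link", "")}

def try_build(raw):
    """(message, None) on success, (None, reason) when the payload is rejected."""
    try:
        return build_message(parse_payload(raw)), None
    except (ValueError, KeyError) as exc:
        return None, str(exc)

def sample_results_fileobj():
    """Constructed three-row results.csv.gz like the one results_file names."""
    text = ("_time,user,src\n1700000000,jdoe,10.0.0.5\n"
            "1700000001,jdoe,10.0.0.5\n1700000002,asmith,10.0.0.9\n")
    return io.BytesIO(gzip.compress(text.encode("utf-8")))

def main(argv):
    raw = sys.stdin.read() if "--execute" in argv else SAMPLE_PAYLOAD
    message, reason = try_build(raw)
    if message is None:
        sys.stderr.write("ERROR rejected payload: %s\n" % reason)  # ends up in splunkd.log
        return 2
    sys.stderr.write("INFO dispatching %s\n" % json.dumps(message))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it processes the constructed payload; under Splunk it is invoked as `python spectrum_alert.py --execute` with the real payload on stdin. Two points the thread does not spell out: the payload also carries a session_key for the search head, so never log or forward the payload wholesale, and values the search derives from event data are attacker-influenced, which is why line breaks and anything that is not a plain address are rejected rather than passed through to a mail header. Parameters declared as param.<name> in alert_actions.conf and filled in by the user when they configure the action arrive in the payload's configuration dictionary, which is a way to carry a per-alert description or type without putting it into the search itself.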

paimonsoror
Builder

Thanks for the response.

What I am ideally trying to do is this:

  1. User creates an alert
  2. User decides "I want this alert to go to the enterprise command center"
  3. User uses my custom alert action called 'spectrum_alert'
  4. Our best practice is to have the user pick a meaningful title for the alert, and a description

The JSON payload is great, and it includes the title, but it doesn't include the alert description. Ideally I would like to also send in the alert type.

Those two additional things from #4 are what I am looking to add to my payload.
