I had this question some time ago too, found no really good answer, and eventually figured it out. I used the Splunk Add-On Builder to create a new app for Splunk. Then, with a very small script, I made posteifmsg available as an alert option from within Splunk. Very easy to do and effective.
Below is my code, in case it helps you or anyone else trying to do this.
# encoding = utf-8
import os
import sys
import time
import datetime
import subprocess
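def process_event(helper, *args, **kwargs):
    """
    # OMNIbus Splunk Integration
    # Version 1.0
    # Author Larry Roberts
    # ENV SIT
    # Dependency: posteifmsg
    # Location: /lcl/sit/apps/splunk/default/etc/apps/TA-OMNIbus/bin/posteifmsg
    #
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.
    [sample_code_macro:start]
    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))
    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))
    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))
    event_summary = helper.get_param("event_summary")
    helper.log_info("event_summary={}".format(event_summary))
    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")
    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))
    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]

    Forward a triggered Splunk alert to OMNIbus through posteifmsg.

    Args:
        helper: Add-on Builder alert helper; supplies get_param(), the
            log_* methods, addevent() and writeevents().

    Returns:
        int: posteifmsg's exit status (0 on success), or 1 when the
        binary could not be started at all.
    """
    helper.log_info("omnibus_event: Alert action OMNIbus started.")

    # Alert parameters come from the alert configuration and, through
    # Splunk token substitution, possibly from search results: treat them
    # as untrusted text. Quote characters are removed because they break
    # the posteifmsg key=value syntax; a missing parameter becomes "".
    summary_fix = _strip_quotes(_param_text(helper, "event_summary"))
    category_fix = _strip_quotes(_param_text(helper, "easyvista_category_id"))
    impact = _param_text(helper, "gfs_impact")
    urgency = _param_text(helper, "gfs_urgency")

    # Fire the posteifmsg command without a shell. Each list element reaches
    # posteifmsg as exactly one argv entry, so shell metacharacters in a
    # parameter value are plain data. The previous os.system() call built a
    # /bin/sh command line by string formatting, and GFS_Impact / GFS_Urgency
    # were interpolated into it unquoted.
    cmd = _build_posteifmsg_cmd(summary_fix, category_fix, impact, urgency)
    try:
        return_code = subprocess.call(cmd)
    except OSError as err:
        # Binary missing or not executable; os.system() used to hide this.
        helper.log_error("omnibus_event: failed to run posteifmsg: {}".format(err))
        return_code = 1
    if return_code != 0:
        helper.log_error("omnibus_event: posteifmsg exited with {}".format(return_code))

    # Log the fire event to Splunk
    helper.addevent("omnibus_alert:"+summary_fix+" GFS_Impact:"+impact+" GFS_Urgency:"+urgency+" Category:"+category_fix, sourcetype="omnibus_alert")
    helper.writeevents(index="main", host="localhost", source="localhost")
    return return_code


# Installed location of the EIF sender and its configuration (from the
# original hard-coded command line).
_POSTEIFMSG_BIN = "/lcl/sit/apps/splunk/default/etc/apps/TA-OMNIbus/bin/posteifmsg"
_POSTEIFMSG_CONFIG = "/lcl/sit/apps/splunk/default/etc/apps/TA-OMNIbus/bin/config.ini"


def _param_text(helper, name):
    """Return alert parameter *name* as text, or "" when it is unset (None)."""
    value = helper.get_param(name)
    return "" if value is None else value


def _strip_quotes(text):
    """Remove the single and double quotes that break the posteifmsg syntax."""
    return text.replace('"', '').replace("'", '')


def _build_posteifmsg_cmd(summary, category, impact, urgency):
    """Return the posteifmsg argv list for one alert.

    Argument order mirrors the original command line: config file, message,
    the three GFS_* slots, the fixed Node slot, then the class and source
    positionals ("Generic", "Splunk"). No quoting is applied; the list is
    meant for subprocess with shell=False.
    """
    return [
        _POSTEIFMSG_BIN,
        "-f", _POSTEIFMSG_CONFIG,
        "-m", summary,
        "GFS_Impact=" + impact,
        "GFS_Urgency=" + urgency,
        "GFS_Category=" + category,
        "Node=Splunk",
        "Generic",
        "Splunk",
    ]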