
Execute binary and pass parameters with Splunk alerting actions

larryleeroberts
Path Finder

I am very new to Splunk and just attended Splunk University and Splunk .conf 2016 but left there with questions remaining that I am hoping I can get answered here.

My first question is with alerting.
We use Netcool OMNIbus as our event manager and would like to start sending alerts from Splunk to OMNIbus. While there are many options for alerting such as email and executing a script, I do not see an option for executing a binary and perhaps passing some parameters with it. One of the common ways we get events into OMNIbus is via posteifmsg which is a simple binary that you pass some parameters with.

For example, I could execute the following from another app, script, command line, etc.:
posteifmsg -f /lcl/apps/esm/posteifmsg_OMNIbus/config.ini -m "The server $host is down." GFS_Impact=5 GFS_Urgency=4 OnCallGroup=ProductionServices Generic Generic

I would like to be able to do the same thing from Splunk. It seems you would be able to call on a binary like posteifmsg and pass defined parameters from Splunk to this binary. Is this just not possible?

Thank you all for your time!!!

1 Solution

msivill_splunk
Splunk Employee

Building a custom alert action might be what's needed (http://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/ModAlertsIntro). If you can do what you need to do from Python, then it's worth considering.

A quick bit of googling around I found "nco_postmsg: A simple data insert tool for Netcool/OMNIbus ObjectServer" which looks like it can be called from python.

larryleeroberts
Path Finder

I have installed the Add-On Builder and started with that. Do you know where I could find sample code on doing such things as executing a binary like nco_postmsg and passing information to it? Thanks!


msivill_splunk
Splunk Employee

So I would try to break this down into two parts.

1) Initially focus on calling the binary from Python directly (no Splunk). I found http://stackoverflow.com/questions/2473655/how-to-make-a-call-to-an-executable-from-python-script with a quick bit of googling.

2) Then follow http://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/ModAlertsIntro to work out how to incorporate the Python (from step 1) you have written into the Modular Alerts framework.


larryleeroberts
Path Finder

OK, so there is no way to execute a binary directly then from the Add-On Builder in Splunk? Just want to make sure I am understanding correctly. I would need to create a Python script that is called by the Add-On Builder, and then that script would execute the binary?

Thank you!!!!


msivill_splunk
Splunk Employee

Given your scenario, I think wrapping it in Python is the way to go.


larryleeroberts
Path Finder

Well, I made progress in the Splunk Add-On Builder. I am now able to execute my binary and pass the parameters that I have set up. The only thing I can't seem to figure out now is how to pass the event that set off the alert in the first place. See towards the bottom where it says "SPLUNK EVENT VALUE SHOULD BE HERE". I want to capture there what triggered the alert, but I am unsure of how to call that information there.

Thank you for the assistance!!!!!

# encoding = utf-8

import os
import sys
import time
import datetime
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))

    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))

    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action OMNIbus started.")

    # TODO: Implement your alert action logic here
    # Build the command as an argument list and run it without a shell, so
    # that quotes, spaces, '$' or ';' inside a parameter or event value are
    # handed to posteifmsg literally instead of being parsed by /bin/sh
    # (os.system("... %s ...") with string interpolation would do that).
    bin_dir = "/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin"
    argv = [
        bin_dir + "/posteifmsg",
        "-f", bin_dir + "/config.ini",
        "-m", "SPLUNK EVENT VALUE SHOULD BE HERE",
        "GFS_Impact=" + helper.get_param("gfs_impact"),
        "GFS_Urgency=" + helper.get_param("gfs_urgency"),
        "ISOC_Instructions=" + helper.get_param("easyvista_category_id"),
        "Generic",
        "Generic",
    ]
    helper.log_info("running posteifmsg with args={}".format(argv[1:]))
    # subprocess.call with a list never invokes a shell; the return code is
    # the binary's exit status, which we surface instead of always reporting 0.
    rc = subprocess.call(argv)
    helper.log_info("posteifmsg exit code={}".format(rc))
    return rc

msivill_splunk
Splunk Employee

The following bit of the code (from your code) looks like it gets the event data that you might be interested in.

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

Hope this ends up on splunkbase.splunk.com 🐵


larryleeroberts
Path Finder

Thank you. Yes, I had seen that in the commented area. For some reason, though, I cannot seem to figure out how to pull that value in here:

value2="-m "+"'"+"SPLUNK EVENT VALUE SHOULD BE HERE"+"'"

I thought it would be something like....

value2="-m "+"'"+$event+"'"

But that gives me an error. Any ideas? Thanks!


msivill_splunk
Splunk Employee

So it looks like a Python thing....

I suspect you are trying to print an "array of objects" rather than a string itself. Try converting the array into a string. Not sure of the exact syntax off the top of my head.

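The pieces the thread circles around (call the binary from Python, put the triggering event into the -m text, and "convert the array into a string") fit together as below. This is an added example, not code from the thread, from Splunk, or from the Add-on Builder. It assumes, following the Add-on Builder's own generated sample, that helper.get_events() yields one dict per triggering event keyed by field name (for example "_raw" and "host"), and that posteifmsg takes the arguments shown in the original question. The binary path, config path, field name and message length limit are placeholders. The security point it demonstrates: the event text is attacker-influenced data (anything that can write a log line can shape it), so it must reach the binary as a discrete argument, never through a shell string.

```python
import shlex
import subprocess

# Added example; not the thread's code nor Splunk's. Paths and limits are
# assumptions standing in for the ones in the original post.
POSTEIFMSG = "/path/to/posteifmsg"   # assumed location of the binary
CONFIG_INI = "/path/to/config.ini"   # assumed posteifmsg config
MAX_MSG_LEN = 1024                   # assumed OMNIbus message limit


def event_message(event, field="_raw"):
    """Turn one triggering event (a dict from get_events()) into the -m text.

    get_events() hands back dicts, not strings, which is why "$event" or the
    whole list cannot be concatenated into the command; pick one field.
    """
    text = event.get(field) or "Splunk alert fired (no %s field)" % field
    # Collapse newlines/whitespace and cap the length so one oversized or
    # multi-line event cannot produce a malformed OMNIbus message.
    text = " ".join(str(text).split())
    return text[:MAX_MSG_LEN]


def build_argv(message, params):
    """Build the posteifmsg command as a list of arguments.

    With a list and no shell=True, characters such as quotes, '$', ';' or
    backticks inside the event text are delivered to posteifmsg literally.
    os.system("... %s ...") would hand the same text to /bin/sh first.
    """
    return [
        POSTEIFMSG,
        "-f", CONFIG_INI,
        "-m", message,
        "GFS_Impact=%s" % params["gfs_impact"],
        "GFS_Urgency=%s" % params["gfs_urgency"],
        "ISOC_Instructions=%s" % params["easyvista_category_id"],
        "Generic", "Generic",
    ]


def post_events(events, params, run=subprocess.call):
    """Post one OMNIbus message per triggering event; return the exit codes.

    `run` is injectable so the logic can be exercised without the binary.
    """
    codes = []
    for event in events:
        codes.append(run(build_argv(event_message(event), params)))
    return codes


def process_event(helper, *args, **kwargs):
    """Entry point in the shape the Add-on Builder generates (assumed API)."""
    params = {name: helper.get_param(name)
              for name in ("gfs_impact", "gfs_urgency", "easyvista_category_id")}
    codes = post_events(helper.get_events(), params)
    for rc in codes:
        helper.log_info("posteifmsg exit code={}".format(rc))
    # A non-zero return tells Splunk the action failed instead of hiding it.
    return 0 if all(rc == 0 for rc in codes) else 1


if __name__ == "__main__":
    # Constructed sample event whose _raw carries shell metacharacters. Via a
    # shell this would be an injection; as an argv element it is just text.
    sample_events = [{"host": "web01",
                      "_raw": "web01 is down; `touch /tmp/pwned`"}]
    sample_params = {"gfs_impact": "5", "gfs_urgency": "4",
                     "easyvista_category_id": "Server outage"}
    for ev in sample_events:
        argv = build_argv(event_message(ev), sample_params)
        print(" ".join(shlex.quote(a) for a in argv))
```

Run it stand-alone and the printed command shows the event text as one quoted argument; inside Splunk, replace the placeholders with the real paths and drop the helper into the Add-on Builder's generated module in place of the os.system call.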

larryleeroberts
Path Finder

Thanks for all the help!


rapmancz
Explorer

So what is the result? I like Splunk very much; it can surprise me every day how easily I can analyse the data. One thing I do not understand is the alert custom script setup. For e-mails, result tokens can be used; exactly the same is needed for custom scripts. I believe almost everybody would be happy to have an option to use a custom script with data from the first row, like myscript.bat $result.field1 $result.field1. What is the easiest way to achieve that?

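The legacy "run a script" alert action does not expand $result.<field> tokens, but it does give the script the search results: Splunk calls the script with eight positional arguments, and the eighth (also available as SPLUNK_ARG_8 in the environment) is the path of a gzipped CSV containing the result rows. The following added example, not from the thread or from Splunk, reads that file and passes fields from the first row to a binary as discrete arguments, which is the myscript $result.field1 $result.field2 idea without the shell. The binary path, the chosen field names and the demo() helper are assumptions; the sample results file is constructed inline.

```python
import csv
import gzip
import os
import subprocess
import sys
import tempfile

# Added example; the binary path and field names are placeholders.
BINARY = "/path/to/posteifmsg"   # assumed


def load_results(path):
    """Read Splunk's gzipped CSV results file into a list of dicts (one per row)."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def first_row_command(rows, fields, binary=BINARY):
    """Build argv from the first result row, one argument per requested field.

    Values go straight to the binary as separate arguments; a row containing
    quotes or ';' cannot alter the command because no shell parses it.
    """
    if not rows:
        return None
    row = rows[0]
    return [binary] + [row.get(f, "") for f in fields]


def main(argv=None, run=subprocess.call):
    """Script entry point in the shape Splunk's script alert action invokes."""
    argv = sys.argv if argv is None else argv
    # argv[8] is the results file; SPLUNK_ARG_8 carries the same path.
    results_path = argv[8] if len(argv) > 8 else os.environ.get("SPLUNK_ARG_8")
    if not results_path:
        sys.stderr.write("no results file passed by Splunk\n")
        return 2
    cmd = first_row_command(load_results(results_path), ["host", "_raw"])
    if cmd is None:
        return 0  # alert fired on zero rows; nothing to post
    return run(cmd)


def write_sample_results(path):
    """Constructed stand-in for the file Splunk writes (offline demo only)."""
    with gzip.open(path, "wt", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["_time", "host", "_raw"])
        w.writerow(["1475000000", "web01", "web01 is down; rm -rf /"])
        w.writerow(["1475000001", "web02", "web02 is down"])


def demo(run=lambda cmd: 0):
    """Write a constructed results file, parse it, and build the command.

    Returns (rows, command, exit_code) so the behaviour can be checked
    without the real binary; `run` stands in for subprocess.call.
    """
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    try:
        write_sample_results(path)
        rows = load_results(path)
        cmd = first_row_command(rows, ["host", "_raw"])
        rc = main(["alert.py"] + [""] * 7 + [path], run=run)
        return rows, cmd, rc
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) > 8:
        sys.exit(main())      # invoked by Splunk with its eight arguments
    rows, cmd, rc = demo()    # offline run against the constructed file
    print(cmd, rc)
```

Place the script under $SPLUNK_HOME/bin/scripts for the script alert action to find it. Note that Splunk treats this action as legacy; the custom alert action discussed earlier in the thread is the supported route, and it exposes the same rows through helper.get_events().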