I have installed Splunk Add-On Builder and I am now attempting to figure out how to create a new alert option. I want to provide an option to forward an alert to IBM Tivoli OMNIbus. I created 3 required drop-downs and I am now at the "Code & Test" area. I have been trying to find example code of how to take the information from the alert and execute a command line binary to create the Tivoli OMNIbus event. We use something called posteifmsg, which is nothing more than a simple binary that requires a few parameters to be passed with it. For example:
./posteifmsg -m "This is a test" Impact="1" Urgency = "2" OnCallGroup ="MyTeam"
How can I execute such a command line from the code within Add-On builder? Examples?
Also, with Add-On Builder, does it matter where the posteifmsg binary is located as long as it's on the Splunk server?
Below is the generated logic that was produced from the Add-On Builder which shows the 3 new parameters I had created.
# encoding = utf-8
def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.
    [sample_code_macro:start]
    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))
    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))
    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))
    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")
    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))
    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """
    helper.log_info("Alert action OMNIbus started.")
    # TODO: Implement your alert action logic here
    return 0
Thank you for any assistance! Trying to find sample code on this but so far no luck.
Figured it out. Hopefully, this will help others...
# encoding = utf-8
import os
import sys
import time
import datetime
import subprocess


def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.
    [sample_code_macro:start]
    # The following example gets the alert action parameters and prints them to the log
    gfs_impact = helper.get_param("gfs_impact")
    helper.log_info("gfs_impact={}".format(gfs_impact))
    gfs_urgency = helper.get_param("gfs_urgency")
    helper.log_info("gfs_urgency={}".format(gfs_urgency))
    easyvista_category_id = helper.get_param("easyvista_category_id")
    helper.log_info("easyvista_category_id={}".format(easyvista_category_id))
    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")
    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))
    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """
    helper.log_info("Alert action OMNIbus started.")
    # TODO: Implement your alert action logic here
    # posteifmsg and its config.ini live in the app's bin directory
    app_bin = "/lcl/sit/apps/splunk/splunk6.4.0/etc/apps/TA-OMNIbus/bin"
    # Run posteifmsg as an argument list, without a shell: each element
    # reaches the binary as exactly one argument, so no quoting is needed
    # and a parameter value containing quotes or shell metacharacters
    # cannot break or alter the command.
    cmd = [
        os.path.join(app_bin, "posteifmsg"),
        "-f", os.path.join(app_bin, "config.ini"),
        "-m", "SPLUNK EVENT VALUE SHOULD BE HERE",
        "GFS_Impact=" + str(helper.get_param("gfs_impact")),
        "GFS_Urgency=" + str(helper.get_param("gfs_urgency")),
        "ISOC_Instructions=" + str(helper.get_param("easyvista_category_id")),
        "Generic",
        "Generic",
    ]
    helper.log_info("posteifmsg command={}".format(cmd))
    rc = subprocess.call(cmd)
    if rc != 0:
        # a non-zero return lets Splunk record the alert action as failed
        helper.log_error("posteifmsg exited with code {}".format(rc))
    return rc
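A stricter version of the same alert action, added here as an example and not code from the original answer or from the TA-OMNIbus app: it builds the posteifmsg argument list from the three drop-down parameters and the triggering event, validates the drop-down values, resolves the binary relative to the app's bin directory (an assumed layout, which also answers the "where must the binary live" question), and counts failures instead of ignoring the exit code. The `_raw` field name, the allowed value sets and the `build_posteifmsg_argv` / `send_events` names are assumptions.

```python
import os
import subprocess

# Assumed layout: posteifmsg and config.ini sit in the app's bin directory next
# to this script, so paths are derived from __file__ instead of hard-coded.
APP_BIN = os.path.dirname(os.path.abspath(__file__))
POSTEIFMSG = os.path.join(APP_BIN, "posteifmsg")
CONFIG_INI = os.path.join(APP_BIN, "config.ini")

# Values the two drop-downs may take (assumed; keep in sync with the Builder UI)
ALLOWED_IMPACT = {"1", "2", "3", "4"}
ALLOWED_URGENCY = {"1", "2", "3", "4"}


def build_posteifmsg_argv(params, event, binary=POSTEIFMSG, config=CONFIG_INI):
    # One list element per token, so no shell ever parses event text (quotes, ';', backticks).
    impact = str(params.get("gfs_impact", ""))
    urgency = str(params.get("gfs_urgency", ""))
    if impact not in ALLOWED_IMPACT:
        raise ValueError("gfs_impact out of range: %r" % impact)
    if urgency not in ALLOWED_URGENCY:
        raise ValueError("gfs_urgency out of range: %r" % urgency)
    # _raw (assumed field name) is the triggering event's text; cap it so the
    # OMNIbus slot never receives an unbounded string.
    message = str(event.get("_raw", "")).strip()[:1024] or "Splunk alert"
    return [
        binary,
        "-f", config,
        "-m", message,
        "GFS_Impact=" + impact,
        "GFS_Urgency=" + urgency,
        "ISOC_Instructions=" + str(params.get("easyvista_category_id", "")),
        "Generic",
        "Generic",
    ]


def send_events(helper):
    # Post one OMNIbus event per triggering Splunk event; returns the failure count.
    names = ("gfs_impact", "gfs_urgency", "easyvista_category_id")
    params = dict((n, helper.get_param(n)) for n in names)
    failures = 0
    for event in helper.get_events():
        argv = build_posteifmsg_argv(params, event)
        try:
            rc = subprocess.call(argv)  # argument list, never shell=True
        except OSError as err:  # binary missing or not executable
            helper.log_error("cannot run {}: {}".format(argv[0], err))
            rc = 1
        if rc != 0:
            helper.log_error("posteifmsg exited {}".format(rc))
            failures += 1
    return failures
```

In the Add-On Builder script, `process_event` then reduces to `return 1 if send_events(helper) else 0`, so a failed post is recorded as a failed alert action.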
Thanks Larry - this was a huge help - quick question. I'm getting an error trying to call my binary - did you need to specify the posteifmsg binary command in alert_actions.conf?