Alerting

How can I get some additional alert details into my custom alert?

paimonsoror
Builder

Hi Folks;

I was wondering how to add some of the details that a user has put in for defining an Alert into the payload that gets sent to my custom alert. For example:

alt text

Here is a sample alert that I am using. I have a custom app on my search head, and within the local folder there is an alert_actions.conf defined like so:

[spectrum_alert]
disabled=0
payload_format=json
is_custom=1
icon_path=alerticon.png
label=Enterprise Alert
description=Dispatch Alerts to Command Center For Escalation

within my app, there is a bin directory with a python script called 'spectrum_alert.py'. It looks like when the alert is triggered, two things are passed in, one being the '--execute' command, and second is the json payload that is passed in. There are however a few things missing that I would like to have, like the 'description', and the 'event count' for example. How would one add that?

I know that with the out of the box command you can add things like $counttype$ $relation$ $quantity$, but is that still possible here with a custom alert? If so, could someone guide me? Thanks!

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

I'm not fully understanding your question - however, what can be done is to simply pass such data within your search results (which is passed into the python script within the JSON payload). Thus anything that can be calculated and captured within a field in your search can be parsed out of the JSON payload and used within your python script.

For instance, for a customer e-mail notification alert as an example, you can have the search populate some fields named 'replyTo', 'recipient', 'subject', 'numberOfEvents' - then within the python script parse the JSON payload for the those specific fields and perform actions upon them.

0 Karma

paimonsoror
Builder

Thanks for the response.

What I am ideally trying to do is this:

  1. User creates an alert
  2. User decides "i want this alert to the enterprise command center"
  3. User uses my custom alert action called 'spectrum_alert'
  4. Our best practice is to have the user pick a meaninful title for the alert, and description

The JSON payload is great, and it includes the title but it doesn't include the alert description. Ideally I would like to also send in the alert type

Those two additional things from #4 are what I am looking to add to my payload

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...