Hi Folks;
I was wondering how to add some of the details that a user has put in for defining an Alert into the payload that gets sent to my custom alert. For example:
Here is a sample alert that I am using. I have a custom app on my search head, and within the local folder there is an alert_actions.conf defined like so:
[spectrum_alert]
disabled=0
payload_format=json
is_custom=1
icon_path=alerticon.png
label=Enterprise Alert
description=Dispatch Alerts to Command Center For Escalation
within my app, there is a bin directory with a python script called 'spectrum_alert.py'. It looks like when the alert is triggered, two things are passed in, one being the '--execute' command, and second is the json payload that is passed in. There are however a few things missing that I would like to have, like the 'description', and the 'event count' for example. How would one add that?
I know that with the out of the box command you can add things like $counttype$ $relation$ $quantity$, but is that still possible here with a custom alert? If so, could someone guide me? Thanks!
I'm not fully understanding your question - however, what can be done is to simply pass such data within your search results (which is passed into the python script within the JSON payload). Thus anything that can be calculated and captured within a field in your search can be parsed out of the JSON payload and used within your python script.
For instance, for a customer e-mail notification alert as an example, you can have the search populate some fields named 'replyTo', 'recipient', 'subject', 'numberOfEvents' - then within the python script parse the JSON payload for the those specific fields and perform actions upon them.
Thanks for the response.
What I am ideally trying to do is this:
The JSON payload is great, and it includes the title but it doesn't include the alert description. Ideally I would like to also send in the alert type
Those two additional things from #4 are what I am looking to add to my payload