All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to alert via MQTT output?

rapmancz
Explorer
‎05-05-2017 05:46 PM

Hello, would it be possible to raise MQTT message to broker from Splunk?

The idea would be to set up alert and send the alert texts via MQTT to local server. I can not use any cloud solutions.

0 Karma
Reply

christian_l
Path Finder
‎05-29-2017 02:37 AM

Haven't tried it by my own, but from theory you could trigger a script via a alert-search, which then forwards the event to your MQTT server.
Mosquitto (free MQTT Broker: https://mosquitto.org/) comes with commands allowing you to send messages to your topics.

0 Karma
Reply

rapmancz
Explorer
‎05-29-2017 04:34 PM

What you mean with "alert-search"?

I ended with add on builder app, there I created python script to execute shell command mosquitto_pub.
This solution is not so nice, but I did not find any app to execute shell command with alert result field values.
I am not python programmer so I did not cover all possible states....

0 Karma
Reply

christian_l
Path Finder
‎05-30-2017 05:50 AM

With alert-search I mean a search who is triggering a script as alert action.
This script can then process the search results, like you mentioned above.
The search-results are handed over to the script as parameters when it is triggered.
See also here: https://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketin...
Hope to help

0 Karma
Reply

rapmancz
Explorer
‎05-30-2017 06:04 AM

It is not possible to use tokens in your proposed solution (like $result.field1 etc.). You must take $8 and unpack the results file and process the results..

0 Karma
Reply

christian_l
Path Finder
‎05-30-2017 06:21 AM

I don't think you can address the search results directly. I'm processing the results file as you just mentioned. I finalize all the searches I'd like to process via the script with the | table command and the list of fields I later want to process within the script.
Here is a example from a bash script:

SPLUNK_DATA=`zcat $8 | tail -1 | sed 's/\"//g'`


MY_FIELD1=`echo $SPLUNK_DATA | cut -d"," -f1`
MY_FIELD2=`echo $SPLUNK_DATA | cut -d"," -f2`
MY_FIELD3=`echo $SPLUNK_DATA | cut -d"," -f3`
MY_FIELD4=`echo $SPLUNK_DATA | cut -d"," -f4`
MY_FIELD5=`echo $SPLUNK_DATA | cut -d"," -f5`
MY_FIELD6=`echo $SPLUNK_DATA | cut -d"," -f6`
MY_FIELD7=`echo $SPLUNK_DATA | cut -d"," -f7 | sed 's/\s/\n\t\t\t/g' | sed 's/\$//g'`
0 Karma
Reply

rapmancz
Explorer
‎05-30-2017 04:10 PM

I am using Windows enviroment (already tells something about me 🙂 )

I created custom alert with Add on builder and add this to custom python script

helper.log_info("Alert action runscript started.")
topic = helper.get_param("topic")
message = helper.get_param("message")
cmd= "c:\\Program Files (x86)\\mosquitto\\mosquitto_pub.exe"

subprocess.check_output([cmd, "-r","-t",topic,"-m",message])
# TODO: Implement your alert action logic here
return 0

In my alert seach string, I prepared field called description ($result.description$) and passed it as a parameter to the message variable. Like this, it works and I get MQTT notification on my smartwatch...

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...