Splunk Search

How to change Custom Adaptive response action success status message?

niteshp
Explorer

[image: screenshot of the success status message shown after running the custom adaptive response action]

As highlighted in the above image, is it possible to change this success status message to show my own details for the custom adaptive response action which I have created?

Basically, my requirement is that after running the action, I want to give the user an external clickable URL in the UI.
If you have any other suggestion, that is also welcome.
Also, it would be good to know whether we can override/update things here using JavaScript.

Thank you.

0 Karma

hazekamp
Builder

My recommendation would be to use the "drilldown_uri" specification within the Common Action Model to create a custom workflow:

## my_app/default/alert_actions.conf
action.<action>.param._cam = { <stuff> }

## drilldown_uri:     Specifies a custom target for viewing the events
##                    outputted as a result of the action.
##                    Custom target can specify app and/or view depending on syntax.
##                    Optional.
##                    For instance, "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"

See Splunk_SA_CIM/README/alert_actions.conf.spec for full Common Action Model specification
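As an added example (not config from the thread or from Splunk_SA_CIM) of what the `_cam` block above looks like in a real stanza, assuming a hypothetical action named `my_enrich_action` and a hypothetical view `my_response_view`. Only `drilldown_uri` is taken from the spec text quoted above; the other CAM keys and their allowed values are written as recalled and must be checked against Splunk_SA_CIM/README/alert_actions.conf.spec before use.

```ini
## my_app/default/alert_actions.conf  (added example, not from the original post)
[my_enrich_action]
is_custom = 1
label = Enrich and investigate
description = Example custom adaptive response action (hypothetical)
icon_path = my_enrich_action.png
payload_format = json

## Common Action Model specification for this action.
## Keys other than drilldown_uri are assumptions; verify them against
## Splunk_SA_CIM/README/alert_actions.conf.spec.
## Only $sid$ and $rid$ are substituted in drilldown_uri; event fields such as
## src_ip or host are NOT replaced here, so the target view has to look them up
## itself from the notable identified by orig_sid/orig_rid.
param._cam = {"category": ["Information Gathering"], "task": ["scan"], "subject": ["endpoint"], "technology": [{"vendor": "Example", "product": "Lookup", "version": ["1.0"]}], "supports_adhoc": true, "drilldown_uri": "my_response_view?form.orig_sid=$sid$&form.orig_rid=$rid$"}

## Alternative drilldown_uri (as in kchamplin's later reply): jump straight to the
## ES search bar and list the notables produced by this search ID instead of a view.
## drilldown_uri: "/SplunkEnterpriseSecuritySuite/search?q=search notable | search orig_sid=$sid$&earliest=-24h&latest=now"
```

The relative form (`my_response_view?...`) resolves inside the app that ships the action; the absolute `/app/.../search` form lets the link land in another app's view. Because the link is built only from `$sid$` and `$rid$`, no attacker-controlled event field can be spliced into the hyperlink rendered in Incident Review.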

niteshp
Explorer

@hazekamp
Thanks for your response.

I will try using this, but will this drilldown URL be visible in the UI? If yes, where can I view it?

0 Karma

hazekamp
Builder

We use this to construct the hyperlink for the "Response" column in the Adaptive Response table within Incident Review.

0 Karma

niteshp
Explorer

@hazekamp

I got it. I think drilldown_uri can help me get what I actually want, but I am not able to generate the URI for it. I want to create the URI using the hostname and SrcIP from my event details, for which I have added variables to the URI in alert_actions.conf, but those variables are not getting replaced with actual values, whereas I am getting the expected values in my alert Python script.

0 Karma

kchamplin_splun
Splunk Employee

Also, depending on what you are trying to do, since the sid (search ID) is passed in, it will narrow down the results of that drilldown to the results of the notable event. Furthermore, the rid value should be incrementing for each result "row" (each item returned from your correlation search) - so that you can get the same net effect of drilling down to the details of the notable (which if your notable is operating on src_ip, dest, etc. means you'll get close to the same conclusion).

0 Karma

hazekamp
Builder

We don't do full blown token replacement here. We simply replace on $sid$ and $rid$ at this juncture. You are more than welcome to file an enhancement request.

0 Karma

niteshp
Explorer

Hi @hazekamp

Is it possible to add other parameters from the Splunk event into drilldown_uri along with $sid$ and $rid$?
For example: src_ip, dest, host, etc.?

Or can I create a new view in Splunk ES to which I can redirect using drilldown_uri, and will it be possible to access these fields there?

0 Karma

kchamplin_splun
Splunk Employee

If memory serves, the tokens are limited to the following:
sid
rid
time
earliest
latest
action_name

That said, if you "redirect" to the search bar, or to a custom dashboard, with something like the below,
"/SplunkEnterpriseSecuritySuite/search?q=search notable | search orig_sid=$sid$&earliest=-24h&latest=now"
that should pull up the notables associated with that sid (which is what Incident Review is basically doing already; it's just an example). You could of course change that search to go looking for IP addresses or other information. But the short answer is that those fields can't get passed into a new view from Incident Review; you need to figure out how to surface them manually.

0 Karma
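One way to "surface them manually", as an added example that is not part of the thread: a Simple XML form view that receives the `orig_sid` and `orig_rid` tokens from the `drilldown_uri` form above, reads the matching notable back from the notable index, and turns the `src_ip` column into an external investigation link. The view name `my_response_view`, the field names `src_ip`, `dest`, `host` and `rule_name`, the `index=notable` search and the `https://example.invalid/...` URL are all assumptions for illustration; `orig_sid`/`orig_rid` are the notable fields referenced earlier in the thread.

```xml
<!-- my_app/default/data/ui/views/my_response_view.xml  (added example, hypothetical) -->
<form>
  <label>Response drilldown (example)</label>

  <!-- Tokens arrive from drilldown_uri as form.orig_sid / form.orig_rid -->
  <fieldset submitButton="false">
    <input type="text" token="orig_sid">
      <label>orig_sid</label>
    </input>
    <input type="text" token="orig_rid">
      <label>orig_rid</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Notable(s) that triggered the action</title>
      <table>
        <search>
          <!-- Assumption: notables live in index=notable and carry orig_sid/orig_rid -->
          <query>index=notable orig_sid="$orig_sid$" orig_rid="$orig_rid$"
| table _time rule_name src_ip dest host</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <!-- Clicking the src_ip cell opens the external tool in a new tab.
             Token values in <link> are URL-encoded by default, so an event field
             cannot inject extra query parameters into the URL. -->
        <drilldown>
          <condition field="src_ip">
            <link target="_blank">https://example.invalid/investigate?ip=$row.src_ip$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Pair this with `"drilldown_uri": "my_response_view?form.orig_sid=$sid$&form.orig_rid=$rid$"` in the action's `_cam` block; the Response column in Incident Review then leads to this view, which is where the event-derived link lives, since the modal's own status message cannot be changed.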

kchamplin_splun
Splunk Employee
Splunk Employee

Per @smoir and @hazekamp that particular message is simply an acknowledgment that Splunk was able to dispatch the action, not an indication of the status of the action itself. To determine if the dispatched action was successful, merely examine the "Adaptive Responses" area of the expanded Notable Event:

[image: screenshot of the Adaptive Responses table in the expanded Notable Event]

niteshp
Explorer

@kchamplin
Thanks for your reply.
How can I add last Action column in Adaptive Responses (in the table you have highlighted in your screenshot)?
And can I add my own external clickable URL there?

0 Karma

smoir_splunk
Splunk Employee

@niteshp, this is hardcoded in the javascript modal. I'd be interested to hear more about your use case for this. Are you attempting to set up some sort of "runbook" functionality to follow this custom adaptive response action?

0 Karma

niteshp
Explorer

@smoir
Thanks for your response.
Basically, my use case is that after running my custom adaptive response action, I want to provide an external clickable URL to the user so that the user can just click on it and jump to that location for further investigation.
