All Apps and Add-ons

How to monitor the HTTP Alert Action?

mihenn
Path Finder

Hi,

I am trying to send data from Splunk to a Lotus Notes bases Incident Management. This system can recieve events as SOAP messages. So I built the required XML structure within the search as an eval command and trigger the HTTP Alert Action. There I put in all necessary headers and the XML as data.

Now I have this problem, that no messages reach their destination. How can I troubleshoot this? I transmitted the XML manually with curl. That works. So the XML format is correct and the server is reachable over the network.

Sometimes I get an error code 4 in Splunk Internal index. What is error 4?

Thank you.

0 Karma

brendanmacooper
Explorer

@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?

0 Karma

mihenn
Path Finder

Sure,

here is my current configuration I removed the URL, accescode and search.


action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.send_custom_rest_request = 1
action.send_custom_rest_request.param.custom_headers = Authorization='XXX'&SOAPAction=CREATEINCIDENT
action.send_custom_rest_request.param.endpoint = http://XXX?OpenWebService
action.send_custom_rest_request.param.payload = data={body}
action.send_custom_rest_request.param.qs_params =
action.threat_add.param.verbose = 0
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Test der Verbindung
dispatch.earliest_time = rt
dispatch.latest_time = rt
display.events.fields = ["host","source","sourcetype","name","F001","id"]
display.events.maxLines = 0
display.page.search.mode = fast
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = XXX

0 Karma

brendanmacooper
Explorer

Can you try setting the ingestion_safety variable. There's a known issue with version 1.1 which has been fixed in the yet to be released version 1.2

action.send_custom_rest_request.param.ingestion_safety_max_size = 0
0 Karma

mihenn
Path Finder

I wrote my own TA with the Addon-Bulider and I got the same error when trying to send the request. After that I did some research I found out, that it is a problem related to string formatting in Python. You have to use the same method all over the script. I mixed up two different types.

But I will test your TA with this settings and report the result here.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...