Splunk® Enterprise

Developing Views and Apps for Splunk Web

KV Store integration for custom alert actions

Integrate custom alert actions with the KV Store

Integrate custom alert actions with the KV Store to track state and implement complex workflows. Here are some example use cases for KV Store integration.

  • Alert queue for review and approval. To defer immediate alert actions, use the KV Store as a queue for alert action requests. Send alert action parameters, metadata, or an invocation string to the KV Store. Admin or other authorized users can review and approve queued alert action requests.
  • Alert action throttling. Use the KV Store to track and retrieve state, such as most recent alert actions or an alert action count. An alert action script with custom throttling logic can use state information to suppress or run alert actions.
  • Logic to create and update service tickets. Use a custom alert action script to create or update service tickets when an alert triggers. The script can log alerts and ticket information in the KV Store. When a new alert triggers, the script can check the KV Store for ticket history on similar alerts. If a ticket already exists for an alert with similar properties, then the script can update the ticket. If no ticket exists, the script can file a new one.
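
The throttling and ticket use cases above share one pattern: derive a key for "the same" alert from the triggering result, look up a state record under that key, branch on what is stored, then write the record back. The following is an added example (not code from the Splunk documentation) that implements both workflows over an in-memory stand-in for a KV Store collection so it runs offline; the names Collection, throttle, file_or_update_ticket and KEY_FIELDS, the record layout, and the ticketing callbacks are all assumptions for illustration. In a real alert action the Collection.get/save calls become the GET and POST requests to the storage/collections/data endpoint shown later on this page.

```python
import json

# Fields of the triggering event that make two alerts "the same" for
# throttling and ticket deduplication (assumed; pick what fits your alert).
KEY_FIELDS = ('host', 'signature')


def alert_key(result, fields=KEY_FIELDS):
    """Build the KV Store _key for an alert from identifying result fields."""
    return '|'.join('%s=%s' % (f, result.get(f, '')) for f in fields)


class Collection(object):
    """In-memory stand-in for a KV Store collection, constructed for this
    example so it runs offline. In a real alert action get()/save() are a
    GET and a POST to
    /servicesNS/nobody/<app>/storage/collections/data/<collection>/<_key>
    authenticated with the session key from the alert payload."""

    def __init__(self):
        self.records = {}

    def get(self, key):
        rec = self.records.get(key)
        return dict(rec) if rec else None

    def save(self, record):
        self.records[record['_key']] = dict(record)


def throttle(state, payload, now, window_secs=3600, max_actions=1):
    """Decide whether to run the action for this alert.

    One record per alert key tracks the start of the current window and
    how many actions ran in it. Returns (run, record)."""
    key = alert_key(payload.get('result', {}))
    rec = state.get(key)
    if rec is None or now - rec['window_start'] >= window_secs:
        # No state yet, or the window expired: start a fresh window.
        rec = {'_key': key, 'window_start': now, 'count': 0, 'suppressed': 0}
    if rec['count'] >= max_actions:
        rec['suppressed'] += 1
        state.save(rec)
        return False, rec
    rec['count'] += 1
    rec['last_action'] = now
    state.save(rec)
    return True, rec


def file_or_update_ticket(tickets, payload, now, create, update):
    """Create a ticket for a new alert key, or update the existing one.

    create(payload) and update(ticket_id, payload) stand in for the
    ticketing system API and return the ticket id. Returns (action, record)."""
    key = alert_key(payload.get('result', {}))
    rec = tickets.get(key)
    if rec is None:
        ticket_id = create(payload)
        rec = {'_key': key, 'ticket_id': ticket_id, 'opened': now,
               'search_name': payload.get('search_name'), 'hits': 1}
        tickets.save(rec)
        return 'created', rec
    update(rec['ticket_id'], payload)
    rec['hits'] += 1
    rec['last_seen'] = now
    tickets.save(rec)
    return 'updated', rec


def demo():
    """Run both workflows over constructed alert payloads (not real data)."""
    def mk(host, sig, sid):
        # Shape follows the alert action payload: search_name, sid, result.
        return {'search_name': 'Suspicious logon', 'sid': sid,
                'result': {'host': host, 'signature': sig}}
    state, tickets = Collection(), Collection()
    issued = []
    create = lambda p: issued.append(p) or 'INC-%d' % len(issued)
    update = lambda tid, p: tid
    out = []
    for t, p in [(0, mk('web01', 'brute-force', '1')),
                 (600, mk('web01', 'brute-force', '2')),
                 (700, mk('db01', 'brute-force', '3')),
                 (4000, mk('web01', 'brute-force', '4'))]:
        run, rec = throttle(state, p, now=t)
        action = (file_or_update_ticket(tickets, p, t, create, update)[0]
                  if run else 'suppressed')
        out.append((p['sid'], run, action, rec['count'], rec['suppressed']))
    return out


if __name__ == '__main__':
    print(json.dumps(demo()))
```

Two points to keep in mind when moving this onto a real collection: the read-modify-write in throttle() is not atomic, so two invocations of the action running at the same moment can both read count 0 and both fire, which makes this a rate limiter rather than a hard guarantee; and every field of the record is replaced on save, so keep all state you care about in the record you write back.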

Example code

Here is a code selection from a KV Store custom alert action script. The example updates one field in a KV Store record: it reads the alert action payload from stdin, fetches the record by key through the splunkd REST API using the session key from the payload, and writes the modified record back. The script is written for the Python 2.7 interpreter bundled with these Splunk Enterprise versions.

import sys
import json
import urllib
import urllib2

def request(method, url, data, headers):
    """Helper function to send a request to splunkd and return the decoded JSON response"""
    req = urllib2.Request(url, data, headers)
    # urllib2 only picks GET or POST on its own; force the verb explicitly
    req.get_method = lambda: method
    res = urllib2.urlopen(req)
    return json.loads(res.read())

# Splunk passes the alert action payload as a JSON document on stdin. It
# carries the session key, server URI, app context and the parameters the
# user configured for this action.
payload = json.loads(sys.stdin.read())

config = payload.get('configuration', dict())
collection = config.get('collection')
record_name = config.get('name')
field = config.get('field')
value = config.get('value')

if not all([collection, record_name, field]):
    print >>sys.stderr, 'ERROR Missing required parameter: collection, name and field must be set'
    sys.exit(1)

# Build the URL for the Splunkd REST endpoint. URL-quote each path segment so
# a user-supplied collection or record name cannot alter the endpoint path.
# KV Store collections are app-scoped, so records live under the 'nobody' owner.
url_tmpl = '%(server_uri)s/servicesNS/%(owner)s/%(app)s/storage/collections/data/%(collection)s/%(name)s?output_mode=json'
record_url = url_tmpl % dict(
    server_uri=payload.get('server_uri'),
    owner='nobody',
    app=urllib.quote(config.get('app') if 'app' in config else payload.get('app')),
    collection=urllib.quote(collection),
    name=urllib.quote(record_name))
print >>sys.stderr, 'DEBUG Built kvstore record url=%s' % record_url

# The session key is a credential: send it only in the Authorization header
# and never write it (or the raw payload) to the log.
headers = {
    'Authorization': 'Splunk %s' % payload.get('session_key'),
    'Content-Type': 'application/json'}

# Fetch the record from the kvstore collection
try:
    record = request('GET', record_url, None, headers)
    print >>sys.stderr, "DEBUG Retrieved record:", json.dumps(record)
except urllib2.HTTPError as e:
    print >>sys.stderr, 'ERROR Failed to fetch record at url=%s. Server response: %s' % (
        record_url, json.dumps(json.loads(e.read())))
    sys.exit(2)

# Update the record with the user supplied field value. A POST to a record
# URL replaces the whole record, so merge the new value into the fetched
# record rather than sending only the changed field.
record[field] = value

print >>sys.stderr, 'INFO Updating kvstore record=%s in collection=%s with data=%s' % (
    record_name, collection, json.dumps(record))

# Send the updated record to the server
try:
    response = request('POST', record_url, json.dumps(record), headers)
    print >>sys.stderr, 'DEBUG server response:', json.dumps(response)
except urllib2.HTTPError as e:
    print >>sys.stderr, 'ERROR Failed to update record:', json.dumps(json.loads(e.read()))
    sys.exit(2)

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2