Splunk® Enterprise

Developing Views and Apps for Splunk Web


Optional custom alert action components

These items are optional, but you can add them to an app for additional functionality.

Spec files

Create an alert_actions.conf.spec and/or a savedsearches.conf.spec file to describe new custom parameters in the alert_actions.conf or savedsearches.conf configuration files. Spec files are used for documentation and configuration file validation. Place spec files in a README directory within the app package.

For information on writing a spec file, see Writing valid spec files. You can also see Structure of a spec file. These topics address spec files for Modular Inputs, but are generally applicable for custom alert action apps.

App setup

You can add a setup.xml file to populate global configuration settings such as server addresses or credentials. setup.xml opens a view when a user first invokes the app. In this view, the user can configure global settings.

Here is an example setup file.

$SPLUNK_HOME$/etc/apps/[Add-on]/default/setup.xml

<setup>
    <block title="Chat Alerts">
        <text>Send Chat Room Notifications</text>
    </block>
    <block title="Server">
        <input endpoint="admin/alert_actions" entity="chat" field="action.chat.param.base_url">
            <label>Server Base URL</label>
            <type>text</type>
        </input>
        <input endpoint="storage/passwords" entity=":chat_api_token:" field="password">
            <label>API Token</label>
            <type>text</type>
        </input>
    </block>
    <block title="Other Settings" endpoint="admin/alert_actions" entity="chat">
        <input field="action.chat.param.notify">
            <label>Notify</label>
            <type>bool</type>
        </input>
        <input field="action.chat.param.color">
            <label>Color</label>
            <type>text</type>
        </input>
    </block>
</setup>

For more information, see Configure a setup screen and setup.xml.

Metadata files

Use default.meta to define permissions and scope for alert actions. Typically you want to export the alert action globally. Here is an example configuration.

$SPLUNK_HOME$/etc/apps/[custom_alert]/metadata/default.meta

[]
# Allow all users to read this app's contents.
# Allow only admin users to share objects into this app.
access = read : [ * ], write : [ admin ]

[alert_actions/logger]
# export actions globally
export = system

[alerts]
export = system

For more information, see the default.meta.conf reference in the Admin manual.

Validation rules

Place validation rules for new parameters in restmap.conf. These rules validate any new parameters and return an error message when a rule is not met. Dynamic or external validation is not currently supported.

Here is an example of validation rules in restmap.conf.

[validation:savedsearches]
action.webhook.param.url = validate( match('action.webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

For more information, see the savedsearches.conf and restmap.conf references in the Admin manual.
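
The rule above is a syntax check only, and dynamic validation is not available in restmap.conf, so any stricter policy has to run in the alert script itself. The following is an added example, not Splunk code: it mirrors the restmap.conf pattern with Python's re module and layers a runtime check on top. The HTTPS-only policy, the ALLOWED_HOSTS allowlist, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the restmap.conf rule: syntax only, any host, http or https.
RESTMAP_PATTERN = re.compile(r"^https?://[^\s]+$")

# Hypothetical allowlist; a real app would read this from its own config.
ALLOWED_HOSTS = {"hooks.example.com"}


def passes_restmap_rule(url):
    """True when the URL would satisfy the restmap.conf validate() rule."""
    return RESTMAP_PATTERN.search(url) is not None


def check_webhook_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Runtime check for the alert script. Returns a list of problems."""
    if not passes_restmap_rule(url):
        return ["Webhook URL is invalid"]
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        has_userinfo = bool(parts.username or parts.password)
    except ValueError:
        # urlsplit rejects malformed authorities such as a broken IPv6 literal.
        return ["Webhook URL is invalid"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if has_userinfo:
        problems.append("credentials embedded in URL")
    if host not in allowed_hosts:
        problems.append("host not in allowlist")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ("https://hooks.example.com/notify",
                   "http://hooks.example.com/notify",
                   "https://other.example.net/notify",
                   "not a url"):
        print(sample, "->", check_webhook_url(sample) or "ok")
```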

Confidential information storage

To store confidential information such as passwords, API keys, or other credentials, you can use the app password storage endpoint, storage/passwords. This lets you populate a password storage entry through app setup. Passwords are stored in encrypted form. When the alert action is triggered, the alert script can use the session_key to call back to splunkd and fetch the cleartext value.

For more information, see the storage/passwords endpoint documentation in the REST API Reference Manual.

  • Note: Confidential information storage only works for setup-time configuration and does not work for instance settings created via the alert dialog in the Splunk Web search user interface.
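
The callback described above, as an added example that is not Splunk's own code: the alert script reads the JSON payload from stdin, then uses its session_key and server_uri to fetch the :chat_api_token: entry that setup.xml stored. The app name chat_alert and the function names are assumptions; the code also assumes the splunkd management port presents a certificate that Python's default trust store accepts.

```python
import json
import sys
import urllib.parse
import urllib.request

APP = "chat_alert"            # assumed app directory name
ENTITY = ":chat_api_token:"   # realm:username: entity from the setup.xml example


def build_request(payload, app=APP, entity=ENTITY):
    """Build the authenticated GET for one storage/passwords entry."""
    url = "%s/servicesNS/nobody/%s/storage/passwords/%s?output_mode=json" % (
        payload["server_uri"].rstrip("/"),
        urllib.parse.quote(app, safe=""),
        urllib.parse.quote(entity, safe=""),
    )
    # splunkd accepts the alert's session key as "Authorization: Splunk <key>".
    return urllib.request.Request(
        url, headers={"Authorization": "Splunk " + payload["session_key"]})


def extract_clear_password(body, entity=ENTITY):
    """Return clear_password for the entity, or raise if none is stored."""
    for entry in json.loads(body).get("entry", []):
        if entry.get("name") == entity:
            secret = entry.get("content", {}).get("clear_password")
            if secret:
                return secret
    raise LookupError("no credential stored for %r; run app setup" % entity)


def fetch_api_token(payload, urlopen=urllib.request.urlopen):
    """Fetch the token at trigger time. TLS verification stays enabled."""
    with urlopen(build_request(payload), timeout=10) as resp:
        return extract_clear_password(resp.read())


if __name__ == "__main__" and "--execute" in sys.argv:
    # splunkd passes the alert payload, including session_key, as JSON on stdin.
    token = fetch_api_token(json.load(sys.stdin))
    # Use the token for the outbound chat request here. Keep it in memory
    # only: do not print it, log it, or write it to a file.
```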

Alert action icon file

You can include an icon file to represent the alert action separately from the app in Splunk Web. For example, users see the alert action icon in the dropdown menu for configuring an alert action. Place this icon file in the <app_name>/appserver/static static assets directory along with the app icon file. Ensure that the alert stanza in alert_actions.conf includes an icon_path parameter that matches the icon file name. The best practice is to use a 48 x 48 px PNG file. The icon displays at 24 x 24 pixels.

The custom alert action icon is not the same as the app icon that appears on Splunkbase. To use the Splunkbase app icon for the custom alert action icon in Splunk Web, specify appIcon.png as the icon_path value.

It is recommended to name this icon file after the alert action. For example, you can use my_alert_action_icon.png.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0

