Splunk® Enterprise

Developing Views and Apps for Splunk Web


Logger example for custom alert actions

The logger example implements a custom alert action that does the following:

  • Creates a path to a log file when the alert first fires.
  • Writes log messages to the log file when the alert fires.
  • Writes log information to an existing Splunk Enterprise log file.

Python file for logger example

logger.py implements custom alert actions.

$SPLUNK_HOME$/etc/apps/logger_app/bin/logger.py

from __future__ import print_function  # keeps the print calls valid on Python 2 and 3
import sys, os, datetime

def log(msg):
    # Append a timestamped line to a log file under $SPLUNK_HOME/var/log/splunk,
    # the directory that holds the Splunk Enterprise logs.
    f = open(os.path.join(os.environ["SPLUNK_HOME"], "var", "log", "splunk", "test_modalert.log"), "a")
    print(datetime.datetime.now().isoformat(), msg, file=f)
    f.close()

# Splunk runs the script with the --execute argument and passes the alert payload on stdin.
log("got arguments %s" % sys.argv)
log("got payload: %s" % sys.stdin.read())

# Anything written to stderr is captured by the existing Splunk Enterprise log.
print("INFO Hello STDERR", file=sys.stderr)

logger.py creates or updates a log file in the following location.

$SPLUNK_HOME$/var/log/splunk/test_modalert.log

The following is a sample of output generated by logger.py when an alert is triggered.

2015-03-07T01:41:42.430696 got arguments ['/opt/splunk/etc/apps/logger_app/bin/logger.py', '--execute']
2015-03-07T01:41:42.430718 got payload: <?xml version="1.0" encoding="UTF-8"?>
<alert>
  <app>logger_app</app>
  <owner>admin</owner>
  <results_file>/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__logger_app__RMD5910195c23186c103_at_1425692383_0.0/results.csv.gz</results_file>
  <results_link>http://myserver:8000/app/logger_app/@go?sid=rt_scheduler__admin__logger_app__RMD5910195c23186c103_at_1425692383_0.0</results_link>
  <server_host>myserver</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>OCmOZHf37O^9fDktTrvNc6Kidz^68zs0Y7scufwRo6Lpdi5ZGmtxsPbIUlUKtjt9ZPG7gKz4Dq8_eVntQ5EGR^N9rqkmg1dREAp8FFCduDwwvl6pEXEB^4w3MS6suwp9acw7JOlb</session_key>
  <sid>rt_scheduler__admin__logger_app__RMD5910195c23186c103_at_1425692383_0.0</sid>
  <search_name>my_saved_search</search_name>
  <configuration>
    <stanza name="my_saved_search"/>
  </configuration>
</alert>
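As an added example that is not part of the Splunk documentation or the logger app, the following script shows how an alert action can parse the payload shown above with the standard library and mask the session key before logging it. The payload is passed on stdin when Splunk runs the script with --execute; the embedded sample payload, the placeholder key and the helper names parse_payload and redact are constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample payload, trimmed from the one shown above; the real
# session_key is replaced with a placeholder.
SAMPLE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<alert>
  <app>logger_app</app>
  <owner>admin</owner>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>PLACEHOLDER-SESSION-KEY</session_key>
  <sid>rt_scheduler__admin__logger_app__RMD5910195c23186c103_at_1425692383_0.0</sid>
  <search_name>my_saved_search</search_name>
  <configuration>
    <stanza name="my_saved_search"/>
  </configuration>
</alert>
"""

# Fields that are credentials: session_key is a bearer token for the REST API
# at server_uri and must not end up in a log file.
SECRET_FIELDS = ("session_key",)

def parse_payload(xml_text):
    """Return the top-level payload elements as a dict; <configuration> becomes
    a dict of stanza name -> {param name: value} (Splunk delivers action
    parameters as <param name="..."> children, none in this sample)."""
    root = ET.fromstring(xml_text)
    payload = {}
    for child in root:
        if child.tag == "configuration":
            payload["configuration"] = {
                s.get("name"): {p.get("name", p.tag): (p.text or "").strip() for p in s}
                for s in child.findall("stanza")
            }
        else:
            payload[child.tag] = (child.text or "").strip()
    return payload

def redact(payload):
    """Copy of the payload with credential fields masked before it is logged."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in payload.items()}

if __name__ == "__main__":
    # Splunk runs the script as "logger.py --execute" with the payload on stdin;
    # without that flag the constructed sample is used so the file runs stand-alone.
    text = sys.stdin.read() if "--execute" in sys.argv[1:] else SAMPLE_PAYLOAD
    print(redact(parse_payload(text)))
```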

Configuration files for the logger example

The logger example for custom alert actions contains the following configuration files.

File                 Description
alert_actions.conf   Defines the properties of the custom alert action.
app.conf             Package and UI information about the add-on. Required to display information about logger alert actions on the Alert Actions Manager page.

alert_actions.conf

Defines the properties of the custom alert action.

Place the properties in a stanza with the base name of the script that implements the alert actions.

$SPLUNK_HOME$/etc/apps/logger_app/default/alert_actions.conf

[logger]
is_custom = 1

#By default, custom alert actions are enabled
#disabled = 1

# The label, description, and icon appear in the alert 
# actions dialog when a user configures an alert action
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.jpg

app.conf

Defines properties that appear in the Alert Actions Manager page.

[ui]
is_visible = 1
label = Mod Alert Tests

[launcher]
author = Splunk
description = Quick examples for testing mod alerts
version = 1.0

[install]
state = enabled
is_configured = 1

HTML file for the custom alert action form

The HTML file defines the form elements for the custom alert action in the Splunk Enterprise UI. Best practice is to use markup consistent with the markup provided by Bootstrap. Bootstrap is a free collection of tools that contains HTML and CSS-based design templates.

The base name of the HTML file is the same as the base name of the script that implements the alert action.

$SPLUNK_HOME$/etc/apps/logger_app/default/data/ui/alerts/logger.html

<form class="form-horizontal form-complex">
    <p>Write log entries for this action.</p>
</form>

Access the logger alert action from Splunk Web

From the home page, select the gear icon next to Apps and browse for the logger custom alert action.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0


Comments

Thank you for your comment. We can consider a shell script example for future updates.

In the meantime, you might want to check out this topic for another example script that fetches a payload:
http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/ModAlertsAdvancedExample

For more advice or shell script examples you could also post a question on our Answers community forum, or check for previous posts there too: https://answers.splunk.com/

Another option would be to reach out on our Slack user group chat forums: https://splunk-usergroups.slack.com

Hope this helps!

Frobinson splunk, Splunker
March 1, 2017

Can we have a shell script example to fetch the payload value?

Harsmarvania57
February 28, 2017
