Advanced options for working with custom alert actions
Learn how to use additional features of custom alert actions.
Invoke a custom alert action from a search
You can invoke an alert action by name using the
sendalert command as part of a search.
For testing purposes, you might want to invoke an alert action directly from search. You can pipe your search to
sendalert and pass in parameters.
Here is the
sendalert <action-name> [options]
<action-name>refers to an alert action in either
[options]allows you to pass in key-value arguments starting with
param.argument is merged with the corresponding token from
For more information about using this command, see
sendalert in the Search Reference.
Pass search result values to alert action tokens
You can pass search result values to different alert action tokens when you use
There are several available custom alert action tokens.
|$result.<fieldname>$||Any field value from the first row of the search results|
|$job.<property>$||Any search job property|
|$server.<property>$||Properties returned by the server info endpoint|
|$app$||Name of the app containing the search|
|$cron_schedule$||Cron schedule for the alert|
|$name$||Name of the search or alert|
|$next_scheduled_time$||The next time the scheduled search runs|
|$owner$||Owner of the search|
|$results_link$||Link to the search results|
|$search$||Actual search string|
|$trigger_date$||Date when alert was triggered|
|$trigger_timeHMS$||Formatted time when the alert was triggered|
|$trigger_time$||Trigger time in unix epoch|
|$alert.severity$||Alert severity level|
|$alert.expires$||Alert expiration time|
Custom alert action tokens work similarly to tokens for email notifications. To learn more, see Use tokens in email notifications.
As an example, you might want to search for login failure events. You can pass the search results and some informational text to the
param.message key. Then, you can use the
$result.<field_name>$ token to hold the corresponding field's value from your search results.
Here is what your query would look like.
index=_internal component=UiAuth action=login status=failure | sendalert chat param.room="Security Team Room" param.message="Login failed for user: $result.user$"
In this case,
user is the result field name.
After receiving search results showing an admin role, the value passed to the alert script might look like this.
param.message = "Login failed for user: admin"
Access alert action script logs
Developers can access logs of the alert action script via the Alert Actions manager page. Any information that your script prints to
STDERR will be treated as a log message. Message prefixes, such as
ERROR, will be treated as the log level.
To review logs for an alert action, select Settings>Alert actions. This takes you to the Alert Actions manager page. Select View log events for your alert action.
Custom alert action logging is similar to modular input logging. For more information, see Set up logging.
HipChat example for custom alert actions
KV Store integration for custom alert actions
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1