Splunk® Enterprise

Developing Views and Apps for Splunk Web


Advanced options for working with custom alert actions

Learn how to use additional features of custom alert actions.

Invoke a custom alert action from a search

You can invoke an alert action by name using the sendalert command as part of a search. For testing purposes, you might want to invoke an alert action directly from search. You can pipe your search to sendalert and pass in parameters.

Here is the sendalert syntax.

sendalert <action-name> [options]

  • <action-name> refers to an alert action defined in either alert_actions.conf or savedsearches.conf.
  • [options] lets you pass key-value arguments whose names begin with param. (for example, param.message). Each param.* argument is merged with the corresponding param.* setting for that action in alert_actions.conf.

For more information about using this command, see sendalert in the Search Reference.

Pass search result values to alert action tokens

You can pass search result values to different alert action tokens when you use sendalert.

There are several available custom alert action tokens.

Token                    Description
$result.<fieldname>$     Any field value from the first row of the search results
$job.<property>$         Any search job property
$server.<property>$      Properties returned by the server info endpoint
$app$                    Name of the app containing the search
$cron_schedule$          Cron schedule for the alert
$description$            Search description
$name$                   Name of the search or alert
$next_scheduled_time$    The next time the scheduled search runs
$owner$                  Owner of the search
$results_link$           Link to the search results
$search$                 Actual search string
$trigger_date$           Date when the alert was triggered
$trigger_timeHMS$        Formatted time when the alert was triggered
$trigger_time$           Trigger time as a Unix epoch timestamp
$alert.severity$         Alert severity level
$alert.expires$          Alert expiration time

Custom alert action tokens work similarly to tokens for email notifications. To learn more, see Use tokens in email notifications.

Example

As an example, suppose you search for login failure events. You can pass informational text together with a search result value to the param.message key by using the $result.<fieldname>$ token, which expands to the value of that field in the first row of your search results.

Here is what your query would look like.

index=_internal component=UiAuth action=login status=failure | sendalert chat param.room="Security Team Room" param.message="Login failed for user: $result.user$"

In this case, user is the result field name.

If the first row of the search results has user=admin, the value passed to the alert script might look like this.

param.message = "Login failed for user: admin"
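To make the substitution concrete, here is an added example (not Splunk's own code, and not part of the original topic) that approximates how the param.* values from the sendalert example are expanded against the first result row and a few search-level tokens. The sample result row, the search context values, and the empty-string expansion for unknown tokens are all assumptions made for illustration. Because a result field such as user is populated by whoever attempted the login, the example deliberately performs a single substitution pass so that a field value shaped like a token is inserted literally rather than expanded again.

```python
import re

# Constructed sample data: the first row of the search results from the
# login-failure search above, and a few search-level token values.
RESULT_ROW = {"user": "admin", "status": "failure", "component": "UiAuth"}
SEARCH_CONTEXT = {
    "name": "Failed UI logins",
    "app": "search",
    "owner": "admin",
    "alert.severity": "4",
}

# The param.* arguments from the sendalert example, before token expansion.
SENDALERT_PARAMS = {
    "room": "Security Team Room",
    "message": "Login failed for user: $result.user$",
}

# A token is a dollar-delimited name such as $result.user$ or $alert.severity$.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def expand_tokens(template, result_row, context):
    """Replace $result.<fieldname>$ and $<name>$ tokens in one param value.

    This approximates the substitution sendalert applies; it is not Splunk's
    code. Tokens that match nothing expand to an empty string (a choice made
    here for illustration). Substitution is a single pass: a field value that
    itself looks like a token is inserted literally and never re-expanded, so
    a result row cannot trigger a second round of substitution.
    """

    def replace(match):
        token = match.group(1)
        if token.startswith("result."):
            field = token[len("result."):]
            return str(result_row.get(field, ""))
        return str(context.get(token, ""))

    return TOKEN_RE.sub(replace, template)


def expand_params(params, result_row, context):
    """Expand every param.* value that will be handed to the alert script."""
    return {key: expand_tokens(value, result_row, context)
            for key, value in params.items()}


if __name__ == "__main__":
    expanded = expand_params(SENDALERT_PARAMS, RESULT_ROW, SEARCH_CONTEXT)
    for key, value in sorted(expanded.items()):
        print("param.%s = %r" % (key, value))
```

Running the block prints param.message = 'Login failed for user: admin', matching the value shown above. The single-pass behaviour is worth keeping in mind when you write your own action: treat every expanded value as untrusted input from the search results, not as text you authored.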


Access alert action script logs

Developers can access the logs of an alert action script from the Alert Actions manager page. Anything your script writes to STDERR is treated as a log message, and a message prefix such as DEBUG, INFO, WARN, or ERROR is treated as the log level.

To review logs for an alert action, select Settings > Alert actions. This takes you to the Alert Actions manager page. Select View log events for your alert action.

Custom alert action logging is similar to modular input logging. For more information, see Set up logging.
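The following skeleton of an alert action script is an added example, not Splunk's own code or a script from this topic. It shows the STDERR logging convention described above together with a defensive way of handling the values the script receives. The payload layout it parses (the script is run with --execute and reads one JSON object from STDIN whose configuration key holds the expanded param.* values) is an assumption about the alert action runtime that this page does not spell out; the sample payload itself is constructed.

```python
import json
import sys

# Log levels that the Alert Actions manager recognises as a message prefix.
LEVELS = ("DEBUG", "INFO", "WARN", "ERROR")

# Constructed sample payload. Assumption, not stated on this page: Splunk runs
# the script as "<script> --execute" and writes one JSON object to STDIN, with
# the expanded param.* values under "configuration" and the first result row
# under "result". The session_key is a live credential for the Splunk REST
# API and must never be written to the log.
SAMPLE_PAYLOAD = json.dumps({
    "configuration": {"room": "Security Team Room",
                      "message": "Login failed for user: admin"},
    "result": {"user": "admin", "status": "failure"},
    "search_name": "Failed UI logins",
    "app": "search",
    "owner": "admin",
    "session_key": "PLACEHOLDER-NOT-A-REAL-SESSION-KEY",
})


def log(level, message):
    """Write one log line to STDERR in the form '<LEVEL> <message>'.

    Splunk treats STDERR output of an alert script as log events and reads the
    leading DEBUG/INFO/WARN/ERROR word as the level. Line breaks inside the
    message are collapsed because message text often carries search result
    values (a username chosen by whoever attempted the login, for instance),
    and an embedded newline would otherwise let that value forge a second,
    separately-leveled log line.
    """
    if level not in LEVELS:
        raise ValueError("unknown log level: %s" % level)
    line = "%s %s" % (level, " ".join(message.splitlines()))
    sys.stderr.write(line + "\n")
    return line


def parse_payload(raw):
    """Extract what the action needs from the JSON payload and drop the rest.

    Only the fields the action uses are kept; in particular session_key is
    discarded here so that no later log statement can leak it.
    """
    payload = json.loads(raw)
    config = payload.get("configuration", {})
    return {
        "room": config.get("room", ""),
        "message": config.get("message", ""),
        "search_name": payload.get("search_name", ""),
        "result": payload.get("result", {}),
    }


def main(argv, raw_payload):
    """Entry point; returns the exit status instead of calling sys.exit()."""
    if "--execute" not in argv:
        log("ERROR", "unsupported invocation, expected --execute")
        return 1
    try:
        params = parse_payload(raw_payload)
    except ValueError as exc:
        log("ERROR", "could not parse alert payload: %s" % exc)
        return 2
    log("INFO", "alert=%r room=%r" % (params["search_name"], params["room"]))
    log("DEBUG", "message=%r" % params["message"])
    # Delivery to the chat service would go here; it is omitted so the
    # example runs offline.
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:], sys.stdin.read()))
```

Each log call produces a line such as "INFO alert='Failed UI logins' room='Security Team Room'", which the View log events page shows at the INFO level. Keeping the level prefix as the first word and collapsing newlines before writing are the two details that keep the log readable and trustworthy when the message contains values taken from search results.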


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0
