 Create custom alert actions for Splunk Cloud Platform or Splunk Enterprise

When a scheduled search triggers an alert, the Splunk platform runs the alert action, or response, assigned to the alert. The Splunk platform contains preconfigured alert actions, including email notifications and webhooks. If your use case requires an alert response that is not natively supported by Splunk software, you can create a custom alert action. Custom alert actions are user-defined alert actions that allow you to extend the Splunk platform with specialized alerting functionality. You can implement a custom alert action in a script and package the solution in a Splunk app.

As a best practice, use Python to write the script for a custom alert action. For a complete list of supported script formats, see Write the script for a custom alert action for Splunk Cloud Platform or Splunk Enterprise.

For example, say you want to respond to an alert with a customized log message. You can create a custom alert action to write this message to a specified log file when the alert is triggered by a saved search in Splunk Cloud Platform or Splunk Enterprise.

Here are some use cases for custom alert actions:

  • You want to use your company's instant messaging system to send a customized notification to users following a change in data.
  • You want to automate a response after a Splunk platform search detects a particular event.

 How custom alert actions work

When a scheduled search triggers an alert with a custom alert action, Splunk software runs the Python script defined in the custom alert action's configuration. This Python script uses stdin to take in a payload formed from the scheduled search and alert action settings and then completes the functionality specified in the script.

The following diagram shows how a custom alert action works. Details about each step in the workflow follow the diagram.

This diagram shows how a custom alert action uses a Python script to perform custom alerting functionality.

  1. A scheduled search runs in the Splunk platform.
  2. The results from the scheduled search trigger an alert.
  3. Splunk software identifies the alert and locates the corresponding alert action in your app's alert_actions.conf file.
  4. Splunk software runs the Python script for the custom alert action specified in your app's alert_actions.conf file. This Python script takes in information from the saved search and alert action configurations.
  5. The Python script completes the custom alerting functionality.
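The following script is an added example of the workflow above, written for this page and not taken from the Splunk documentation or the splunk-app-examples repository. It implements the log-message use case from the introduction: Splunk runs the script, the script reads the payload from stdin and appends one line to a log file. It assumes (none of this is stated on the page) that Splunk invokes the script with a single `--execute` argument and that the stdin payload is JSON with a `configuration` object holding the alert action's parameters, a `result` object holding the first result row, and `search_name`, `sid` and `session_key` fields; the parameter names `log_name` and `message` and the `LOG_DIR` directory are hypothetical and would be declared in the app's alert_actions.conf. Two defensive details are worth noting: result fields come from search results, so they are flattened onto one line before being written (otherwise a value containing a newline could forge extra log entries), and the session key is never copied into the log.

```python
"""Custom alert action script: append a formatted line to a log file.

Added example, not from the Splunk docs. Assumed contract (not on the page):
Splunk runs ``python log_message.py --execute`` and sends a JSON payload on
stdin with ``configuration``, ``result``, ``search_name``, ``sid`` and
``session_key``. Parameter names ``log_name``/``message`` are hypothetical.
"""
import json
import os
import sys

# Hypothetical directory that log files are confined to.
LOG_DIR = "/opt/splunk/var/log/custom_alert"

# Payload fields that must never be copied into the log output.
SENSITIVE_KEYS = {"session_key"}

# Constructed sample payload in the assumed shape (not captured from a live instance).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Failed logins by host",
    "sid": "scheduler__sid_placeholder",
    "session_key": "SESSION-KEY-PLACEHOLDER",
    "configuration": {"log_name": "alerts.log",
                      "message": "$count$ failed logins on $host$"},
    "result": {"host": "web01\nINJECTED fake line", "count": "57"},
})


def parse_payload(text):
    """Parse the stdin payload; raise ValueError on malformed or incomplete input."""
    try:
        payload = json.loads(text)
    except ValueError as exc:
        raise ValueError("payload is not valid JSON: %s" % exc)
    if not isinstance(payload, dict) or not isinstance(payload.get("configuration"), dict):
        raise ValueError("payload is missing the 'configuration' object")
    return payload


def sanitize(value):
    """Flatten a value onto one line so untrusted result fields cannot forge log entries."""
    return str(value).replace("\r", " ").replace("\n", " ")


def format_message(payload):
    """Expand $field$ tokens in the 'message' parameter with fields of the first result row."""
    template = payload["configuration"].get("message", "alert fired")
    msg = template
    for key, value in (payload.get("result") or {}).items():
        if key in SENSITIVE_KEYS:
            continue
        msg = msg.replace("$%s$" % key, sanitize(value))
    return "search=%s sid=%s %s" % (
        sanitize(payload.get("search_name", "")),
        sanitize(payload.get("sid", "")),
        msg,
    )


def resolve_log_path(log_dir, name):
    """Accept only a plain file name so the parameter cannot point outside log_dir."""
    if not name or os.path.basename(name) != name:
        raise ValueError("'log_name' must be a plain file name, got %r" % name)
    return os.path.join(log_dir, name)


def write_log(path, line):
    """Append one line to the log file and return the line written."""
    with open(path, "a") as fh:
        fh.write(line + "\n")
    return line


def main(argv=None, stdin=None, log_dir=LOG_DIR):
    """Entry point; returns the process exit code (0 on success)."""
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    if argv != ["--execute"]:
        sys.stderr.write("FATAL unsupported execution mode, expected --execute\n")
        return 1
    try:
        payload = parse_payload(stdin.read())
        path = resolve_log_path(log_dir, payload["configuration"].get("log_name"))
        write_log(path, format_message(payload))
    except Exception as exc:
        # Splunk captures the script's stderr, so this is where troubleshooting output belongs.
        sys.stderr.write("ERROR %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `echo "$SAMPLE_PAYLOAD" | python log_message.py --execute` (with `LOG_DIR` pointing at a writable directory) appends a single line to `alerts.log`; a payload whose `log_name` contains a path separator, or that is not valid JSON, produces an error on stderr and a non-zero exit code instead.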

 Prerequisites for creating a custom alert action

  • Splunk Enterprise version 6.3 or higher.

    As a best practice, use an installation of Splunk Enterprise in a single-instance development environment. For more information about supported computing environments, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.

  • An app for your custom alert action.

    Develop your custom alert action in a custom app in Splunk Enterprise. For more information, see Create a Splunk app and set properties.

  • The supported version of Python, depending on your Splunk Enterprise installation.

    • If you are using Splunk Enterprise version 8.0 or higher, use Python 3.7.
    • If you are using Splunk Enterprise versions 7.x or lower, use Python version 2.7.
      For more information, see Python 3 migration with the Splunk platform in the Splunk Enterprise Python 3 Migration Manual.

 Workflow for creating a custom alert action

Follow this workflow to create a custom alert action:

  1. Configure app settings for the custom alert action. See Configure app settings for a custom alert action for Splunk Cloud Platform or Splunk Enterprise.
  2. Write the custom alert action script. See Write the script for a custom alert action for Splunk Cloud Platform or Splunk Enterprise.
  3. Create the custom alert action configuration UI. See Create the configuration UI for a custom alert action for Splunk Cloud Platform or Splunk Enterprise.

 Deployment considerations for custom alert actions

In a distributed deployment, custom alert actions run in the search tier. For more information about where to deploy an app's files and knowledge objects, see How deployment architecture affects a Splunk app in Splunk Cloud Platform or Splunk Enterprise.

 Custom alert action examples

The splunk-app-examples repository on GitHub contains the following example app to help you get started creating a custom alert action.

  Example                     Description
  Slack notification alert    Sends a customized message to a Slack channel based on a triggered alert action in the Splunk platform.

Download this example app at splunk-app-examples/custom_alert_actions/slack_alerts/ on GitHub.

 See also