Splunk® Enterprise

Developing Views and Apps for Splunk Web


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Optional custom alert action components

These items are optional, but you can add them to an app for additional functionality.

Spec files

Create an alert_actions.conf.spec and/or a savedsearches.conf.spec file to describe new custom parameters in the alert_actions.conf or savedsearches.conf configuration files. Spec files are used for documentation and configuration file validation. Place spec files in a README directory within the app package.

For information on writing a spec file, see Writing valid spec files. You can also see Structure of a spec file. These topics address spec files for Modular Inputs, but are generally applicable for custom alert action apps.

App setup

You can add a setup page to populate global configuration settings such as server addresses or credentials. A setup page is a page in your app that displays the first time your users launch the app. The setup page provides an interface in Splunk Web that allows your users to configure app settings.

For more information, see Enable first-run configuration with setup pages in Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal.

Metadata files

Use default.meta to define permissions and scope for alert actions. Typically you want to export the alert action globally. Here is an example configuration.


[]
# Allow all users to read this app's contents.
# Allow only admin users to share objects into this app.
access = read : [ * ], write : [ admin ]

[alert_actions]
# export actions globally
export = system

[alerts]
export = system

For more information, see the default.meta.conf reference in the Admin manual.

Validation rules

Place validation rules for new parameters in restmap.conf. These rules validate any new parameters and send error messages if validation rules are not met. Dynamic or external validation is not currently supported.

Here is an example of validation rules in restmap.conf.

[validation:savedsearch]
action.webhook.param.url = validate( match('action.webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

For more information, see the savedsearches.conf and restmap.conf references in the Admin manual.
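The rule above checks only the shape of the value, and restmap.conf cannot do dynamic validation, so an alert script can re-check the URL when the action runs. The following is an added example, not Splunk's own code; the allowlist, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The pattern used by the restmap.conf rule above.
PAGE_RULE = re.compile(r"^https?://[^\s]+$")

def passes_page_rule(url):
    """True if the URL would satisfy the restmap.conf validate() rule."""
    return PAGE_RULE.match(url) is not None

def runtime_check(url, allowed_hosts):
    """Return a list of problems; an empty list means the URL is acceptable.

    allowed_hosts is a hypothetical allowlist maintained by the app owner.
    """
    if not passes_page_rule(url):
        return ["does not match the restmap.conf pattern"]
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        problems.append("host is a non-public IP address")
    if host not in allowed_hosts:
        problems.append("host is not on the allowlist")
    return problems

# Constructed sample values, not taken from any real deployment.
ALLOWED = {"hooks.example.com"}
SAMPLES = [
    "https://hooks.example.com/services/T000/B000",
    "http://hooks.example.com/services/T000/B000",
    "https://user:pw@hooks.example.com/x",
    "https://127.0.0.1:8089/services",
    "ftp://hooks.example.com/x",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, passes_page_rule(url), runtime_check(url, ALLOWED))
```

The second, third and fourth samples all pass the restmap.conf pattern, which is why the run-time check reports them separately.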

Confidential information storage

To store confidential information such as passwords, API keys, or other credentials, you can use the app password storage endpoint, storage/passwords. This allows you to populate a password storage entry via setup. Passwords are stored in encrypted form. You can use the session_key in the alert script to call back to splunkd and fetch cleartext information when the alert action is triggered.

For more information, see the storage/passwords endpoint documentation in the REST API Reference Manual.

  • Note: Confidential information storage only works for setup-time configuration and does not work for instance settings created via the alert dialog in the Splunk Web search user interface.
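A sketch of the callback described above, as an added example rather than Splunk's own code: the alert script reads session_key and server_uri from its payload and requests one storage/passwords entry. It assumes payload_format = json in alert_actions.conf; the app name, realm, username and sample reply are hypothetical values constructed for illustration.

```python
import json
import sys
import urllib.parse
import urllib.request

# Hypothetical names: substitute the app and the realm/username saved at setup.
APP, REALM, USER = "my_alert_app", "my_alert_app", "api_user"

def build_request(server_uri, session_key, app=APP, realm=REALM, user=USER):
    """Build the authenticated GET for one storage/passwords entry."""
    # Entry names have the form "<realm>:<username>:".
    name = urllib.parse.quote(f"{realm}:{user}:", safe="")
    url = (f"{server_uri}/servicesNS/nobody/{app}"
           f"/storage/passwords/{name}?output_mode=json")
    return urllib.request.Request(
        url, headers={"Authorization": f"Splunk {session_key}"})

def extract_secret(response_body):
    """Return clear_password from the JSON reply; raise if it is absent."""
    entries = json.loads(response_body).get("entry", [])
    if len(entries) != 1 or "clear_password" not in entries[0].get("content", {}):
        raise LookupError("credential not found in storage/passwords")
    return entries[0]["content"]["clear_password"]

def fetch_secret(payload):
    """payload is the JSON document splunkd writes to the script's stdin."""
    req = build_request(payload["server_uri"], payload["session_key"])
    # Assumes splunkd's management-port certificate is trusted by this
    # Python runtime; certificate verification stays enabled.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_secret(resp.read())

# Constructed reply in the shape returned with output_mode=json.
SAMPLE_REPLY = json.dumps({"entry": [{
    "name": "my_alert_app:api_user:",
    "content": {"realm": "my_alert_app", "username": "api_user",
                "clear_password": "constructed-secret"}}]})

if __name__ == "__main__" and len(sys.argv) > 1 and sys.argv[1] == "--execute":
    secret = fetch_secret(json.load(sys.stdin))
    # Use the secret for the outbound call here. Keep it and the session_key
    # out of stdout, stderr and log files.
```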

Alert action icon file

You can include an icon file to represent the alert action separately from the app in Splunk Web. For example, users see the alert action icon in the dropdown menu for configuring an alert action. Place this icon file in the <app_name>/appserver/static static assets directory along with the app icon file. Ensure that the alert stanza in alert_actions.conf includes an icon_path parameter that matches the icon file name. The best practice is to use a 48 x 48 px PNG file. The icon displays at 24 x 24 pixels.

The custom alert action icon is not the same as the app icon that appears on Splunkbase. To use the Splunkbase app icon for the custom alert action icon in Splunk Web, specify appIcon.png as the icon_path value.

It is recommended to name this icon file after the alert action. For example, you can use my_alert_action_icon.png.

Last modified on 30 November, 2021

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.8, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 7.3.7, 7.3.9, 8.0.1, 8.0.10
