
Logger example for custom alert actions
The logger example implements a custom alert action that does the following:
- Creates a path to a log file when the alert first fires.
- Writes log messages to the log file when the alert fires.
- Writes log information to an existing Splunk Enterprise log file.
Python file for logger example
logger.py implements custom alert actions. This script has been made cross-compatible with Python 2 and Python 3 using python-future.
$SPLUNK_HOME$/etc/apps/logger_app/bin/logger.py
```python
from __future__ import print_function
from builtins import str
import sys, os, datetime

def log(msg):
    # Append a timestamped line to a log file under $SPLUNK_HOME/var/log/splunk
    path = os.path.join(os.environ["SPLUNK_HOME"], "var", "log", "splunk", "test_modalert.log")
    with open(path, "a") as f:
        print(str(datetime.datetime.now().isoformat()), msg, file=f)

# Splunk runs the script with --execute and passes the alert payload on stdin
log("got arguments %s" % sys.argv)
log("got payload: %s" % sys.stdin.read())
# Anything the script writes to stderr is captured in the Splunk Enterprise splunkd.log
print("INFO Hello STDERR", file=sys.stderr)
```
logger.py creates or updates a log file in the following location.
$SPLUNK_HOME$/var/log/splunk/test_modalert.log
The following is a sample of output generated by logger.py when an alert is triggered.
```
2015-03-07T01:41:42.430696 got arguments ['/opt/splunk/etc/apps/logger_app/bin/logger.py', '--execute']
2015-03-07T01:41:42.430718 got payload: <?xml version="1.0" encoding="UTF-8"?>
<alert>
  <app> logger_app </app>
  <owner>admin</owner>
  <results_file>/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0/results.csv.gz</results_file>
  <results_link>http://myserver:8000/app/logger_app/@go?sid=rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0</results_link>
  <server_host>myserver</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>OCmOZHf37O^9fDktTrvNc6Kidz^68zs0Y7scufwRo6Lpdi5ZGmtxsPbIUlUKtjt9ZPG7gKz4Dq8_eVntQ5EGR^N9rqkmg1dREAp8FFCduDwwvl6pEXEB^4w3MS6suwp9acw7JOlb</session_key>
  <sid>rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0</sid>
  <search_name>my_saved_search</search_name>
  <configuration>
    <stanza name=" my_saved_search"/>
  </configuration>
</alert>
```
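Note that the payload carries the session_key of the user who owns the search, so writing it verbatim to test_modalert.log, as the sample script does, leaves a reusable credential on disk. The following added example (not part of the Splunk documentation or the logger_app code) parses the `<alert>` document into a dict and builds a log line with that field masked; the constructed SAMPLE_PAYLOAD, the SENSITIVE tuple and the function names are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed payload modelled on the <alert> document Splunk writes to the
# script's stdin when an alert fires; every value here is illustrative.
SAMPLE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<alert>
  <app> logger_app </app>
  <owner>admin</owner>
  <results_file>/opt/splunk/var/run/splunk/dispatch/sid_example/results.csv.gz</results_file>
  <server_host>myserver</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>SESSION-KEY-PLACEHOLDER</session_key>
  <sid>sid_example</sid>
  <search_name>my_saved_search</search_name>
  <configuration>
    <stanza name=" my_saved_search"/>
  </configuration>
</alert>
"""

# Payload fields that must never reach a log file (assumed list; extend as needed)
SENSITIVE = ("session_key",)

def parse_alert_payload(xml_text):
    """Return the <alert> children as a dict; stanza names go under 'stanzas'."""
    root = ET.fromstring(xml_text)
    if root.tag != "alert":
        raise ValueError("unexpected root element %r" % root.tag)
    fields = {}
    for child in root:
        if child.tag == "configuration":
            fields["stanzas"] = [s.get("name", "").strip() for s in child.findall("stanza")]
        else:
            fields[child.tag] = (child.text or "").strip()
    return fields

def loggable(fields):
    """Copy of the parsed payload with secrets masked, safe to write to disk."""
    return {k: ("<redacted>" if k in SENSITIVE else v) for k, v in fields.items()}

def format_log_line(fields):
    """One-line summary that logger.py's log() could write instead of the raw payload."""
    safe = loggable(fields)
    return "alert %s fired (sid=%s, results=%s, session_key=%s)" % (
        safe.get("search_name"), safe.get("sid"), safe.get("results_file"), safe.get("session_key"))

if __name__ == "__main__":
    print(format_log_line(parse_alert_payload(sys.stdin.read())))
```

Run as `python redact_example.py < payload.xml` to see the masked line; whitespace inside elements, such as the leading space in the stanza name above, is stripped.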
Configuration files for the logger example
The logger example for custom alert actions contains the following configuration files.
File | Description
---|---
alert_actions.conf | Defines the properties of the custom alert action.
app.conf | Package and UI information about the add-on. Required to display information about logger alert actions on the Alert Actions Manager page.
alert_actions.conf
Defines the properties of the custom alert action.
Place the properties in a stanza with the base name of the script that implements the alert actions.
$SPLUNK_HOME$/etc/apps/logger_app/default/alert_actions.conf
```
[logger]
is_custom = 1
# By default, custom alert actions are enabled
#disabled = 1
# The label, description, and icon appear in the alert
# actions dialog when a user configures an alert action
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.jpg
```
app.conf
Defines properties that appear in the Alert Actions Manager page.
```
[ui]
is_visible = 1
label = Mod Alert Tests

[launcher]
author = Splunk
description = Quick examples for testing mod alerts
version = 1.0

[install]
state = enabled
is_configured = 1
```
HTML file for the custom alert action form
The HTML file defines the form elements for the custom alert action in the Splunk Enterprise UI. Best practice is to use markup consistent with the markup provided by Bootstrap. Bootstrap is a free collection of tools that contains HTML and CSS-based design templates.
The base name of the HTML file is the same as the base name of the script that implements the alert action.
$SPLUNK_HOME$/etc/apps/logger_app/default/data/ui/alerts/logger.html
```
<form class="form-horizontal form-complex">
  <p>Write log entries for this action.</p>
</form>
```
Access the logger alert action from Splunk Web
From the home page, select the gear icon next to Apps and browse for the logger custom alert action.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.8, 7.1.7, 7.0.0, 7.3.7, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 7.3.9, 8.0.0, 8.0.1