Splunk® Enterprise

Developing Views and Apps for Splunk Web

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Logger example for custom alert actions

The logger example implements a custom alert action that does the following:

  • Creates a path to a log file when the alert first fires.
  • Writes log messages to the log file when the alert fires.
  • Writes log information to an existing Splunk Enterprise log file.

Python file for logger example

logger.py implements custom alert actions. This script has been made cross-compatible with Python 2 and Python 3 using python-future.

$SPLUNK_HOME$/etc/apps/logger_app/bin/logger.py 

from __future__ import print_function
from builtins import str
import sys, os, datetime

def log(msg):
    f = open(os.path.join(os.environ["SPLUNK_HOME"], "var", "log", "splunk", "test_modalert.log"), "a")
    print(str(datetime.datetime.now().isoformat()), msg, file=f)
    f.close()

log("got arguments %s" % sys.argv)
log("got payload: %s" % sys.stdin.read())

print("INFO Hello STDERR", file=sys.stderr)

logger.py creates or updates a log file in the following location.

$SPLUNK_HOME$/var/log/splunk/test_modalert.log

The following is a sample of output generated by logger.py when an alert is triggered. 

2015-03-07T01:41:42.430696 got arguments ['/opt/splunk/etc/apps/logger_app/bin/logger.py', '--execute']
2015-03-07T01:41:42.430718 got payload: <?xml version="1.0" encoding="UTF-8"?>
<alert>
  <app> logger_app </app>
  <owner>admin</owner>
  <results_file>/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0/results.csv.gz</results_file>
  <results_link>http://myserver:8000/app/logger_app/@go?sid=rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0</results_link>
  <server_host>myserver</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>OCmOZHf37O^9fDktTrvNc6Kidz^68zs0Y7scufwRo6Lpdi5ZGmtxsPbIUlUKtjt9ZPG7gKz4Dq8_eVntQ5EGR^N9rqkmg1dREAp8FFCduDwwvl6pEXEB^4w3MS6suwp9acw7JOlb</session_key>
  <sid>rt_scheduler__admin__ logger_app__RMD5910195c23186c103_at_1425692383_0.0</sid>
  <search_name>my_saved_search</search_name>
  <configuration>
    <stanza name=" my_saved_search"/>
  </configuration>
</alert>

Configuration files for the logger example

The logger example for custom alert actions contains the following configuration files.


File Description
alert_actions.conf Define the properties of the custom alert action.
app.conf Package and UI information about the add-on.

Required to display information about logger alert actions on the Alert Actions Manager page.

alert_actions.conf

Defines the properties of the custom alert action.

Place the properties in a stanza with the base name of the script that implements the alert actions.

$SPLUNK_HOME$/etc/apps/logger_app/default/alert_actions.conf 

[logger]
is_custom = 1

#By default, custom alert actions are enabled
#disabled = 1

# The label, description, and icon appear in the alert 
# actions dialog when a user configures an alert action
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.jpg

app.conf

Defines properties that appear in the Alert Actions Manager page. 

[ui]
is_visible = 1
label = Mod Alert Tests

[launcher]
author = Splunk
description = Quick examples for testing mod alerts
version = 1.0

[install]
state = enabled
is_configured = 1

HTML file for the custom alert action form

The HTML file defines the form elements for the custom alert action in the Splunk Enterprise UI. Best practice is to use markup consistent with the markup provided by Bootstrap. Bootstrap is a free collection of tools that contains HTML and CSS-based design templates.

The base name of the HTML file is the same as the base name of script that implements the alert action.

$SPLUNK_HOME$/etc/apps/logger_app/default/data/ui/alerts/logger.html 

<form class="form-horizontal form-complex">
    <p>Write log entries for this action.</p>
</form>

Access the logger alert action from Splunk Web

From the home page, select the gear icon next to Apps and browse for the logger custom alert action.

Last modified on 13 August, 2019
PREVIOUS
Convert a script alert action to a custom alert action 		  NEXT
HipChat example for custom alert actions

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.4, 7.0.10, 7.0.11, 7.0.13, 6.3.1, 7.0.3, 7.0.6, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 7.0.5, 7.0.7, 7.0.8

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters