Splunk® Enterprise

Developing Views and Apps for Splunk Web


Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

KV Store integration for custom alert actions

Integrate custom alert actions with the KV Store

Integrate custom alert actions with the KV Store to track state and implement complex workflows. Here are some example use cases for KV Store integration.

  • Alert queue for review and approval. To defer immediate alert actions, use the KV Store as a queue for alert action requests. Send alert action parameters, metadata, or an invocation string to the KV Store. Admin or other authorized users can review and approve queued alert action requests.
  • Alert action throttling. Use the KV Store to track and retrieve state, such as most recent alert actions or an alert action count. An alert action script with custom throttling logic can use state information to suppress or run alert actions.
  • Logic to create and update service tickets. Use a custom alert action script to create or update service tickets when an alert triggers. The script can log alerts and ticket information in the KV Store. When a new alert triggers, the script can check the KV Store for ticket history on similar alerts. If a ticket already exists for an alert with similar properties, then the script can update the ticket. If no ticket exists, the script can file a new one.

Example code

Here is a code selection from a KV Store custom alert action script. The script reads the alert action payload from stdin, fetches one record from a KV Store collection through the splunkd REST API, sets one field, and posts the record back. This script has been made cross-compatible with Python 2 and Python 3 using python-future.

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()

import sys
import json
import urllib.request, urllib.parse, urllib.error

def request(method, url, data, headers):
    """Helper function to fetch JSON data from the given URL"""
    req = urllib.request.Request(url, data, headers)
    req.get_method = lambda: method
    res = urllib.request.urlopen(req)
    return json.loads(res.read().decode('utf-8'))

# The alert action payload arrives as a JSON document on stdin
payload = json.loads(sys.stdin.read())

config = payload.get('configuration', dict())
collection = config.get('collection')
record_name = config.get('name')
field = config.get('field')
value = config.get('value')

# Build the URL for the Splunkd REST endpoint. KV Store collections are
# app-scoped, so the owner segment is 'nobody'. Every segment that comes from
# the alert configuration is URL-quoted so it cannot alter the request path.
url_tmpl = '%(server_uri)s/servicesNS/%(owner)s/%(app)s/storage/collections/data/%(collection)s/%(name)s?output_mode=json'
record_url = url_tmpl % dict(
    server_uri=payload.get('server_uri'),
    owner='nobody',
    app=urllib.parse.quote(config.get('app') if 'app' in config else payload.get('app')),
    collection=urllib.parse.quote(collection),
    name=urllib.parse.quote(record_name))
print('DEBUG Built kvstore record url=%s' % record_url, file=sys.stderr)

# Authenticate with the session key passed in the payload (never log it)
headers = {
    'Authorization': 'Splunk %s' % payload.get('session_key'),
    'Content-Type': 'application/json'}

# Fetch the record from the kvstore collection
try:
    record = request('GET', record_url, None, headers)
    print("DEBUG Retrieved record:", json.dumps(record), file=sys.stderr)
except urllib.error.HTTPError as e:
    print('ERROR Failed to fetch record at url=%s. Server response: %s' % (
        record_url, json.dumps(json.loads(e.read().decode('utf-8')))), file=sys.stderr)
    sys.exit(2)

# Update the record with the user supplied field value
data = {field: value}
record.update(data)

print('INFO Updating kvstore record=%s in collection=%s with data=%s' % (
    record_name, collection, json.dumps(data)), file=sys.stderr)

# Send the updated record to the server (the request body must be bytes)
try:
    response = request('POST', record_url, json.dumps(record).encode('utf-8'), headers)
    print('DEBUG server response:', json.dumps(response), file=sys.stderr)
except urllib.error.HTTPError as e:
    print('ERROR Failed to update record:', json.dumps(json.loads(e.read().decode('utf-8'))), file=sys.stderr)
    sys.exit(3)

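As an added example (not from the Splunk documentation or any Splunk app), the following Python 3 script implements the alert action throttling use case from the list above on top of the same splunkd REST endpoint the script uses: it keeps a per-key firing count in a KV Store collection and suppresses the action once the count within a window exceeds a limit. The `FakeKVStore` class, the `alert_throttle` collection name and the `throttle_key`, `window_seconds` and `max_per_window` configuration parameters are assumptions for illustration; `batch_save` is the real KV Store endpoint that inserts or replaces records by `_key`. It also quotes every configured path segment with `safe=''`, so a collection or record name containing `/`, `?` or `#` cannot redirect the request to a different REST path.

```python
from __future__ import print_function
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# splunkd REST path for a KV Store collection. Collections are app-scoped, so the
# owner segment is always 'nobody'. The batch_save endpoint upserts by _key.
COLLECTION_TMPL = '%(server_uri)s/servicesNS/nobody/%(app)s/storage/collections/data/%(collection)s'


def collection_url(payload, collection):
    """Build the collection URL from the alert payload. Every segment that comes
    from alert configuration is quoted with safe='' so that '/', '?' or '#' in a
    configured name cannot change which REST path the request reaches."""
    config = payload.get('configuration', {})
    return COLLECTION_TMPL % dict(
        server_uri=payload['server_uri'],
        app=urllib.parse.quote(config.get('app') or payload['app'], safe=''),
        collection=urllib.parse.quote(collection, safe=''))


class SplunkdKVStore(object):
    """Minimal KV Store client, authenticated with the session key from the payload."""

    def __init__(self, session_key):
        self.headers = {'Authorization': 'Splunk %s' % session_key,
                        'Content-Type': 'application/json'}

    def get_record(self, coll_url, key):
        url = '%s/%s?output_mode=json' % (coll_url, urllib.parse.quote(key, safe=''))
        try:
            res = urllib.request.urlopen(urllib.request.Request(url, None, self.headers))
            return json.loads(res.read().decode('utf-8'))
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return None  # no state stored yet for this key
            raise

    def save_record(self, coll_url, key, record):
        body = json.dumps([dict(record, _key=key)]).encode('utf-8')
        req = urllib.request.Request(coll_url + '/batch_save', body, self.headers)
        urllib.request.urlopen(req).read()


class FakeKVStore(object):
    """Constructed in-memory stand-in with the same interface, so the throttling
    logic can be exercised offline (hypothetical, not a Splunk component)."""

    def __init__(self):
        self.records = {}

    def get_record(self, coll_url, key):
        return self.records.get((coll_url, key))

    def save_record(self, coll_url, key, record):
        self.records[(coll_url, key)] = dict(record, _key=key)


def throttle(store, coll_url, key, now, window_seconds, max_per_window):
    """Count firings per key inside a fixed window whose state lives in the KV Store.
    Returns True when this firing exceeds max_per_window and must be suppressed."""
    state = store.get_record(coll_url, key) or {}
    start = state.get('window_start')
    if start is None or now - start >= window_seconds:
        state = {'window_start': now, 'count': 0}  # open a new window
    state['count'] = state.get('count', 0) + 1
    store.save_record(coll_url, key, state)
    return state['count'] > max_per_window


def main():
    payload = json.loads(sys.stdin.read())
    config = payload.get('configuration', {})
    store = SplunkdKVStore(payload['session_key'])
    url = collection_url(payload, config.get('collection', 'alert_throttle'))
    # Hypothetical action parameters, as they would be declared in alert_actions.conf
    key = '%s|%s' % (payload.get('search_name', ''), config.get('throttle_key', ''))
    suppressed = throttle(store, url, key, time.time(),
                          int(config.get('window_seconds', 3600)),
                          int(config.get('max_per_window', 3)))
    if suppressed:
        print('INFO Suppressed alert action for key=%s' % key, file=sys.stderr)
    else:
        print('INFO Running alert action for key=%s' % key, file=sys.stderr)
        # perform the real action (ticket, notification, ...) here
    return 0


if __name__ == '__main__':
    sys.exit(main())
```

The decision logic is kept separate from the transport so it can be tested against the in-memory store; with a 60-second window and a limit of 2, firings at 0, 10, 20, 30 and 100 seconds yield run, run, suppress, suppress, run, and the stored record after the last call holds the new window start and a count of 1.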
Last modified on 13 August, 2019

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.8, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 7.3.7, 7.3.9, 8.0.1, 8.0.10
