Optional custom alert action components
These items are optional, but you can add them to an app for additional functionality.
alert_actions.conf.spec and/or a savedsearches.conf.spec file to describe new custom parameters in the savedsearches.conf configuration files. Spec files are used for documentation and configuration file validation. Place spec files in a README directory within the app package.
For information on writing a spec file, see Writing valid spec files. You can also see Structure of a spec file. These topics address spec files for Modular Inputs, but are generally applicable for custom alert action apps.
You can add a setup page to populate global configuration settings such as server addresses or credentials. A setup page is a page in your app that displays the first time your users launch the app. The setup page provides an interface in Splunk Web that allows your users to configure app settings.
For more information, see Enable first-run configuration with setup pages in Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal.
default.meta to define permissions and scope for alert actions. Typically you want to export the alert action globally. Here is an example configuration.
# Allow all users to read this app's contents.
# Allow only admin users to share objects into this app.
access = read : [ * ], write : [ admin ]

[alert_actions/logger]
# export actions globally
export = system

[alerts]
export = system
For more information, see the default.meta.conf reference in the Admin manual.
Place validation rules for new parameters in
These rules validate any new parameters and send error messages if validation rules are not met. Dynamic or external validation is not currently supported.
Here is an example of validation rules in
[validation:savedsearch]
action.webhook.param.url = validate( match('action.webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")
Confidential information storage
To store confidential information such as passwords, API keys, or other credentials, you can use the app password storage endpoint, storage/passwords. This allows you to populate a password storage entry through setup. Passwords are stored in encrypted form. You can use the session_key in the alert script to call back to splunkd and fetch the cleartext information when the alert action is triggered.
For more information, see the storage/passwords endpoint documentation in the REST API Reference Manual.
- Note: Confidential information storage only works for setup-time configuration and does not work for instance settings created through the alert dialog in the Splunk Web search user interface.
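The callback described above, sketched as an added example (not code from the original page or from Splunk). It assumes the alert script is invoked with --execute and receives a JSON payload on stdin containing session_key and server_uri; the app, realm, and credential names are hypothetical.

```python
import json
import sys
import urllib.parse
import urllib.request

APP = "my_alert_app"        # hypothetical app name
REALM = "my_alert_realm"    # hypothetical realm chosen at setup time
USERNAME = "api_user"       # hypothetical credential name


def build_password_request(payload, app=APP, realm=REALM, username=USERNAME):
    """Build the GET request for one storage/passwords entry."""
    # Entries are named "<realm>:<username>:"; quote it as one path segment.
    entry = urllib.parse.quote(f"{realm}:{username}:", safe="")
    url = (f"{payload['server_uri']}/servicesNS/nobody/{app}"
           f"/storage/passwords/{entry}?output_mode=json")
    # The session key authenticates the callback to splunkd.
    headers = {"Authorization": f"Splunk {payload['session_key']}"}
    return urllib.request.Request(url, headers=headers)


def extract_clear_password(body):
    """Return clear_password from the JSON response, or raise if absent."""
    entries = json.loads(body).get("entry", [])
    if len(entries) != 1 or "clear_password" not in entries[0].get("content", {}):
        raise LookupError("credential not found in storage/passwords")
    return entries[0]["content"]["clear_password"]


def fetch_secret(payload, ssl_context=None):
    """Call back to splunkd; pass an ssl.SSLContext that trusts splunkd's CA."""
    req = build_password_request(payload)
    with urllib.request.urlopen(req, context=ssl_context, timeout=10) as resp:
        return extract_clear_password(resp.read())


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.loads(sys.stdin.read())
        try:
            secret = fetch_secret(payload)
        except Exception as exc:
            # Log the failure type only; never the session key or the secret.
            print(f"ERROR credential lookup failed: {type(exc).__name__}",
                  file=sys.stderr)
            sys.exit(2)
        # Use `secret` for the outbound call here; do not print or persist it.
```

The cleartext value exists only in the script's memory for the duration of the alert action, so keep it out of log output and out of any results written back to Splunk.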
Alert action icon file
You can include an icon file to represent the alert action separately from the app in Splunk Web. For example, users see the alert action icon in the dropdown menu for configuring an alert action. Place this icon file in the <app_name>/appserver/static static assets directory along with the app icon file. Ensure that the alert stanza in alert_actions.conf includes an icon_path parameter that matches the icon file name.
The best practice is to use a 48 x 48 px PNG file. The icon displays at 24 x 24 pixels.
The custom alert action icon is not the same as the app icon that appears on Splunkbase. To use the Splunkbase app icon for the custom alert action icon in Splunk Web, specify appIcon.png as the
It is recommended to name this icon file after the alert action. For example, you can use
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2105, 8.2.2106, 8.2.2109, 8.2.2107, 8.2.2111, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203 (latest FedRAMP release), 9.0.2205, 9.0.2208