Alert Action Scripts
The following files would be created/ updated in the output folder once you executed the ucc-gen
command:
File Location | Content Description | Action |
---|---|---|
output/<YOUR_ADD-ON_NAME>/bin/<NAME_OF_THE_ALERT>.py | The logic that will be executed when the alert action would be executed. | Created |
output/<YOUR_ADD-ON_NAME>/default/alert_actions.conf | Helps Splunk determine the parameters supported by the alert action when using sendalert Splunk command. |
A stanza with the name as <NAME_OF_THE_ALERT> is created in this conf file. |
output/<YOUR_ADD-ON_NAME>/default/data/ui/alerts/<NAME_OF_THE_ALERT>.html | HTML page of the Alert Action that will be rendered in the UI. | Created |
In the python file that is created, below are the methods that you can use or override for varying use cases:
process_event()
- This is the start point of where you require to write the logic of sending data from Splunk to any other
service via its APIs. Additionally, you can validate the parameters that are provided in the alert action
as client side validation (via JavaScript) isn’t allowed in Splunk’s alert action’s HTML page for
security reasons.
Note: This method must be overwritten.
- This is the start point of where you require to write the logic of sending data from Splunk to any other
service via its APIs. Additionally, you can validate the parameters that are provided in the alert action
as client side validation (via JavaScript) isn’t allowed in Splunk’s alert action’s HTML page for
security reasons.
get_events()
-> List[dict]- Used to get the events that triggered the alert. It returns a list of dictionary. A dictionary points to an event that triggered the alert, and each dictionary has the fields extracted by Splunk.
addevent(raw: str, sourcetype: str)
- If you are bringing additional information from an outer service, you can write that information using this method. You write a single record using the method. This method will append all the records and will dump it to Splunk when
writeevents()
method is called.
- If you are bringing additional information from an outer service, you can write that information using this method. You write a single record using the method. This method will append all the records and will dump it to Splunk when
writeevents(index: str, host: str, source: str)
- All the events added to the queue using
addevent()
method are written to Splunk with the details passed in the arguments.
- All the events added to the queue using
An example of a script with validations:
import import_declare_test
import sys
from splunktaucclib.alert_actions_base import ModularAlertBase
from splunk_ta_uccexample import modalert_test_alert_helper
class AlertActionWorkertest_alert(ModularAlertBase):
def __init__(self, ta_name, alert_name):
super(AlertActionWorkertest_alert, self).__init__(ta_name, alert_name)
def validate_params(self):
if not self.get_param("name"):
self.log_error('name is a mandatory parameter, but its value is None.')
return False
if not self.get_param("action"):
self.log_error('action is a mandatory parameter, but its value is None.')
return False
if not self.get_param("account"):
self.log_error('account is a mandatory parameter, but its value is None.')
return False
return True
def process_event(self, *args, **kwargs):
status = 0
try:
if not self.validate_params():
return 3
status = modalert_test_alert_helper.process_event(self, *args, **kwargs)
except (AttributeError, TypeError) as ae:
self.log_error("Error: {}. Please double check spelling and also verify that a "
"compatible version of Splunk_SA_CIM is installed.".format(str(ae)))
return 4
except Exception as e:
msg = "Unexpected error: {}."
if str(e):
self.log_error(msg.format(str(e)))
else:
import traceback
self.log_error(msg.format(traceback.format_exc()))
return 5
return status
if __name__ == "__main__":
exitcode = AlertActionWorkertest_alert("Splunk_TA_UCCExample", "test_alert").run(sys.argv)
sys.exit(exitcode)
In this example, modalert_test_alert_helper
’s process_event()
method contains the logic of the actions to be
performed when the alert is triggered. It could either be fetch additional information from a service
into Splunk or to send any data from Splunk to a service via its APIs.
Custom Script for Alert Action¶
Alternatively, you can provide the process_event()
and validate_params()
in the script you mentioned in
the customScript
parameter in the globalConfig. If the parameter isn’t provided in the globalConfig, UCC framework would provide a boiler plate code that you can leverage in writing your logic for alert action.
This script should be present at <YOUR_ADD-ON_REPOSITORY_PACKAGE>/bin/
in your respository and it should
have process_event()
function defined. An example declaration could be:
def my_custom_validation(helper):
# custom validation logic for the params that are passed
return 0 # for successful custom validations
def process_event(helper, *args, **kwargs):
if not my_custom_validation(helper):
return 3
helper.log_info("Alert action test_alert started.")
# TODO: Implement your alert action logic here
# if clean execution, return 0,
# else non-zero number
return 0
This function then can have validations and the alert action logic required for your add-on. The preliminary check for required field validations is already provided by the UCC framework. However, if you have any other validations or pre-checks, you can call that function from process_event()
.
The helper
variable would be an object of splunktaucclib.alert_actions_base.ModularAlertBase
class.
This script would be then be copied to output/
directory after you execute the ucc-gen
command.