I have a working custom alert action that's basically a clone of the webhook action. It works when I set it on one alert specifically, but not if I try to set it via the default stanza in savedsearches.conf. Btool says the config is correct, but the action is not getting run.
$ head -4 savedsearches.conf
[default]
action.send_to_elastic = 1
action.send_to_elastic.param.url = http://targetbox:8080/alert/splunk
$ /opt/splunk/bin/splunk btool --debug savedsearches list 'test web' | grep local | more
/splunk_bundle/etc/apps/search/local/savedsearches.conf [test webhook alert]
/splunk_bundle/etc/apps/search/local/savedsearches.conf action.email.useNSSubject = 1
/splunk_bundle/etc/apps/search/local/savedsearches.conf action.send_to_elastic = 1
/splunk_bundle/etc/apps/search/local/savedsearches.conf action.send_to_elastic.param.url = http://targetbox:8080/alert/splunk
...
Should that work?