I'm trying to create a custom alert application. All I want to do right now is to see what kind of parameters I can pull and utilize, so I'm just doing a simple print into a file. I created an app called, say, test, and the script is called showconfiguration. This is my first time making a custom app.
Here's what the directory structure looks like under /opt/splunk/etc/apps/test:
test/
├── appserver
│   └── static
│       └── icon.png
├── bin
│   └── showconfiguration.py
├── default
│   ├── alert_actions.conf
│   ├── app.conf
│   └── data
│       └── ui
│           └── alerts
│               └── showconfiguration.html
├── metadata
│   ├── default.meta
│   └── local.meta
└── README
    └── alert_actions.conf.spec
Here's alert_actions.conf contents:
> [showconfiguration]
> is_custom = 1
> label = Testing Splunk alerting capability
> description = Testing
> icon_path = icon.png
> payload_format = json
> param.trigger_reason = Saved Search [test] number of events ($job.resultCount$)
> param.result_count = $job.resultCount$
> param.one = two
Contents of app.conf:
> [ui]
> is_visible = 0
> label = Alert Tests
>
> [launcher]
> author = Me
> description = Testing splunk alert capability
> version = 0.1
>
> [install]
> state = enabled
> is_configured = 1
And everything is owned by splunk:splunk and I think has the correct permissions.
So I create an alert and set it to run this custom alert. It never runs and I see this error in the splunkd.log:
> 08-29-2018 15:10:40.746 -0400 ERROR sendmodalert - Error in 'sendalert' command: Alert action "showconfiguration" not found.
I don't know what I did wrong here. How do I get sendalert to recognize the showconfiguration script??