Use the Notable Event Actions SDK
The Notable Events Action SDK comes packaged with ITSI and is located in $SPLUNK_HOME/etc/apps/SA-ITOA/lib/itsi/event_management/sdk. The SDK is implemented in Python and includes:
- Methods for custom actions on ITSI episodes:
class CustomGroupActionBasein custom_group_action_base.py - Methods for working on an ITSI episode post-custom action:
class EventGroupin grouping.py - Methods for finding metadata for ITSI notable events:
class EventMetain eventing.py - Methods for finding metadata for ITSI episodes:
class GroupMetain grouping.py
Custom actions require a class that derives from CustomGroupActionBase and implements the execute() method. The __init__() method of your class needs to initialize the base class CustomGroupActionBase.
For more information, see the Notable events action SDK reference.
The following is a summary of the custom action Ping Host that ships with ITSI:
class Ping(CustomGroupActionBase):
def __init__(self, settings):
# initialize CustomGroupActionBase
super(Ping, self).__init__(settings, self.logger)
def get_host_to_ping(self):
# from input settings, fetch host to ping
# some logic is abstracted in custom_event_action_base.py
...
return host
def ping(self, host):
#does the act of pinging the host
...
def execute(self):
# has all the logic of ping in here...
host = self.get_host_to_ping()
std_out, std_err = self.ping(host)
# do other stuff here, like add a comment to an ITSI episode
# or add a few tags, and so on....
# change the state of the episode....
for data in self.get_group():
group_id = data.get('itsi_group_id')
group = EventGroup(self.get_session_key(), self.logger)
group.create_comment(itsi_group_id, comment)
group.create_comment(itsi_group_id, out)
group.create_tag(itsi_group_id, 'ping')
return
if __name__=='__main__':
if len(sys.argv) > 1 and sys.argv[1] == '--execute':
input_params = sys.stdin.read()
ping = Ping(input_params)
ping.execute()