
I am working on an add-on to collect event results based on an alert and send them to an API endpoint. Once the response is a success, the endpoint returns a success message in JSON format, and I want to store it in a custom index and sourcetype.

I tried using the code below, but the data is written to the Main index instead of my custom index. Is there a way to write the event into a custom index for an alert action built via the Splunk Add-on Builder?

helper.addevent("hello", sourcetype="customsource")
helper.addevent("world", sourcetype="customsource")
helper.writeevents(index="mycustomindex", host="localhost", source="localhost")
warren
Naresh Kumar
  • What language are you using? Is the HEC set up properly? Do any *other* submissions work as expected? Do you have proper permissions on the index? – warren Sep 30 '20 at 21:02
  • I used Splunk Add-on Builder to create my add-on and I use Python to perform the API connection. I used the default script when we create an alert action via Splunk Add-on Builder. The document on the Splunk website states to use the mentioned script to write the event, but it is writing it under the Main index even though I have given my custom index. – Naresh Kumar Oct 01 '20 at 01:16
  • You sure you have the index name correct? – warren Oct 01 '20 at 14:18
  • @warren yes the index name is correct. – Naresh Kumar Oct 01 '20 at 14:24
  • Had a session with Splunk to check whether it is possible or not. They confirmed that it is not possible to write the event back to a custom index since the current code writes the data as stash, which will not be considered under license. So I have created an HEC-based API call to store the data to achieve my requirement. – Naresh Kumar Oct 05 '20 at 13:02

1 Answer

Had a session with Splunk to check whether it is possible or not. They confirmed that it is not possible to write the event back to a custom index since the current code writes the data to the Main index as stash, which will not be considered under license. So I have created an HEC-based API call to store the data to achieve my requirement.

Naresh Kumar
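
The HEC-based workaround described in the answer, as an added example that is not the poster's code: the target index and sourcetype are set in the JSON payload sent to the HTTP Event Collector, and the token goes in the `Authorization` header over TLS. The base URL, the token placeholder and the function names are assumptions; `mycustomindex` and `customsource` come from the question.

```python
import json
import ssl
import urllib.request

HEC_PATH = "/services/collector/event"  # HEC endpoint for JSON-formatted events


def build_hec_request(base_url, token, event, index, sourcetype,
                      host=None, source=None):
    """Build the POST for one event; index and sourcetype travel in the payload."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send the HEC token over a non-TLS URL")
    payload = {"event": event, "index": index, "sourcetype": sourcetype}
    if host:
        payload["host"] = host
    if source:
        payload["source"] = source
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def hec_accepted(body):
    """HEC answers {"text": "Success", "code": 0} when the event is accepted."""
    try:
        return json.loads(body).get("code") == 0
    except (ValueError, AttributeError):
        return False


def send_event(req, ca_file=None, timeout=10):
    """Send with certificate verification on; ca_file is for a private CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return hec_accepted(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values: hypothetical host and a placeholder token.
    req = build_hec_request("https://splunk.example.com:8088", "<HEC_TOKEN>",
                            {"status": "success"}, "mycustomindex", "customsource")
    print(req.full_url, req.data.decode())
```

The HEC token has to be allowed to write to the target index, otherwise HEC rejects the event with an error response and `urlopen` raises `HTTPError`. In an alert action, read the token from the add-on's stored credentials rather than embedding it in the script.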