GIG: Adding custom fields to the Splunk Alert Actions Integration

From time to time we get a request to add some field or another to the Splunk integration and I thought it wasn't possible... at least until now. So I'm writing this up in the hope that I remember it is here and I can share with anyone who asks. 

So let's get to it. 


The Splunk integration to xMatters uses the Splunk Alert Actions framework to build a payload and send it over to xMatters. There are several moving pieces to this integration and it is hard to keep track of them all. So let's say you want to add two new fields, "user" and "message", both of which are present in the search result. 

First, we'll need to edit the $SPLUNK_HOME/etc/apps/xmatters_alert_actions/default/alert_actions.conf file. Going forward I'm going to reference files relative to the $SPLUNK_HOME/etc/apps/xmatters_alert_actions directory to save your eyeballs. This file maps the variables from Splunk (the $...$ tokens) to the param.* variables passed to the xmatters.py script below. Add the fields here as they are named in Splunk and map each one to a variable the Python script can read, so open this file and add these lines to the end:

param.result.user = $result.user$
param.result.newfield = $result.message$

Then, open the README/alert_actions.conf.spec file. This is the spec file that Splunk validates the alert_actions.conf file above against. It also appears to declare a type for each variable. Add these to the end of the file:

param.result.user = <string>
* Some helpful comment here

param.result.newfield = <string>
* This is actually the $result.message$ field but we're remapping it to newfield in the script for some reason.


Finally, edit the bin/xmatters.py file. This is the Python script that builds the payload and makes the HTTP call into xMatters. The KEYS variable lists exactly which fields will be sent to xMatters. Add the new fields here:


# The keys from the alert to send to the xMatters Event
KEYS = [
    'app',
    'cron.schedule',
    'description',
    'name',
    'next_scheduled_time',
    'owner',
    'results_link',
    'search',
    'trigger.date',
    'trigger.time',
    'type',
    'view_link',
    'alert.expires',
    'result.source',
    'result.host',
    'result.sourcetype',
    'result.splunk_server',
    'result.user',
    'result.newfield'
]


From there, you just need to add "result.user" and "result.newfield" as properties on the xMatters side and then add them to the form.
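Because a new field has to be added in three places (alert_actions.conf, the .spec file and KEYS), a field that is added in one and forgotten in another is simply never sent, with no error. The following is an added example, not code from the xMatters app: it parses constructed excerpts of the two conf files, checks them against the KEYS allow-list, and builds the outgoing properties from a constructed `configuration` dict (the assumption here is that Splunk hands param.* values to the script under that dict with the `param.` prefix stripped), reporting which allow-listed keys were missing.

```python
import re

# Allow-list of alert keys sent to xMatters (bin/xmatters.py KEYS plus the two new fields).
KEYS = [
    'app', 'cron.schedule', 'description', 'name', 'next_scheduled_time',
    'owner', 'results_link', 'search', 'trigger.date', 'trigger.time', 'type',
    'view_link', 'alert.expires', 'result.source', 'result.host',
    'result.sourcetype', 'result.splunk_server', 'result.user', 'result.newfield',
]
# Constructed excerpts of the two conf files edited above (not the shipped files).
ALERT_ACTIONS_CONF = """
param.result.user = $result.user$
param.result.newfield = $result.message$
"""
ALERT_ACTIONS_SPEC = """
param.result.user = <string>
* Some helpful comment here
param.result.newfield = <string>
"""
PARAM_RE = re.compile(r'^param\.([\w.]+)\s*=\s*(.*?)\s*$')

def param_names(conf_text):
    """Param names with the 'param.' prefix stripped, e.g. {'result.user', ...}."""
    names = set()
    for line in conf_text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def check_consistency(conf_text, spec_text, keys):
    """Fields added in one place but not the others: a param in alert_actions.conf
    but not in KEYS is never sent; one missing from the .spec is not validated."""
    conf, spec = param_names(conf_text), param_names(spec_text)
    return {'not_in_keys': sorted(conf - set(keys)), 'not_in_spec': sorted(conf - spec)}

def build_properties(configuration, keys):
    """Select only allow-listed keys from the alert action's `configuration` dict
    (assumption: Splunk passes param.* values there with the 'param.' prefix
    stripped). Keys that are absent are returned too, so a dropped field is visible."""
    properties = {k: configuration[k] for k in keys if k in configuration}
    missing = [k for k in keys if k not in configuration]
    return properties, missing

# Constructed sample of what the alert action receives for one search result.
SAMPLE_CONFIGURATION = {
    'app': 'search', 'name': 'Disk nearly full', 'result.host': 'web01',
    'result.user': 'jdoe', 'result.newfield': 'disk usage at 95%',
}
```

Running check_consistency before deploying the app catches the case where a field was added to alert_actions.conf but not to KEYS, which otherwise shows up only as an empty property in xMatters.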

The really cool thing about this is that you can even use these fields in the recipients field. For example, if your search result contains a "user" field, you can enter it directly into the recipients box of the Alert Action on the Splunk side as the user (or group) to target!

Huge thanks to Rob for his help with this! 
