This repo includes a Splunk app and a custom alert action.
The main goal of this alert action is to update Splunk's Global Banner as a result of a scheduled search.
This alert action is designated for the system's admins to use in times when a message is to be displayed to all users, for example a general outage that would affect performance.
-
The action requires 1 input:
Message- Banner notification text.
-
The action can also accept 3 optional inputs:
background_color- Indicates the color of the banner: [green | blue | yellow | orange | red |$result.color$].
-->$result.color$is used for assigning dynamic values based on search results. Default: blue.hyperlink- The link included in the banner, must start withhttp://orhttps://.hyperlink_text- Display text for the link in the banner.
- To use the alert action, the user must be admin or either be assigned with the
can_edit_global_bannerrole. (see authorize.conf). - Only one Global Banner could be displayed at a given time.
- The Global Banner will be displayed until it reaches its
expiration_timeoutwhich derives from the field$alert.expires$. Default: 24h (also the max time, longer than that the action is killed).