The RADAR Alert Action Add-on allows Splunk to create incidents in RADAR.
To use the RADAR Alert Action Add-on, you will need a RADAR API token with Incidents Write scope. You can create a token as a top-level RADAR administrator, or ask your local administrator to provide one for you.
To install the RADAR Alert Action Add-on, follow the instructions in the Splunk Add-ons documentation. Once the add-on is installed, perform the following steps:
If you want a different default name or description for an incident, you can change this system-wide setting by manually editing a configuration file and restarting Splunk.
The default values are defined in $SPLUNK_HOME/etc/apps/radar_alert_action/default/alert_actions.conf, but your changes go into the local configuration file that overrides these defaults: $SPLUNK_HOME/etc/apps/radar_alert_action/local/alert_actions.conf.
If this file does not already exist, create it with contents such as the following:
[radar]
param.radar_incident_name = New default name for created incidents
param.radar_incident_description = New default description for created incidents
Important: Overriding default configuration values will affect any existing alerts that used the previous defaults.
The RADAR Alert Action Add-on uses HTTPS to securely communicate with Splunk and RADAR. Typically, a Splunk instance should be configured with an SSL certificate chain signed by a trusted certificate authority. When configured in this manner, HTTPS requests should succeed without additional configuration or intervention.
If you need to run Splunk and the RADAR Alert Action Add-on on a host without a trusted certificate authority chain, you have two options. Both of these are less secure than the recommended default and should only be implemented if you understand the security implications. The options are described in the following sections, although we strongly recommend taking the time to configure your system securely.
See the Splunk documentation about SSL for more on this topic.
If you experience SSL certificate verification errors, the most straightforward option is to disable certificate verification. Only use this option if absolutely necessary, as disabling verification will remove a layer of security that is important for secure communications.
To disable certificate verification entirely, set the environment variable RADAR_SPLUNK_SKIP_SSL_VERIFY to any value (such as 1) when starting or restarting Splunk. For example:
RADAR_SPLUNK_SKIP_SSL_VERIFY=1 $SPLUNK_HOME/bin/splunk start
or
RADAR_SPLUNK_SKIP_SSL_VERIFY=1 $SPLUNK_HOME/bin/splunk restart
Once this is done, internal HTTPS requests between the RADAR Alert Action Add-on and Splunk will proceed without certificate verification. This should resolve any SSL-related errors that arise when configuring or using the add-on.
Splunk provides a set of default certificates that can be used out of the box. The certificates are self-signed, meaning they are not signed by a trusted certificate authority. Although not as secure as trusted certificates, using the default certificates is an option that can be made to work if for some reason you cannot set up a properly secured certificate and do not want to disable verification entirely.
The process of adding certificates will depend on your system and can be troublesome to get right. Here are some tips that may be useful:
$SPLUNK_HOME/etc/auth/cacert.pem
REQUESTS_CA_BUNDLE=$SPLUNK_HOME/etc/auth/cacert.pem splunk start
$SPLUNK_HOME/var/log/splunk/splunkd.log for more information. Of course, you can always contact us with any questions and we will do our best to help.
If you see an error page that displays a 500 Internal Server Error when attempting to access the configuration page for the RADAR Alert Action Add-on, one possible cause is SSL certificate verification failure. You can check $SPLUNK_HOME/var/log/splunkd.log for diagnostic output to help determine if this is the case. If so, please see the above sections under SSL Certificate Verification for instructions.
If you continue to see 500 errors or other kinds of failure messages in splunkd.log, or are unable to resolve the problem with the instructions in this document, please contact RADAR.
When you click Save on the add-on configuration page, the system connects to RADAR to verify the provided API token. If you receive an error, please double-check that your token was set up with the Incidents Write check box selected and that it has been copied and pasted correctly.
If expected incidents do not appear in RADAR, check the following to narrow down the problem.
Every attempt to create an incident will be mentioned in $SPLUNK_HOME/var/log/splunkd.log. Check this file to confirm that incident creation is being attempted, keeping an eye out for any errors that may have been logged in case of failure.
It can also be helpful to monitor triggered alerts to confirm whether triggers are happening when expected. You can set this up in Splunk by adding an alert to a list of triggered alerts.
When you add an alert to a list of triggered alerts, you can see records of recently triggered alerts from the Triggered Alerts page or from an Alert Details page. Any alerts that would have created incidents in RADAR will display here.
If you continue to experience issues, please contact RADAR and we will be happy to help.
Please feel free to contact RADAR for assistance with any questions about using the RADAR Alert Action Add-on.
Email: support@radarfirst.com
Phone: 855-733-9888
The RADAR Alert Action Add-on is a licensed product of RADAR, Inc.