I’m automating Splunk alerts via Terraform, integrating with Jira. The ‘$search$’ variable populates, but ‘$result$’ details do not. How can I attach search outputs or offer a result link?
Hey, try to output a Splunk search link into a var, then pass that URL in the Jira summary or description. Not all results are passed by default, so using Splunk's API to fetch results then dynamically inserting it might be your best bet.
The integration challenge you’re encountering appears to originate from how Splunk’s response details are handled in the automation process. In my experience, the simplest workaround involves utilizing Splunk’s REST API post alert execution. This way, you can retrieve detailed results and update the Jira issue accordingly through an API call. It is somewhat more involved because it requires an additional scripting layer, but it provides the necessary flexibility to seamlessly attach specific search outcomes or result links to the Jira fields.
In a previous project, I faced a similar integration challenge and opted for a customized approach. Instead of trying to directly pass Splunk search results within Terraform, I developed a script that gets triggered post-alert. This script interfaces with Splunk’s API to extract detailed search outcomes and then updates Jira issues by inserting a link or summary information into the necessary fields. Relying on an external script allowed for greater flexibility and error handling, ensuring that no critical information is lost in the automation process.
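A sketch of the post-alert script the replies describe, added here as an example and not code from any poster: it takes the `sid` and `results_link` fields of Splunk's webhook alert payload, fetches the job's rows from the REST API, and comments on an existing Jira issue. Assumptions: Splunk token (Bearer) authentication, Jira's REST v2 comment endpoint with a wiki-markup body, an issue key that is already known, and hypothetical `cfg` key names and sample values.

```python
import json
import re
import urllib.parse
import urllib.request

ISSUE_KEY = re.compile(r"[A-Z][A-Z0-9_]*-\d+")  # e.g. SEC-42

def splunk_results_request(mgmt_url, sid, token, count=20):
    """GET the rows of a finished search job (management port)."""
    path = "/services/search/jobs/%s/results" % urllib.parse.quote(sid, safe="")
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return urllib.request.Request(f"{mgmt_url.rstrip('/')}{path}?{query}",
                                  headers={"Authorization": f"Bearer {token}"})

def format_comment(payload, rows, max_rows=5):
    """Wiki markup: alert name, result link, first rows as a table ('|' in values replaced)."""
    lines = [f"Splunk alert: {payload['search_name']}",
             f"Results: {payload['results_link']}"]
    if rows:
        cols = sorted(rows[0])
        lines.append("||" + "||".join(cols) + "||")
        for row in rows[:max_rows]:
            cells = (str(row.get(c, "")).replace("|", "/").replace("\n", " ") for c in cols)
            lines.append("|" + "|".join(cells) + "|")
        if len(rows) > max_rows:
            lines.append(f"({len(rows) - max_rows} more rows at the link above)")
    return "\n".join(lines)

def jira_comment_request(jira_url, issue_key, auth_header, body):
    """POST a comment to an existing issue; the key is validated before use in the path."""
    if not ISSUE_KEY.fullmatch(issue_key):
        raise ValueError(f"unexpected issue key: {issue_key!r}")
    return urllib.request.Request(
        f"{jira_url.rstrip('/')}/rest/api/2/issue/{issue_key}/comment",
        data=json.dumps({"body": body}).encode(),
        headers={"Authorization": auth_header, "Content-Type": "application/json"},
        method="POST")

def attach_results(payload, issue_key, cfg, send=urllib.request.urlopen):
    """Fetch rows for payload['sid'], then comment on the issue; returns HTTP status."""
    with send(splunk_results_request(cfg["splunk"], payload["sid"], cfg["splunk_token"])) as r:
        rows = json.load(r).get("results", [])
    with send(jira_comment_request(cfg["jira"], issue_key, cfg["jira_auth"],
                                   format_comment(payload, rows))) as r:
        return r.status

# Constructed sample data (not from a real Splunk instance)
SAMPLE_PAYLOAD = {"sid": "scheduler__admin__search__constructed_1", "search_name": "Failed logins",
                  "results_link": "https://splunk.example.com/app/search/@go?sid=constructed_1"}
SAMPLE_ROWS = [{"user": "alice", "src": "10.0.0.5|x", "count": "12"}]
```

Load the tokens in `cfg` from the environment or a secrets store rather than from Terraform variables, which end up in state files.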