From 29f638f8f6c5af62f45c92c70301b1f3bca54bfb Mon Sep 17 00:00:00 2001
From: Splunk Git Pusher
Date: Sat, 31 Jan 2026 21:14:41 +0100
Subject: [PATCH] test3101
Pushed by: admin
License: 1CFBBDCA-31F (Starter)
Timestamp: 2026-01-31T21:14:41.472689
---
 .../README/alert_actions.conf.spec | 16 ++++
 .../README/savedsearches.conf.spec | 19 +++++
 .../appserver/static/logevent.png | Bin 0 -> 1423 bytes
 apps/alert_logevent/bin/logevent.py | 55 +++++++++++++
 .../alert_logevent/default/alert_actions.conf | 12 +++
 apps/alert_logevent/default/app.conf | 18 +++++
 .../default/data/ui/alerts/logevent.html | 76 ++++++++++++++++++
 apps/alert_logevent/default/restmap.conf | 3 +
 apps/alert_logevent/metadata/default.meta | 13 +++
 9 files changed, 212 insertions(+)
 create mode 100755 apps/alert_logevent/README/alert_actions.conf.spec
 create mode 100755 apps/alert_logevent/README/savedsearches.conf.spec
 create mode 100755 apps/alert_logevent/appserver/static/logevent.png
 create mode 100755 apps/alert_logevent/bin/logevent.py
 create mode 100755 apps/alert_logevent/default/alert_actions.conf
 create mode 100755 apps/alert_logevent/default/app.conf
 create mode 100755 apps/alert_logevent/default/data/ui/alerts/logevent.html
 create mode 100755 apps/alert_logevent/default/restmap.conf
 create mode 100755 apps/alert_logevent/metadata/default.meta
diff --git a/apps/alert_logevent/README/alert_actions.conf.spec b/apps/alert_logevent/README/alert_actions.conf.spec
new file mode 100755
index 00000000..261f052a
--- /dev/null
+++ b/apps/alert_logevent/README/alert_actions.conf.spec
@@ -0,0 +1,16 @@
+[logevent]
+
+param.event =
+* Default value for event content sent to the receiver endpoint, which is eventually indexed
+
+param.host =
+* Default field value of the host field of the newly indexed event
+
+param.source =
+* Default field value of the source field of the newly indexed event
+
+param.sourcetype =
+* Default field value of the sourcetype field of the newly indexed event
+
+param.index =
+* Default field value for the destination index of the newly indexed event
diff --git a/apps/alert_logevent/README/savedsearches.conf.spec b/apps/alert_logevent/README/savedsearches.conf.spec
new file mode 100755
index 00000000..98b928f4
--- /dev/null
+++ b/apps/alert_logevent/README/savedsearches.conf.spec
@@ -0,0 +1,19 @@
+# Log event action settings
+
+action.log_event = [0|1]
+* Enable log event action
+
+action.logevent.param.event =
+* Event content sent to the receiver endpoint, which is eventually indexed
+
+action.logevent.param.host =
+* Field value of the host field of the newly indexed event
+
+action.logevent.param.source =
+* Field value of the source field of the newly indexed event
+
+action.logevent.param.sourcetype =
+* Field value of the sourcetype field of the newly indexed event
+
+action.logevent.param.index =
+* Destination index of the newly indexed event
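Review bot: The enable key in savedsearches.conf.spec is spelled `action.log_event = [0|1]`, while every other key in the same spec, the `[logevent]` stanza in alert_actions.conf and the restmap.conf validation (`'action.logevent' != "1"`) use `logevent` without the underscore, so the spec documents a key that nothing else in this commit reads. The enable key for a custom alert action is `action.<stanza name>`, which here is `logevent`; the line should read `action.logevent = [0|1]` so the spec and the validation agree.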
diff --git a/apps/alert_logevent/appserver/static/logevent.png b/apps/alert_logevent/appserver/static/logevent.png new file mode 100755 index 0000000000000000000000000000000000000000..ef06054c7fc3ddd21ac758757487ec2639f35371 GIT binary patch literal 1423 zcmV;A1#tR_P)Px)Nl8RORA>e5Sxtx>MHK$3XOhL;#QZ5y5y>vWc+g8O5`!R$Mh}8YeVcs_Cwo z?#%umTQJkFs@~sMud4c0HIS=RxhRJMM1bMVkY?-*0s$vWlitB_4M&E*mCOsOBsErf zM?N|%(s*WZ`5TbGX3>pDt@KQcGyIN$bzJF7Cs|9g&5`kn!e8}*7GbrasVMOYVnJF# z67tKjZjPR;D*{b*ZALP4I6`sJwA$1q9|;H>*hoMF9W}OjCKe=Poo|MZE2%Oq+NHmB z{y-{oYGZBUrPOw#QFlppnsG3O**>g>c3I6WkfOuh)QUm!H@+!j=E^>-alXRHvzN0~ zL{lMpW^;Dlv*1!gIGFZ)t5{2l>*`CYlx8>^&sfl6(X>B8(2SQMCs z2f4hDoKu9-5hx6BJ^SYEut|&#eW8k|^rA0?MK{oXh|25}ygzg%jF+(e&)gwc(}Az;pvH|Cp5TB;}hs^4h}G zYM|=91&HTKd5=Y|<1XDm&3gm^4pI8swe_JZ64*iBf7r2m9Wd$$z&f88xL$zJ4Fs%@va##2o|3pu2(HHU0)%eB5fZ_l zv7W9Y5HbcV8KSNu0IghzB*tE3KxAH0DWL0F(B2}_^wbp=Os#E zUWhGKy?rrlA@m?i1j0#%ND2y8r~mIT$^O9D@K!oQ{7P-T7$3gPqBri+5lBHtLGU`? z5OWH#3AGa&Y5Sg{wXq?jUGIaqzayf`f5w61_r|<3O;^joFKH4qi_AF8lCoXv3glK% zRuD9pekLB-lMG*@GHdEjtLp|BEwp)G4|1ARjy65Wg0_nOzQoHMin3UB0}wqpKYN4D z2U+~9?Oh)Mds@`aT4cH!{g znWc0z%T{{;E`OQcFGp#f`*7GGT|yquQnnoJb^ujxKRJGsZZkQ(eV~Y9cpzsXgh#_Qease<+P@Hx#A=p85j^5nc2-MRk zJCD%~&8Ikb@l|rXm-hU7$nmG>cPrIjEa-PEW{*I$3;E^NgQm+5kpt_=k;{~B42Pe2 z82+MM>2|mi@>q9`tlR?M|DJCBcZ6R6+=}6MBT(F}u1eYgh~}Gk(_H#{psTJFQ`XrUn5Jvf)vJnP dBmBRY`VYoHlO~sc5n%uT002ovPDHLkV1js}sI~wA literal 0 HcmV?d00001 diff --git a/apps/alert_logevent/bin/logevent.py b/apps/alert_logevent/bin/logevent.py new file mode 100755 index 00000000..c030cba9 --- /dev/null +++ b/apps/alert_logevent/bin/logevent.py 
@@ -0,0 +1,55 @@
+from __future__ import annotations
+import sys
+import json
+from future.moves.urllib.parse import urlencode
+from future.moves.urllib.request import urlopen, Request
+from future.moves.urllib.error import HTTPError, URLError
+from splunk.util import unicode
+
+def log_event(settings, event, source, sourcetype, host, index) -> bool:
+ if event is None:
+ sys.stderr.write("ERROR No event provided\n")
+ return False
+ query = [('source', source), ('sourcetype', sourcetype), ('index', index)]
+ if host:
+ query.append(('host', host))
+ url = '%s/services/receivers/simple?%s' % (settings.get('server_uri'), urlencode(query))
+ try:
+ encoded_body = unicode(event).encode('utf-8')
+ req = Request(url, encoded_body, {'Authorization': 'Splunk %s' % settings.get('session_key')})
+ res = urlopen(req)
+ if 200 <= res.code < 300:
+ sys.stderr.write("DEBUG receiver endpoint responded with HTTP status=%d\n" % res.code)
+ return True
+ else:
+ sys.stderr.write("ERROR receiver endpoint responded with HTTP status=%d\n" % res.code)
+ return False
+ except HTTPError as e:
+ sys.stderr.write("ERROR Error sending receiver request: %s\n" % e)
+ except URLError as e:
+ sys.stderr.write("ERROR Error sending receiver request: %s\n" % e)
+ except Exception as e:
+ sys.stderr.write("ERROR Error %s\n" % e)
+ return False
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2 or sys.argv[1] != "--execute":
+ sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
+ sys.exit(1)
+ try:
+ settings = json.loads(sys.stdin.read())
+ config = settings['configuration']
+ success = log_event(
+ settings,
+ event=config.get('event'),
+ source=config.get('source'),
+ sourcetype=config.get('sourcetype'),
+ host=config.get('host'),
+ index=config.get('index')
+ )
+ if not success:
+ sys.exit(2)
+ except Exception as e:
+ sys.stderr.write("ERROR Unexpected error: %s\n" % e)
+ sys.exit(3)
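Review bot: The `else` branch after `if 200 <= res.code < 300:` in log_event is effectively dead — the default urlopen opener raises HTTPError for any status outside 200–299, which the `except HTTPError` clause below already reports — and the response returned by `urlopen(req)` is never closed. Replacing the `res = urlopen(req)` line and the if/else with `with urlopen(req) as res:` / `sys.stderr.write("DEBUG receiver endpoint responded with HTTP status=%d\n" % res.code)` / `return True` closes the connection on every path and removes the unreachable branch. Since alert_actions.conf in this same commit pins `python.version = latest`, the `future.moves.urllib.*` shims could be replaced by the stdlib `urllib.parse`, `urllib.request` and `urllib.error` imports, dropping a third-party dependency from the bin directory. A docstring on log_event stating that `settings` is the alert-action payload read from stdin, that `server_uri` and `session_key` are taken from it, and that the session key is sent as the `Authorization` header would tell a maintainer where the credential comes from.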
diff --git a/apps/alert_logevent/default/alert_actions.conf b/apps/alert_logevent/default/alert_actions.conf
new file mode 100755
index 00000000..503d275b
--- /dev/null
+++ b/apps/alert_logevent/default/alert_actions.conf
@@ -0,0 +1,12 @@
+[logevent]
+python.version = latest
+is_custom = 1
+label = Log Event
+description = Send log event to Splunk receiver endpoint
+icon_path = logevent.png
+payload_format = json
+
+param.source = alert:$name$
+param.sourcetype = generic_single_line
+param.host =
+param.index = main
\ No newline at end of file
diff --git a/apps/alert_logevent/default/app.conf b/apps/alert_logevent/default/app.conf
new file mode 100755
index 00000000..5d1cdcf0
--- /dev/null
+++ b/apps/alert_logevent/default/app.conf
@@ -0,0 +1,18 @@
+# Version 10.0.2
+#
+# Splunk app configuration file
+#
+
+[ui]
+is_visible = 0
+label = Log Event Alert Action
+
+[launcher]
+author = Splunk
+description = Log Event Alert Action
+version=10.0.2
+
+[install]
+state = enabled
+is_configured = 1
+allows_disable = false
diff --git a/apps/alert_logevent/default/data/ui/alerts/logevent.html b/apps/alert_logevent/default/data/ui/alerts/logevent.html
new file mode 100755
index 00000000..14c7a0ac
--- /dev/null
+++ b/apps/alert_logevent/default/data/ui/alerts/logevent.html
@@ -0,0 +1,76 @@
+
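Review bot: In the alert_actions.conf hunk `param.host =` is deliberately empty and `param.event` is absent even though alert_actions.conf.spec declares a default for it, and nothing in the file says why. Both choices are only explained by the other files in this commit: logevent.py appends `host` to the receiver query only when it is non-empty, and the restmap.conf validation rejects a saved search whose event text is unset or empty. A comment above the param block, such as `# host: empty means logevent.py omits the host parameter from the receiver request` and `# event: no default here; restmap.conf requires it per saved search`, would keep the three files in step when one of them changes.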
+
+ + +
+ +
+
+
+
+ + Specify event text for the logged event. +
+ Learn More + +
+
+
+
+ + +
+ +
+
+
+
+ + Value of the source field. + +
+
+
+ + +
+ +
+
+
+
+ + Value of the sourcetype field. + +
+
+
+ + +
+ +
+
+
+
+ + Value of the host field. + +
+
+
+ + +
+ +
+
+
+
+ + Indicate a destination index for the logged event. Ensure that destination matches an existing index. + +
+
+
+
\ No newline at end of file
diff --git a/apps/alert_logevent/default/restmap.conf b/apps/alert_logevent/default/restmap.conf
new file mode 100755
index 00000000..c0298006
--- /dev/null
+++ b/apps/alert_logevent/default/restmap.conf
@@ -0,0 +1,3 @@
+[validation:savedsearch]
+# Require event to be set if logevent action is enabled
+action.logevent = case('action.logevent' != "1", null(), 'action.logevent.param.event' == "action.logevent.param.event" OR 'action.logevent.param.event' == "", "No event text specified for log event action", 1==1, null())
diff --git a/apps/alert_logevent/metadata/default.meta b/apps/alert_logevent/metadata/default.meta
new file mode 100755
index 00000000..ddb8b569
--- /dev/null
+++ b/apps/alert_logevent/metadata/default.meta
@@ -0,0 +1,13 @@
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+[alert_actions]
+export = system
+
+[alerts]
+export = system
+
+[restmap]
+export = system
\ No newline at end of file
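Review bot: The restmap.conf validation compares the setting against its own key name, `'action.logevent.param.event' == "action.logevent.param.event"`, which reads like a copy-paste mistake unless the reader knows the idiom, and the one-line comment above only states the intent. Presumably an unset setting evaluates to its literal key name in this validation context, which is why name-equality and the empty string are both treated as "no event text"; extending the comment to `# an unset setting evaluates to its own key name, so both that and "" mean no event text was given` would make the expression reviewable, once that behaviour is confirmed against the validation:savedsearch semantics.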