guilhemmarchand / TA-jira-service-desk-simple-addon

Atlassian JIRA add-on for Splunk alert actions

Suggestion: Add all results in the description #64

Open arthurblabla opened 3 years ago

arthurblabla commented 3 years ago

Be able to add all results dynamically in the description rather than in the attachment

guilhemmarchand commented 3 years ago

Hi @arthurblabla

Thanks for opening an issue. Could you describe a bit further what you would like as a feature? I understand: having the option to include the same results that you can get within the attachment, but within the description field?

Guilhem

arthurblabla commented 3 years ago

Hi Guilhem, that's right! I have 2 reasons for that in my situation: 1- The preview feature doesn't work properly on my Jira Cloud (even using .csv). 2- When I receive a notification from Jira on issue creation, I only have the title/description, and I would love to have the search results in it.

PS: Thanks a lot for your awesome job on the app!

guilhemmarchand commented 3 years ago

Hi @arthurblabla,

Right, and thanks ;-)

OK so, for "2" I believe you might be missing something you can do very easily with Splunk alert actions: you can actually reuse any result from the alert and call it as a token, some form of a variable to say it differently.

Say your Splunk alert generates a result in the form of a stats table:

action,user,src,dest,message
failure,foo,acme server1,acme server2,"The user has attempted to access blabla, authorization was more blabla"

You can access each field using $result.<fieldname>$, so for example you could add in your description field:

Incident summary:

- action: $result.action$
- user: $result.user$
- src: $result.src$
- dest: $result.dest$
- message: $result.message$

You could as well build a summary field in SPL and do whatever you prefer, like

| eval summary = "User " . user . " performed an action resulting in " . action . " more blabla"

Then use

- incident summary: $result.summary$

Inserting the raw events / raw results in the JIRA ticket would be a mistake in terms of interest and value; what you need to provide is the key information, in the order and formatting that makes sense in your context. Providing the raw results as part of the body of the ticket would be pretty ugly, overkill and undesirable.

I hope this makes sense, feel free to let me know.

Guilhem

arthurblabla commented 3 years ago

Hi @guilhemmarchand,

Thank you for your very complete answer. As I have many alerts with many different result fields, it would have been easier for me to have something that puts all the results in a nice format at the end of the description. But if it is not in the spirit of your app, no problem! I'll add the result.fields manually.

Thank you very much for your quick and complete answers. And thanks again for your great app!

Arthur

guilhemmarchand commented 3 years ago

Hi @arthurblabla

It is technically possible to have an option that would add all results in the JIRA description field, I will keep your issue for this purpose.

Note that this wouldn't be enabled by default (this would most likely be a new dropdown in the alert options when enabling the alert action on a given alert), especially because this would potentially defeat the deduplication feature if anything in the results changes (which would be likely even if the alert triggers for the exact same event).

I will work on this, and thanks for your support ;-)

Guilhem

aleksf commented 2 years ago

Hi @guilhemmarchand, this feature would be nice indeed and would provide safeguards against making mistakes while trying to construct the output, especially for alerts with complex output. Is it still on the roadmap?

guilhemmarchand commented 2 years ago

Hi @aleksf

Nope, it wasn't on my radar! Re-opening it.

Guilhem

sanjay900 commented 1 year ago

We had a similar need for something like this ourselves, and ended up just using Splunk's | foreach * to append everything to a single field in a table structure, and then used that for the description.

The biggest problem you will hit is that there is a maximum count for characters in a Jira ticket description, and it is quite easy to hit that if you are not careful.

Something like this should achieve what you're after:

| foreach * 
    [| eval jira_description=mvappend(jira_description, "<<FIELD>>: ".'<<FIELD>>') ] 
| eval jira_description=mvjoin(jira_description,"<<TEMP_NEWLINE>>") 
| rex mode=sed field="jira_description" "s/<<TEMP_NEWLINE>>/\n/g" 
| eval jira_description=substr(jira_description, 1, 32767)
| table jira_description

This gives you the ability to format things however you want as well, for example if you wanted the data in a different format (for example a jira table), you could change this slightly to achieve that as well.
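Guilhem's $result.<field>$ token approach and sanjay900's `| foreach *` dump, side by side, as an added Python example; this is not code from the add-on, from Splunk, or from either comment. It simulates how an alert action parameter is expanded from the first result row (the assumption here is that a token naming a field absent from that row expands to an empty string), then builds an "all fields" description the way the SPL above does, with a visible truncation marker inside the 32767-character limit quoted in the thread and an optional Jira wiki-markup table layout. SAMPLE_RESULTS is constructed for the example; the backslash escaping of `|` in table cells assumes Jira wiki markup and should be checked on your own instance.

```python
import re

# Description limit quoted in the thread; confirm it for your Jira instance.
JIRA_DESCRIPTION_MAX = 32767

# Constructed sample result rows, shaped like the stats table in the thread.
SAMPLE_RESULTS = [
    {
        "_time": "1700000000",
        "action": "failure",
        "user": "foo",
        "src": "acme server1",
        "dest": "acme server2",
        "message": "The user has attempted to access blabla, authorization was more blabla",
    },
    {
        "_time": "1700000060",
        "action": "success",
        "user": "bar",
        "src": "acme server3",
        "dest": "acme server2",
        "message": "ok | retried",
    },
]

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render_tokens(template, results):
    """Expand $result.<field>$ tokens as a Splunk alert action parameter is
    expanded: values come from the first result row only.
    Assumption: a token for a field missing from that row expands to ''."""
    first = results[0] if results else {}
    return TOKEN_RE.sub(lambda m: str(first.get(m.group(1), "")), template)


def truncate(text, max_len, marker="\n[truncated]"):
    """Cap text at max_len characters. Unlike a bare substr(), keep a visible
    marker inside the limit so the analyst knows the ticket body is incomplete."""
    if len(text) <= max_len:
        return text
    keep = max(0, max_len - len(marker))
    return (text[:keep] + marker)[:max_len]


def _escape_cell(value):
    # Backslash escapes markup characters in Jira wiki syntax; an unescaped '|'
    # in a value would otherwise open a new table cell (assumption: verify on your Jira).
    return str(value).replace("|", "\\|")


def describe_all_fields(row, fmt="lines", max_len=JIRA_DESCRIPTION_MAX,
                        include_internal=False):
    """Build a description listing every field of one result row, like the
    `| foreach *` SPL, then cap it at the Jira limit.

    fmt="lines" gives one 'field: value' per line; fmt="table" gives a Jira
    wiki-markup table. Fields starting with '_' are skipped unless asked for,
    so internal fields such as _time do not clutter the ticket.
    """
    names = sorted(n for n in row if include_internal or not n.startswith("_"))
    if fmt == "lines":
        body = "\n".join(f"{n}: {row[n]}" for n in names)
    elif fmt == "table":
        cells = [f"|{_escape_cell(n)}|{_escape_cell(row[n])}|" for n in names]
        body = "\n".join(["||Field||Value||"] + cells)
    else:
        raise ValueError(f"unknown fmt {fmt!r}")
    return truncate(body, max_len)


if __name__ == "__main__":
    template = "Incident summary:\n- user: $result.user$\n- action: $result.action$"
    print(render_tokens(template, SAMPLE_RESULTS))
    print(describe_all_fields(SAMPLE_RESULTS[0]))
    print(describe_all_fields(SAMPLE_RESULTS[1], fmt="table"))
```

The truncation marker is the one deliberate departure from the SPL's `substr(jira_description, 1, 32767)`: a silently cut description looks complete to whoever reads the notification e-mail, which is exactly the audience arthurblabla wanted it for. Sorting the field names makes the description stable across alert firings, which matters if you care about the add-on's deduplication behaviour Guilhem mentions.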

M-SekTech commented 1 year ago

> Hi @arthurblabla
>
> It is technically possible to have an option that would add all results in the JIRA description field, I will keep your issue for this purpose.
>
> Note that this wouldn't be enabled by default (this would most likely be a new dropdown in the alert options when enabling the alert action on a given alert), especially because this would potentially defeat the deduplication feature if anything in the results changes (which would be likely even if the alert triggers for the exact same event).
>
> I will work on this, and thanks for your support ;-)
>
> Guilhem

So to confirm then, adding all the results to the description of a ticket is not currently supported?