New in Splunk Enterprise 6.3, custom alert actions (also called modular alerts) allow a developer to define an integration that can be reused multiple times and in different ways based on the data being presented to it. Custom alert actions interact specifically with the alerts that were already present in Splunk. There are a few new components that go into making a custom alert action (let's call this a CAA). We will discuss the various components of a CAA and build a very simple CAA that will output the results of the search into a file within the App.

The first step in the creation of a CAA is to determine what your alert is intending to do. While it is possible for your alert to do multiple actions, do not try and combine ...