Set priority in Splunk OpsGenie App that is accessible in OpsGenie

I have created some Splunk alerts that trigger OpsGenie successfully via the Opsgenie App. Now I would like to set the priority in the alert. However, a field related to priority is missing. These are the ones returned from the REST API:

action.opsgenie.command
action.opsgenie.description
action.opsgenie.forceCsvResults
action.opsgenie.hostname
action.opsgenie.icon_path
action.opsgenie.is_custom
action.opsgenie.label
action.opsgenie.maxresults
action.opsgenie.maxtime
action.opsgenie.payload_format
action.opsgenie.track_alert
action.opsgenie.ttl

And within Splunk UI one can only set api_url (action.opsgenie.param.api_url)

How can I set priority or a custom field and then access it in the Splunk Integration in OpsGenie?

1 answer

I contacted Opsgenie Support for guidance and was told that I could try out the field {{_payload}} to see all available fields.

_payload:

app=search, 
configuration={
                api_url=132-123-123-123
              }, 
server_host=foo, 
sid='',
result={}, 
results_file=...,
results_link=...,
session_key=...,
search_uri=...,
search_name=my_alert 
server_uri=https://foobar}

So the api_url appears in a configuration object. Interesting. I added a custom field named action.opsgenie.param.prio=P5 and it also ended up in _payload:

configuration={
                api_url=132-123-123-123,
                prio=P5
              }, 

I can now access it in the Splunk Integration with: {{_payload.configuration.prio}}

The best thing would be if OpsGenie added a specific field for priority so that the Splunk App in Opsgenie can be pre-configured. But this works well enough I guess.

I hope this will be useful for others as well
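An added example, not part of the original answer or of the Opsgenie app: a small check that reads a savedsearches.conf and reports, for every alert with the Opsgenie action enabled, whether the custom `action.opsgenie.param.prio` key from the answer is present and valid. The stanzas other than `my_alert`, the `action.opsgenie = 1` enable line, and the assumption that `prio` must be one of Opsgenie's P1 to P5 levels are illustrative.

```python
import configparser

# Constructed sample savedsearches.conf; every stanza except my_alert is hypothetical.
SAMPLE_CONF = """
[my_alert]
action.opsgenie = 1
action.opsgenie.param.api_url = 132-123-123-123
action.opsgenie.param.prio = P5

[disk_full]
action.opsgenie = 1
action.opsgenie.param.api_url = 132-123-123-123

[login_failures]
action.opsgenie = 1
action.opsgenie.param.api_url = 132-123-123-123
action.opsgenie.param.prio = high

[weekly_report]
action.email = 1
"""

PARAM_PREFIX = "action.opsgenie.param."
VALID_PRIORITIES = {"P1", "P2", "P3", "P4", "P5"}  # assumption: Opsgenie priority levels


def opsgenie_configuration(stanza):
    """Collect action.opsgenie.param.* keys as they appear under _payload.configuration."""
    return {key[len(PARAM_PREFIX):]: value.strip()
            for key, value in stanza.items() if key.startswith(PARAM_PREFIX)}


def check_priorities(conf_text):
    """Map each Opsgenie-enabled alert to its prio, 'missing', or 'invalid: <value>'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case instead of lowercasing
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        stanza = parser[name]
        if stanza.get("action.opsgenie", "0").strip().lower() not in {"1", "true"}:
            continue  # alert does not trigger the Opsgenie action
        prio = opsgenie_configuration(stanza).get("prio")
        if prio is None:
            report[name] = "missing"
        else:
            report[name] = prio if prio in VALID_PRIORITIES else f"invalid: {prio}"
    return report
```

Alerts reported as missing or invalid would render `{{_payload.configuration.prio}}` as empty or as a value the integration cannot map to a priority.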