<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Scripted Alert Question in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14351#M1459</link>
    <description>&lt;P&gt;No the arguments do not contain the results.&lt;/P&gt;

&lt;P&gt;I wanted this too when I first started using Splunk, but think about it this way: the results from your search could contain thousands of events, which is way too much info to pass around on the command line. So it's necessary for the results to be saved to a file first. Then Splunk passes your script the name of that file as &lt;CODE&gt;$8&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&lt;/P&gt;

&lt;P&gt;Here is something you could get started with:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;my_custom_script.py&lt;/CODE&gt;:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;import csv
import gzip
import sys
from subprocess import call

def openany(p):
    # Splunk may hand over the results file gzipped; open it as text either way
    # so csv.DictReader gets str rows rather than bytes.
    if p.endswith(".gz"):
        return gzip.open(p, "rt")
    else:
        return open(p)

event_count = int(sys.argv[1])  # number of events returned.
results_file = sys.argv[8]      # file with search results

for row in csv.DictReader(openany(results_file)):
    # Build a command line to call based on fields from splunk output.
    # The field values come straight from the search results, so validate
    # them (e.g. against a list of known hosts/users) before they reach a
    # command line. Passing a list (not a shell string) avoids shell expansion.
    my_command = ["ssh", row["shost"], "-l", row["suser"]]  # .... add the remaining arguments here
    call(my_command)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Thu, 27 May 2010 06:15:51 GMT</pubDate>
    <dc:creator>Lowell</dc:creator>
    <dc:date>2010-05-27T06:15:51Z</dc:date>
    <item>
      <title>Scripted Alert Question</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14350#M1458</link>
      <description>&lt;P&gt;Is there a way to pass the &lt;EM&gt;result&lt;/EM&gt; of a savedsearch to a script? For example, if the search returns:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;suser   duser   shost   dhost
me      you     mine    yours
you     me      yours   mine&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I’d like the script to read the “shost” column and perform a certain function based on the content of shost.&lt;/P&gt;

&lt;P&gt;These are the arguments Splunk passes to the script. But I’m not sure they contain the results.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;* $0 = script name.
* $1 = number of events returned.
* $2 = search terms.
* $3 = fully qualified query string.
* $4 = name of saved splunk.
* $5 = trigger reason (i.e. "The number of events was greater than 1").
* $6 = Browser URL to view the saved search.
* $7 = This option has been deprecated and is no longer used
* $8 = file where the results for this search are stored (contains raw results). 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 27 May 2010 05:46:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14350#M1458</guid>
      <dc:creator>ubko</dc:creator>
      <dc:date>2010-05-27T05:46:58Z</dc:date>
    </item>
    <item>
      <title>Re: Scripted Alert Question</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14351#M1459</link>
      <description>&lt;P&gt;No the arguments do not contain the results.&lt;/P&gt;

&lt;P&gt;I wanted this too when I first started using Splunk, but think about it this way: the results from your search could contain thousands of events, which is way too much info to pass around on the command line. So it's necessary for the results to be saved to a file first. Then Splunk passes your script the name of that file as &lt;CODE&gt;$8&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&lt;/P&gt;

&lt;P&gt;Here is something you could get started with:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;my_custom_script.py&lt;/CODE&gt;:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;import csv
import gzip
import sys
from subprocess import call

def openany(p):
    # Splunk may hand over the results file gzipped; open it as text either way
    # so csv.DictReader gets str rows rather than bytes.
    if p.endswith(".gz"):
        return gzip.open(p, "rt")
    else:
        return open(p)

event_count = int(sys.argv[1])  # number of events returned.
results_file = sys.argv[8]      # file with search results

for row in csv.DictReader(openany(results_file)):
    # Build a command line to call based on fields from splunk output.
    # The field values come straight from the search results, so validate
    # them (e.g. against a list of known hosts/users) before they reach a
    # command line. Passing a list (not a shell string) avoids shell expansion.
    my_command = ["ssh", row["shost"], "-l", row["suser"]]  # .... add the remaining arguments here
    call(my_command)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 27 May 2010 06:15:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14351#M1459</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2010-05-27T06:15:51Z</dc:date>
    </item>
    <item>
      <title>Re: Scripted Alert Question</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14352#M1460</link>
      <description>&lt;P&gt;Since my result set is only a few lines, I was looking for a direct solution. Thank you for your suggestion and I think it'll definitely solve my immediate problem.&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2010 22:41:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Scripted-Alert-Question/m-p/14352#M1460</guid>
      <dc:creator>ubko</dc:creator>
      <dc:date>2010-05-27T22:41:57Z</dc:date>
    </item>
  </channel>
</rss>

