topic How do I pass event arguments to scripts run in response to Splunk alerts? in Alerting

How do I pass event arguments to scripts run in response to Splunk alerts?

Alan_Bradley — Fri, 19 Mar 2010 23:50:34 GMT

When I configure a script in Splunk to run when an alert fires, how I can pass event arguments ( node name, message, etc) to the script?

Re: How do I pass event arguments to scripts run in response to Splunk alerts?

matt — Fri, 19 Mar 2010 23:53:26 GMT

Configure scripted alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf.

Complete documentation on the subject can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/Alert/Configuringscriptedalerts

Re: How do I pass event arguments to scripts run in response to Splunk alerts?

jcott28 — Tue, 01 May 2012 17:50:07 GMT

The first answer shows how to create alerts, not how to have the scripted alert pass in event arguments. i.e. hostname, message, etc. Splunk appears to pass in the 8 arguments in the documentation, but doesn't allow you to include additional information.

If I have an alert that is trigger, and part of the search that triggers the alert is host="MYMACHINE*", it would be great to know in the alert which MYMACHINE# the alert was found on. Is there a way to do that?

Re: How do I pass event arguments to scripts run in response to Splunk alerts?

gkanapathy — Tue, 01 May 2012 18:55:47 GMT

To send non-fixed information to an alert, you must write your alert script to open the results file. The results file path is by default is argument number 8, and is in CSV format. Your script can open and parse out results from this file.

Re: How do I pass event arguments to scripts run in response to Splunk alerts?

tsatsost — Wed, 25 Nov 2015 16:24:42 GMT

and where is that file?