topic Re: Get environment variables in alert action script? in Splunk Search

Get environment variables in alert action script?

jef152 — Mon, 13 Nov 2017 19:38:35 GMT

How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?

Any tips or hints appreciated.

Thanks,

Jon

Re: Get environment variables in alert action script?

burwell — Mon, 13 Nov 2017 23:12:14 GMT

By user do you mean the owner of the alert?

Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens

Re: Get environment variables in alert action script?

jef152 — Tue, 14 Nov 2017 20:38:06 GMT

No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user(I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.

Re: Get environment variables in alert action script?

jef152 — Tue, 29 Sep 2020 17:01:46 GMT

Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:

In my alert_actions.conf, I put the following command(used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....

Re: Get environment variables in alert action script?

jef152 — Wed, 06 Dec 2017 19:49:31 GMT

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command(used a generic alert action name):

 command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$