http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurescriptedalerts
says that
The command line arguments that Splunk passes to the script are:
$0 = Script name
$1 = Number of events returned
$2 = Search terms
$3 = Fully qualified query string
$4 = Name of saved search
$5 = Trigger reason (i.e. "The number of events was greater than 1")
$6 = Browser URL to view the saved search
$7 = This option has been deprecated and is no longer used
$8 = File where the results for this search are stored (contains raw results)
So, I've got a couple of snippets of info, but I also want the severity that I set in Splunk to be passed along (if it can't be, what's the point of having that field, right?).
Is there a way to pass the severity along to the script? If I put some arguments after the script, will they be passed as $9?
FYI, I'm passing this to a bash script that simply calls zensedevent.
Thanks.
Another approach I've been using is to simply use a small number of alert scripts. The severity of the alert is encoded in the name of the script, e.g. alert2mgr_low, alert2mgr_medium and so on.
For the script, I have one common script which examines its name, the $0 argument, looking for 'low', 'medium', 'high', etc and encodes the appropriate severity into our alert manager. The only cost then is a bunch of links from the various names to the one script.
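The name-based approach above, written out as an added example (this is not the answerer's script or anything shipped with Splunk). It assumes symlinks named alert2mgr_debug, alert2mgr_info, alert2mgr_warn, alert2mgr_error, alert2mgr_severe and alert2mgr_fatal all pointing at one file; the suffixes and numbers follow the alert.severity scale that savedsearches.conf documents (1-debug through 6-fatal). The call to the real alert manager (zensendevent in the question) is replaced by a printf so the script runs anywhere, and the arguments in the demonstration call at the bottom are constructed to look like what Splunk hands the script.

```bash
#!/bin/sh
# Added example: one alert script, many names. Splunk passes the script's own
# path as $0, so a symlink such as alert2mgr_warn -> alert2mgr carries the
# severity in its name. Assumptions: the "alert2mgr_" prefix, the suffix set,
# and the printf standing in for the alert-manager call.

# Map a script path like /opt/splunk/bin/scripts/alert2mgr_error to "4".
# Prints nothing and returns 1 when the suffix is not a known level.
severity_from_name() {
    name="${1##*/}"            # strip directories
    case "${name##*_}" in      # keep only what follows the last underscore
        debug)  echo 1 ;;
        info)   echo 2 ;;
        warn)   echo 3 ;;
        error)  echo 4 ;;
        severe) echo 5 ;;
        fatal)  echo 6 ;;
        *)      return 1 ;;
    esac
}

# Takes the script name followed by Splunk's eight positional arguments, so
# Splunk's $1 (event count) is $2 here, $4 (saved search name) is $5,
# $5 (trigger reason) is $6 and $8 (results file) is $9.
handle_alert() {
    script_name="$1"
    count="$2"
    saved_search="$5"
    reason="$6"
    results_file="$9"
    if ! severity=$(severity_from_name "$script_name"); then
        echo "cannot derive severity from script name: $script_name" >&2
        return 1
    fi
    # Replace this printf with the real alert-manager call (e.g. zensendevent).
    printf 'severity=%s search="%s" events=%s reason="%s" results_file=%s\n' \
        "$severity" "$saved_search" "$count" "$reason" "$results_file"
}

# In the deployed script the last line is simply:   handle_alert "$0" "$@"
# Here the arguments are constructed to match what Splunk would pass to a
# symlink named alert2mgr_warn; search terms, query, URL and the deprecated
# $7 are filler, and the results path is made up.
handle_alert /opt/splunk/bin/scripts/alert2mgr_warn 12 'error' 'search error' \
    'Disk errors' 'The number of events was greater than 1' \
    'http://splunk.example/app/search/alerts' '' /tmp/results.csv.gz
```

Creating the names is a one-off: `ln -s alert2mgr alert2mgr_warn` and so on in the scripts directory, then each saved search points at the link matching its severity. A name with an unknown suffix makes the script exit non-zero with a message on stderr rather than sending an alert with a guessed level.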
So, I asked the dev for this particular piece of code, and it can be done.
1 - Need to modify alert_actions.conf to pass a 9th argument as
$alert.severity$
get the name from savedsearches.conf:
> alert.severity = <int>
> * Sets the alert severity level.
> * Valid values are: 1-debug, 2-info, 3-warn, 4-error, 5-severe, 6-fatal
> * Defaults to 3.
2 - you need to modify runshellscript to account for this 9th argument.
I'm no coder, but a quick look tells me at least one thing you need to change. From runshellscript.py:
    # make sure cmd_args has length of 9
    cmd_args = cmd_args[:9]
    for i in xrange(9-len(cmd_args)):
        cmd_args.append("")
    cmd_args[0] = script
    cmd_args[8] = path
You might want to test it out before you change it.
I've had people successfully do it with the above instructions.
Did you have any luck with this? I am trying to do the same thing and have gotten stuck.
No. I guess I'll just have to have a few scripts for the various severity levels.
Here's the answer:
http://docs.splunk.com/Documentation/Splunk/4.2.3/user/SchedulingSavedSearches
Severity labels are informational in purpose and have no additional functionality. You can use them to quickly pick out important alerts from the alert listing on the Alerts page, which you can get to by clicking the Alerts link in the upper right-hand corner of the Splunk interface.
And... if you try to add additional arguments, they don't get passed as arguments, but as part of the script name itself:
10-18-2011 00:03:50.562 +0000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/alert_splunk_troubleshoot.sh foofoofoo