I have an alert that tells me whenever a failed authentication happens on our devices. Currently, its action is to call a batch (later python) script that does a net send to our xp machines saying that a failed authentication occurred. We want to add in some usable data to this alert so we don't have to check Splunk each time for what happened.
Is it possible to add data from the returned search as a parameter to the script, as either a parameter or environmental variable?
All the results are saved in a csv file. One of the arguments passed in to every script is the full path to the results.csv file. So have your script open that file and parse the events.
If you are using Windows, you might find it easier to use the environment variables rather than script arguments because I have found that Windows does not cope with arguments that have whitespace in them. The documentation is here: Configurescriptedalerts
Thanks. Last time I tried calling a python script straight from the Splunk alert system, it didn't get executed. Any idea why? Would it have something to do with not having a python path at the top of the script? If so, what should I put for it to use Splunk's version of python?