I have an alert that tells me whenever a failed authentication happens on our devices. Currently, its action is to call a batch (later python) script that does a net send to our xp machines saying that a failed authentication occurred. We want to add in some usable data to this alert so we don't have to check Splunk each time for what happened.
Is it possible to add data from the returned search as a parameter to the script, as either a parameter or environmental variable?
Edit: My answer may be somewhere in here: http://splunk-base.splunk.com/answers/3019/scripted-alert-question. I'll post my solution if I come up with one.
2nd Edit: I wrote a couple python scripts to handle Failed Authentication to network devices, as well as alerts for when Port Security is tripped. You can find them here: https://github.com/hortonew/ServerBackups/tree/master/scripts/python/Splunk
All the results are saved in a csv file. One of the arguments passed in to every script is the full path to the results.csv file. So have your script open that file and parse the events.
If you are using Windows, you might find it easier to use the environment variables rather than script arguments because I have found that Windows does not cope with arguments that have whitespace in them. The documentation is here:
Thanks. Last time I tried calling a python script straight from the Splunk alert system, it didn't get executed. Any idea why? Would it have something to do with not having a python path at the top of the script? If so, what should I put for it to use Splunk's version of python?