Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alerting: Send ip/user to script as a parameter

hortonew
Builder
‎02-16-2012 05:28 AM

I have an alert that tells me whenever a failed authentication happens on our devices. Currently, its action is to call a batch (later python) script that does a net send to our xp machines saying that a failed authentication occurred. We want to add in some usable data to this alert so we don't have to check Splunk each time for what happened.

Is it possible to add data from the returned search as a parameter to the script, as either a parameter or environmental variable?

Edit: My answer may be somewhere in here: http://splunk-base.splunk.com/answers/3019/scripted-alert-question. I'll post my solution if I come up with one.

2nd Edit: I wrote a couple python scripts to handle Failed Authentication to network devices, as well as alerts for when Port Security is tripped. You can find them here: https://github.com/hortonew/ServerBackups/tree/master/scripts/python/Splunk

Tags (3)
0 Karma
Reply

itinney
Path Finder
‎02-16-2012 08:03 AM

All the results are saved in a csv file. One of the arguments passed in to every script is the full path to the results.csv file. So have your script open that file and parse the events.
If you are using Windows, you might find it easier to use the environment variables rather than script arguments because I have found that Windows does not cope with arguments that have whitespace in them. The documentation is here:
Configurescriptedalerts

Reply

hortonew
Builder
‎02-16-2012 08:21 AM

Thanks. Last time I tried calling a python script straight from the Splunk alert system, it didn't get executed. Any idea why? Would it have something to do with not having a python path at the top of the script? If so, what should I put for it to use Splunk's version of python?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...