Hi, I'm new to creating custom alert action & I'm following the documentations provided by Splunk to create this. While I've got my alert to work, however I couldn't find a mechanism to inject the following two items to my application:
In my use-case I need both of them & I'm not sure how to do that. I tried following another solved answer on similar lines but this hasn't helped me so far. Here's what I did in the savedsearches.conf.:
.....
.....
action.tmc.param.result_count = $job.resultCount$
action.tmc.param.search_query = $job.search$
.....
.....
.....
I've also defined the savedsearches.conf..spec file as follows:
.....
.....
action.tmc.param.result_count = <integer>
action.tmc.param.search_query = <string>
.....
.....
.....
However in my python script, when I print out the configuration sent out, I don't see these two arguments passed. I've restarted Splunk but that hasn't helped either.
I would really appreciate if someone can please help guide me to the right direction. Thanks!