Hi,
Can you please let us know whether you would like to fetch host, source and sourcetype from the Splunk query output?
Yes. That is correct. The output from the alert has the fields host, source and sourcetype which I want to use for creating a custom alert action.
Right now I am exporting a csv file with the result and have created a script to check the file for the required info. Is this the best option or do we have any other options?
You can create a script in bash or python and read the payload value; in the payload value you will be able to find the path for results.csv.gz, and the output is stored in this file when the Splunk query ran. If you are writing the script in bash then you can read the result from this compressed results file using the zcat command and then use a for loop to read each and every event and perform the necessary action as per your requirement.
On this https://answers.splunk.com/answers/734938/custom-alerts-how-to-use-configured-variables-and-1.html#a... answer thread, I have provided part of a bash script to read the payload and extract the results.csv.gz path.
If you want to write the script in python then have a look at the example here https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/ModAlertsBasicExample and once you have the absolute path of results.csv.gz then you need to use a for loop to perform the necessary action on each event based on your requirement.
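As an added example (not code from this thread, the linked answer, or Splunk itself), here is a Python skeleton of the approach described in the answer above: read the JSON payload from stdin when Splunk invokes the alert script with --execute, take the results_file path out of it, gunzip and parse results.csv.gz, and loop over each event to pull host, source and sourcetype. The payload key name results_file is the one used by Splunk's modular alert framework; the sample rows, the search name, the file layout under a temp directory and the log messages are constructed for the demo. Rows that lack one of the three fields are skipped rather than crashing the action, since a search does not always return every field for every event.

```python
import csv
import gzip
import io
import json
import os
import sys
import tempfile

# Constructed sample events in the shape Splunk writes to results.csv.gz
# (a gzip-compressed CSV with one header row). Values are made up.
# The last row deliberately has an empty host to exercise the skip path.
SAMPLE_ROWS = [
    {"_time": "1700000000", "host": "web-01", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"_time": "1700000005", "host": "web-02", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"_time": "1700000009", "host": "db-01", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"},
    {"_time": "1700000012", "host": "", "source": "/var/log/syslog", "sourcetype": "syslog"},
]


def write_sample_results(directory):
    """Write SAMPLE_ROWS as <directory>/results.csv.gz and return that path."""
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "host", "source", "sourcetype"])
        writer.writeheader()
        writer.writerows(SAMPLE_ROWS)
    return path


def load_payload(stream):
    """Parse the JSON payload Splunk sends on stdin when it runs the script with --execute."""
    return json.load(stream)


def read_results(results_file):
    """Yield one dict per event from the gzip-compressed results CSV."""
    with gzip.open(results_file, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            yield row


def collect_host_source_sourcetype(results_file):
    """Return [(host, source, sourcetype), ...] for every event that has all three fields."""
    triples = []
    for row in read_results(results_file):
        host, source, sourcetype = row.get("host"), row.get("source"), row.get("sourcetype")
        if not (host and source and sourcetype):
            continue  # incomplete event: do not act on partial data
        triples.append((host, source, sourcetype))
    return triples


def run(stdin=sys.stdin, argv=sys.argv):
    """Entry point for the alert action. Returns a process exit code."""
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = load_payload(stdin)
    results_file = payload.get("results_file")
    if not results_file or not os.path.isfile(results_file):
        sys.stderr.write("ERROR results_file missing from payload or not found on disk\n")
        return 2
    for host, source, sourcetype in collect_host_source_sourcetype(results_file):
        # Replace this line with the real action (ticket, webhook, block list, ...).
        # Writing to stderr is what Splunk logs for alert scripts.
        sys.stderr.write("INFO host=%s source=%s sourcetype=%s\n" % (host, source, sourcetype))
    return 0


def run_with_payload(payload_dict):
    """Helper for dry runs: feed a dict as the stdin payload and invoke run() in --execute mode."""
    return run(stdin=io.StringIO(json.dumps(payload_dict)), argv=["alert_action.py", "--execute"])


def demo():
    """Self-contained dry run on the constructed data. Returns (triples, exit_code)."""
    directory = tempfile.mkdtemp(prefix="alert_demo_")
    results_file = write_sample_results(directory)
    triples = collect_host_source_sourcetype(results_file)
    code = run_with_payload({"search_name": "failed logins by host", "results_file": results_file})
    return triples, code


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        sys.exit(run())          # invoked by Splunk
    triples, code = demo()       # invoked by hand for a local test
    print(triples, code)
```

When deployed under an app's bin directory and wired up through alert_actions.conf, Splunk runs the script with --execute and the payload on stdin, so only the run() path is exercised; demo() exists purely so the logic can be tried offline.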