Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract custom parameters for Custom alert action alerts

pdantuuri0411
Explorer
‎04-30-2019 12:25 PM

Hi,

I see that we can add various variables by default in the script for custom alert action like search term, trigger reason etc.
How can we add custom parameters from the alert link like the hostname, source or sourcetype etc. and use them in the script.

Regards,

Tags (3)
0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-01-2019 04:55 AM

Hi,

Can you please let us know whether you would like to fetch host, source and sourcetype from Splunk Query output ?

0 Karma
Reply

pdantuuri0411
Explorer
‎05-01-2019 10:13 AM

Yes. That is correct. The output from the alert has the fields host, source and sourcetype which I want to use for creating a custom alert action.

Right now I am exporting a csv file with the result and created a script to check the file for the required info. Is this the best option or do we have anyother options?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-01-2019 11:14 AM

You can create script in bash or python and read payload value, in payload value you will able to find path for results.csv.gz and in this file output is stored when splunk query ran. If you are writing script in bash then you can read result using zcat command from this compressed results file and then use for loop to read each and every events and perform necessary action as per your requirement.

On this https://answers.splunk.com/answers/734938/custom-alerts-how-to-use-configured-variables-and-1.html#a... answer thread, I have provided part of bash script to read payload and extract results.csv.gz path.

If you want to write script in python then have a look at example here https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/ModAlertsBasicExample and once you have results.csv.gz absolute directory path then you need to use for loop to perform necessary action on each event based on your requirement.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...