Alerting

Extract custom parameters for Custom alert action alerts

Explorer

Hi,

I see that various variables are available by default in the script for a custom alert action, like search term, trigger reason etc.
How can we add custom parameters from the alert link, like the hostname, source or sourcetype etc., and use them in the script?

Regards,


SplunkTrust

Hi,

Can you please let us know whether you would like to fetch host, source and sourcetype from the Splunk query output?


Explorer

Yes. That is correct. The output from the alert has the fields host, source and sourcetype which I want to use for creating a custom alert action.

Right now I am exporting a CSV file with the result and have created a script to check the file for the required info. Is this the best option, or do we have any other options?


SplunkTrust

You can create a script in bash or Python and read the payload value; in the payload you will be able to find the path to results.csv.gz, which is where the output is stored when the Splunk query ran. If you are writing the script in bash, you can read the results from this compressed results file with the zcat command and then use a for loop to go through each event and perform the necessary action as per your requirement.

On this answer thread, https://answers.splunk.com/answers/734938/custom-alerts-how-to-use-configured-variables-and-1.html#a... , I have provided part of a bash script to read the payload and extract the results.csv.gz path.

If you want to write the script in Python, have a look at the example here: https://docs.splunk.com/Documentation/Splunk/7.2.6/AdvancedDev/ModAlertsBasicExample . Once you have the absolute path to results.csv.gz, you need to use a for loop to perform the necessary action on each event based on your requirement.

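The Python route described in the answer above, as an added example that is not part of the original thread or of Splunk's own example code. It assumes the documented behaviour of a custom alert action run with `--execute`: Splunk writes a JSON payload to stdin whose `results_file` key is the path to `results.csv.gz` and whose `configuration` key holds the action's own parameters from `alert_actions.conf`. The `notify_target` parameter and the three sample events are constructed for illustration. Field values such as `host` and `source` come straight from indexed data, so the script treats them as untrusted: it never builds a shell command string from them, which is the main risk of the `zcat` plus `for` loop approach if the loop body calls out to other tools.

```python
#!/usr/bin/env python3
"""Custom alert action: pull host/source/sourcetype out of the alert's results.

Splunk runs the script as `script.py --execute` and writes a JSON payload to
stdin. `results_file` points at results.csv.gz (gzip-compressed CSV of the
matched events); `configuration` holds this action's parameters.
"""
import csv
import gzip
import json
import os
import sys
import tempfile

FIELDS = ("host", "source", "sourcetype")


def parse_payload(raw):
    """Parse the JSON payload from stdin and check for the keys we rely on."""
    payload = json.loads(raw)
    missing = [k for k in ("results_file", "configuration") if k not in payload]
    if missing:
        raise ValueError("payload is missing keys: %s" % ", ".join(missing))
    return payload


def read_results(results_file, fields=FIELDS):
    """Yield one dict per event from results.csv.gz, restricted to `fields`.

    Values are indexed data, i.e. attacker-influenced input: keep them as data
    and never interpolate them into a shell command string.
    """
    with gzip.open(results_file, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            yield {f: row.get(f, "") for f in fields}


def handle_alert(payload):
    """Summarise the matched events together with the action's custom parameter.

    `notify_target` is a hypothetical parameter (param.notify_target in
    alert_actions.conf); it is an assumption used only for illustration.
    """
    events = list(read_results(payload["results_file"]))
    hosts = sorted({e["host"] for e in events if e["host"]})
    return {
        "search_name": payload.get("search_name", ""),
        "notify_target": payload["configuration"].get("notify_target", ""),
        "event_count": len(events),
        "hosts": hosts,
        "events": events,
    }


def build_sample_payload(directory):
    """Constructed sample (not real Splunk output): write a results.csv.gz with
    three events into `directory` and return a payload shaped like Splunk's."""
    path = os.path.join(directory, "results.csv.gz")
    columns = ["_time", "host", "source", "sourcetype", "_raw"]
    rows = [
        ("1700000000", "web01", "/var/log/auth.log", "linux_secure",
         "Failed password for root from 203.0.113.5"),
        ("1700000010", "web02", "/var/log/auth.log", "linux_secure",
         "Failed password for admin from 203.0.113.5"),
        ("1700000020", "web01", "/var/log/nginx/access.log", "access_combined",
         "203.0.113.5 - - \"GET /wp-login.php\" 200"),
    ]
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=columns)
        writer.writeheader()
        for row in rows:
            writer.writerow(dict(zip(columns, row)))
    return {
        "search_name": "Brute force on web tier",
        "sid": "scheduler_example_sid",  # constructed placeholder
        "results_file": path,
        "configuration": {"notify_target": "soc-oncall"},
    }


def run_sample():
    """Run the handler against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return handle_alert(build_sample_payload(tmp))


if __name__ == "__main__":
    if "--execute" in sys.argv:
        summary = handle_alert(parse_payload(sys.stdin.read()))
    else:
        summary = run_sample()
    json.dump(summary, sys.stdout, indent=2)
```

Run it with no arguments to see the constructed sample processed; under Splunk, the `--execute` branch is the one that runs, and anything written to stderr ends up in splunkd's logs for the alert action.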