How can I get alert tokens inserted in one of the ...

woodsob · ‎12-04-2015

I am using both the email and the "run a script" methods of passing alert info to other products or people. I have info stored in the alert description field that is used for alert escalation. I can pass that in the body of the email by inserting the token $description$ . I need to be able to get the description into one of the 8 variables that are passed to the script when it is run to pass it to my enterprise message console. How can I do that? I am already using SNMP successfully, but the 8 variables do not contain the description of the alert.

jplumsdaine22 · ‎12-04-2015

I don't know the official method, but you could try a hacky way.

Put eval description="My description" into the search string, then in your script get the description out with echo $SPLUNK_ARG_2 | sed -e 's/.*description=$.*$/\1/'

Assuming the search string comes out in ARG_2. See http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Configuringscriptedalerts

woodsob · ‎12-04-2015

Thx for that idea. I just tested and it does show up in variable 2 and 3. Worst case, I can go with that... I also tried making:
| eval description = $description$
but that didn't work.

I also just tested using a macro named comment(1) and that worked very similarly to your approach.

How can I get alert tokens inserted in one of the eight "run a script" variables?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms