I am using both the email and the "run a script" methods of passing alert info to other products or people. I have info stored in the alert description field that is used for alert escalation. I can pass that in the body of the email by inserting the token $description$. I need to be able to get the description into one of the 8 variables that are passed to the script when it is run to pass it to my enterprise message console. How can I do that? I am already using SNMP successfully, but the 8 variables do not contain the description of the alert.
I don't know the official method, but you could try a hacky way.
Put eval description="My description" into the search string, then in your script get the description out with:
echo "$SPLUNK_ARG_2" | sed -e 's/.*description=\(.*\)/\1/'
Assuming the search string comes out in ARG_2. See http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Configuringscriptedalerts
Thx for that idea. I just tested and it does show up in variable 2 and 3. Worst case, I can go with that... I also tried making:
| eval description = $description$
but that didn't work.
I also just tested using a macro named comment(1) and that worked very similarly to your approach.
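As an added example (not code from any poster in this thread), here is one way an alert script could pull the description out of the search string and clean it before handing it to a downstream console. It assumes the search contains eval description="..." with no embedded double quotes and that the string arrives in SPLUNK_ARG_2 or SPLUNK_ARG_3 as reported above; the function names and the 200-character limit are hypothetical.

```shell
#!/bin/sh
# Added example: extract description="..." from the search string that
# Splunk passes to a scripted alert, treating the value as untrusted data.

# extract_description STRING
# Prints the quoted value of the last eval description="..." on a line.
# Matching stops at the closing double quote, so the surrounding quotes and
# any later pipeline stages (| stats ...) are not captured.
extract_description() {
    printf '%s\n' "$1" |
        sed -n 's/.*eval[[:space:]]*description[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# sanitize STRING
# Removes control characters (including ESC and newlines) and truncates,
# so the value cannot inject terminal sequences or extra lines downstream.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177' | cut -c1-200
}

# get_alert_description
# Tries SPLUNK_ARG_2 first, then SPLUNK_ARG_3, and prints the cleaned value.
get_alert_description() {
    desc=$(extract_description "${SPLUNK_ARG_2:-}")
    [ -n "$desc" ] || desc=$(extract_description "${SPLUNK_ARG_3:-}")
    sanitize "$desc"
}

# Constructed sample search string, for illustration only.
sample='index=main error | eval description="Escalate to NOC tier 2" | stats count'

# When run by Splunk as an alert script, print the value for the next step.
if [ -n "${SPLUNK_ARG_2:-}${SPLUNK_ARG_3:-}" ]; then
    get_alert_description
fi
```

Always expand the result in double quotes when passing it to another command, and never feed it to eval or an unquoted command line.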