I want to create a custom alert action that, when the alert fires, takes the host from the search results and uses it as a token to remotely restart a host. I can get the REST URL right, but how do I get the alert to use host as a token?
Fields from the first row of results are available as tokens to be passed to the custom action - $result.field$
Can you show me how that would sort of look?
Start with a search which finds the hosts that you want to alert on.
So what I have is this so far, in alert_actions.conf. I already have the search; I'm dealing with the alert portion.
[restart_splunk]
is_custom = 1
filename = restart.sh
In /opt/bin/scripts, I have this script
curl -k -u admin:test1234 https://$result.host$:8089/services/server/control/restart -X POST
The script doesn't have access to the tokens, they would need to be passed as arguments to your script.
Advanced options for working with custom alert actions - Splunk Documentation
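One way to pass the host token into the script as an argument, as the reply above suggests. This is an added example, not the poster's restart.sh; the alert.execute.cmd.arg.1 mapping in the comment and the SPLUNK_USER / SPLUNK_PASS environment variables are assumptions.

```shell
#!/bin/sh
# restart.sh: custom alert action that restarts the host named in the first result row.
# Assumed alert_actions.conf stanza that hands the token over as argv[1]:
#   [restart_splunk]
#   is_custom = 1
#   alert.execute.cmd = restart.sh
#   alert.execute.cmd.arg.1 = $result.host$
# Credentials are read from the environment (assumption) rather than hardcoded in the script.

# Accept only hostname/IP characters so an odd host value cannot change the URL or the command line.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the management-port REST URL for the restart endpoint (the one from the original curl).
build_restart_url() {
    printf 'https://%s:8089/services/server/control/restart' "$1"
}

# Validate the argument, then POST to the restart endpoint; returns 2 on a rejected host value.
restart_host() {
    host="$1"
    if ! valid_host "$host"; then
        echo "restart.sh: refusing to use host value '$host'" >&2
        return 2
    fi
    url=$(build_restart_url "$host")
    curl -k -s -o /dev/null -w '%{http_code}\n' \
        -u "${SPLUNK_USER:?}:${SPLUNK_PASS:?}" \
        -X POST "$url"
}

# Only act when Splunk invokes the script with a host argument.
if [ -n "$1" ]; then
    restart_host "$1"
fi
```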
Yeah I keep getting this
It isn't finding the script, will keep trying