Alerting

How do I get the parameters passed to the script in an alert action

nithin_shubhana
Explorer

Hi,

I am working on the alerting module of Splunk and would like to execute a script when an alert gets triggered. From the documents I see that http://docs.splunk.com/Documentation/Splunk/6.0.2/alert/ConfiguringScriptedAlerts

when alerts get triggered, it will pass some set of arguments to the script. Is my understanding correct? If my understanding is wrong, kindly guide me with the proper meaning.

Assuming the above understanding is correct, to know the value of each of the parameters, I access it by using os.environ['SPLUNK_ARG_0'] and so on in the Python script, correct?

NOTE: I am trying this out on a Windows machine, so do I need to use os.environ['$SPLUNK_ARG_0'] instead of os.environ['SPLUNK_ARG_0']?

Please let me know if I need to explicitly set anything so as to pass the arguments from Splunk to the script.

Thanks in advance.

0 Karma

shaskell_splunk
Splunk Employee

Are you using Python in Windows? That's not how you use os.environ in Python. You don't specify the environment variable with a leading '$'.

[shaskell@docker ~]$ export FOO=la
[shaskell@docker ~]$ python
Python 2.7.5 (default, Jun 24 2015, 00:41:19) 
[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> print(os.environ['FOO']);
la

You'd only access the argument like $SPLUNK_ARG_0 if it were from a shell script in Unix or %SPLUNK_ARG_0% if it were from a batch file in Windows.

You can also access the arguments positionally in Python. Given the following script:

#!/usr/bin/env python
import sys
print(sys.argv[0])
print(sys.argv[1])

[shaskell@docker ~]$ ./foo.py arg1
./foo.py
arg1

So sys.argv[0] is $SPLUNK_ARG_0 (name of the script) and so on. Also note that the 9th argument is the Splunk session key in case you want to interact with the REST API from your script.

0 Karma
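Putting the answer above together as an added example (this is not code from the original answer or from Splunk): a small Python alert script that reads the SPLUNK_ARG_* variables without the shell-style '$' prefix, falls back to argv when run by hand, and keeps the session key (index 8, the 9th argument per the answer above, treated here as an assumption) out of anything it logs.

```python
#!/usr/bin/env python
"""Read the arguments Splunk hands to a scripted alert action.

Each positional argument is available twice: as argv[i] and as the
environment variable SPLUNK_ARG_i. The name carries no '$' or '%';
those belong to shell and batch syntax, not to the variable name, and
os.environ handles Windows' case-insensitive names for you.
"""
import os
import sys

# Position of the Splunk session key among the arguments, per the answer
# above (9th argument, index 8). Assumption for this example.
SESSION_KEY_INDEX = 8


def collect_alert_args(environ=None, argv=None):
    """Return the alert arguments as a list; index 0 is the script name.

    Prefers the SPLUNK_ARG_<i> environment variables and falls back to
    argv, so the same script runs under Splunk and from a terminal.
    """
    environ = os.environ if environ is None else environ
    argv = sys.argv if argv is None else argv
    if "SPLUNK_ARG_0" not in environ:
        return list(argv)  # run by hand: python foo.py arg1 ...
    args = []
    i = 0
    while "SPLUNK_ARG_%d" % i in environ:
        args.append(environ["SPLUNK_ARG_%d" % i])
        i += 1
    return args


def redact_for_logging(args):
    """Copy of args that is safe to write to a log file.

    The session key is a credential for the REST API, so it must never
    end up in script output or log files.
    """
    safe = list(args)
    if len(safe) > SESSION_KEY_INDEX and safe[SESSION_KEY_INDEX]:
        safe[SESSION_KEY_INDEX] = "<redacted>"
    return safe


if __name__ == "__main__":
    for i, value in enumerate(redact_for_logging(collect_alert_args())):
        print("SPLUNK_ARG_%d = %r" % (i, value))
```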

starcher
Influencer

The arguments are always passed and there is nothing special you have to do. Also, make sure your Python alert script starts with a hashbang that points to the Python for Splunk appropriate to your path on your Windows installation.

0 Karma

axl88
Communicator

I downvoted this post because: please try a batch script with some parameters as you have described. It doesn't run with Splunk, while it is totally fine on cmd.

0 Karma