Alerting

How to pass fields as arguments when using "Run a Script" within an alert?

agoktas
Communicator

Hello,

I have a search that provides the results I need, and now I need to use these results (windows services) as arguments in a powershell script (using the "Run a Script" section when creating an Alert).

I was hoping to pass something like this, in that "Run a script" field: c:\StartServices.ps1 "host" "servicename"
As you can see, I'm using the host & servicename fields to pass as arguments to the powershell script.

But the question is: can I do this? If so, am I doing this correctly, or is there a different way to do this?

Thanks!

1 Solution

martin_mueller
SplunkTrust

You're getting passed a number of command line arguments already, one of these is the path to a gzipped csv results file. Your script can pluck whatever field values it needs from there.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Configuringscriptedalerts#Access_arguments_t...

martin_mueller
SplunkTrust

No, they're all in the realms of customers... there are plenty of scripting-related places on the web that can help you though.

martin_mueller
SplunkTrust

I'll go through your comments paragraph by paragraph.

After running a search job, Splunk stores the search results in a gzipped CSV file. If you're calling a scripted alert, that alert is passed a number of fixed arguments that you cannot change, one of them is the path to the results file. That results file will contain your host and servicename values, so your script can take the path, open the file, and read the results - no matter if it's one result or one million results.

Passed as in given, not as in exceeded. Yes, those eight are what you get.

PS is supported, just put the path to the .ps file into the alert script box with no parameters.

No, you can't. If you need to specify extra arguments such as -ExecutionPolicy you will have to wrap those in a .bat, .cmd, .ps, .py, .etc file.

How you obtained those fields in the search is not relevant, they all end up in the CSV file.

Yeah, you will need some kind of loop to deal with any number of results... I'm not a powershell guru though, so I can't help you there. I've done this in Python countless times, so I'm sure it's easy in powershell as well as long as you know powershell.
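Worked example, added by the editor and not code from this thread, from Splunk or from either poster: a StartServices.ps1 that does what the answer above describes. It locates the gzipped CSV results file among the fixed arguments Splunk passes, decompresses and parses it, and loops over every row, starting the named service on the named host. Assumptions beyond what the thread states: the results path is the argument ending in .csv.gz (the $8 argument in the linked docs), the results contain "host" and "servicename" columns as in the question, WinRM is enabled on the target hosts, and the account running splunkd is allowed to start services there. Because the field values come out of log data, the script treats them as untrusted input: the hostname is pattern-checked and the service name must be on an allow list (the list shown is a placeholder). The script is logged to a file beside itself, since a scripted alert's console output is not shown anywhere.

```powershell
# StartServices.ps1 - added example for a Splunk "Run a script" alert (not Splunk's own code).
# Assumed: Splunk's fixed argument list is passed positionally and the results file is the
# argument ending in .csv.gz; results have "host" and "servicename" columns; WinRM is enabled.

$ErrorActionPreference = 'Stop'
$logFile = Join-Path $PSScriptRoot 'StartServices.log'   # log next to the script (assumed location)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $logFile -Append -Encoding utf8
}

# Splunk does not let you choose the arguments, so find the results file among them
# rather than hard-coding an index.
$resultsPath = $args | Where-Object { $_ -like '*.csv.gz' } | Select-Object -Last 1
if (-not $resultsPath -or -not (Test-Path -LiteralPath $resultsPath)) {
    Write-Log "No results file found in arguments: $($args -join ' | ')"
    exit 1
}

# Decompress the gzipped CSV in memory and parse it into one object per result row.
$fileStream = [System.IO.File]::OpenRead($resultsPath)
$gzipStream = New-Object System.IO.Compression.GZipStream($fileStream, [System.IO.Compression.CompressionMode]::Decompress)
$reader     = New-Object System.IO.StreamReader($gzipStream)
try     { $rows = $reader.ReadToEnd() | ConvertFrom-Csv }
finally { $reader.Dispose(); $gzipStream.Dispose(); $fileStream.Dispose() }

# Field values originate in log data, so validate before acting on them:
# hostnames must look like hostnames, and services must be on an explicit allow list.
$allowedServices = @('Spooler', 'W32Time', 'wuauserv')      # placeholder list; adjust to your environment
$hostPattern     = '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$'

# An alert may carry one row or a million; handle each distinct (host, servicename) pair once.
$seen = @{}
foreach ($row in $rows) {
    $target  = $row.host
    $service = $row.servicename
    $key     = "$target`t$service"
    if ($seen.ContainsKey($key)) { continue }
    $seen[$key] = $true

    if ($target -notmatch $hostPattern) {
        Write-Log "Skipping row: invalid host '$target'"
        continue
    }
    if ($allowedServices -notcontains $service) {
        Write-Log "Skipping row: service '$service' not in allow list (host $target)"
        continue
    }

    try {
        # Start the service over WinRM; $using: carries the local value into the remote scriptblock.
        Invoke-Command -ComputerName $target -ScriptBlock {
            $svc = Get-Service -Name $using:service
            if ($svc.Status -ne 'Running') { Start-Service -Name $using:service }
            (Get-Service -Name $using:service).Status
        } | ForEach-Object { Write-Log "$target/$service -> $_" }
    } catch {
        Write-Log "Failed to start '$service' on '$target': $($_.Exception.Message)"
    }
}
```

Place the file in $SPLUNK_HOME\bin\scripts and enter just its name in the "Run a script" box with no parameters, as the answer above says; any extra flags such as -ExecutionPolicy would have to go into a wrapper .bat or .cmd that calls powershell.exe. Keep the allow list tight: whatever can appear in the servicename field of an event can be turned into a service start on a remote host with the privileges of the Splunk service account.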

agoktas
Communicator

Thank you so much Martin.

That detail helps me understand much better.

Would you happen to have an example of your Python script so I can steal some ideas? 🙂

Thanks.

agoktas
Communicator

Thanks for the reply Martin.

Can you translate your response to layman's terms for me? 🙂
Sorry, I'm still a basic Splunk user and a bit more detail would be truly appreciated.

Can you elaborate a bit more on the gzipped csv results file and how/why the script can pluck what it needs from there?

What do you mean exactly that I'm already exceeding the number of arguments? I only have two (host & Named Extraction) fields that I need. Am I limited to ones that can only correspond to arg 0 - 8 in that link you provided?

Is powershell even supported with Splunk alerts 'run a script' option?

Can I just run something like this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File "C:\Program Files\Splunk\bin\scripts\StartRemoteService.ps1" "host" "servicename" -NoWait
from the Alert?

All I want to do is run any type of script that can start a windows service on a remote host. The only fields that we will need would be 'host' & 'servicename'. 'host' is out of the box default, and the 'servicename' was a regex "Named Extraction" (I created this) to obtain the service name that I need.

I'm open to suggestions, but just thought that PowerShell would be the way to go.

Thanks!

agoktas
Communicator

At the same time, I'm thinking that if the results come back with multiple hosts + service names, I'll need to create some way to reference this in a For Loop in the script.

Any suggestions how to accomplish this entire process?
