How to pass parameters from alert view result to my new link?

C4r7m4n
Path Finder

Hello,

I've created my additional links in the alerts view (see the picture below):
http://imageshack.us/photo/my-images/213/pic1bc.jpg/
in the /splunk/share/splunk/search_mrsparkle/templates/alerts/index.html file. At 'My First Link':

<a href="http://google.pl" target="_blank" class="spl-icon-external-link-xsm">
<span>${('My First Link')}</span>
</a>

I put a simple URL like http://google.pl, and it works fine. But at 'My Second Link':

<a href="http://mynewurl/cgi-bin/view.fcgi?str=$hostname$:$name$&db_dir=/home/online/online-update/db&what=cgiwrapper&cgi_basename=custom.cgi&conf_fn=/home/online/online-update/conf.d/online-update.conf&period=h" target="_blank" class="spl-icon-external-link-xsm">
<span>${('My Second Link')}</span>
</a>

I want to pass two fields from ViewResult (hostname, name) to 'My Second Link' to log in to the machine where the alert appears. Does somebody know how to do that?

Maybe there is a file like workflow_actions.conf, where this solution:

[My Second Link]
display_location = both
fields = hostname,name
label = - Look At My Second Link
link.method = get
link.target = blank
link.uri = http://mynewurl/cgi-bin/view.fcgi?str=$hostname$:$name$&db_dir=/home/online/online-update/db&what=cg...
type = link

works perfectly fine for me.

Best Regards,
C4r7m4n

0 Karma

C4r7m4n
Path Finder

Anybody? Some clue?

0 Karma