How to pass the username OR name of the savedsearch as parameters into the alert action itself?

tzhang_gr
New Member

Hi,

I have an alert action that triggers a python script;

In the intended workflow, this alert action can either
1. be manually executed by a user, or
2. be scheduled to execute as an alert action of several different alerts

How can I pass
1. the username that manually runs the search in case 1, and
2. the name of the alert that triggered this alert action

into the python script itself?

E.g. if user Alice@zzz.com runs

search xxx | sendalert alert_action_1

I want to use the variable "Alice@zzz.com" in the python script;

and if "Alert_ABC" triggers the action alert_action_1,
I want to use the variable "Alert_ABC" in the python script

I've got fields like "_raw" working, but couldn't find any parameters related to what/who triggered the alert action itself...

Any hints would be really appreciated!

1 Solution

manjunathmeti
SplunkTrust

You need to create a custom alert action to run this script. You can read alert name and user from std input when custom alert action is triggered.

import sys
import json  # needed for json.loads below

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        # Splunk invokes a custom alert action script with the --execute flag
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        sys.exit(1)
    try:
        # Splunk writes the alert payload as JSON to stdin
        settings = json.loads(sys.stdin.read())
        alert_name = settings['search_name']
        user = settings['user']
        # ... use alert_name and user here ...
    except Exception as e:
        sys.stderr.write("ERROR Unexpected error: %s\n" % e)
        sys.exit(2)  # non-zero so Splunk records the action as failed


tzhang_gr
New Member

Ah, thank you! I didn't realize I was only reading the columns of the ['results_file']... ty ty!


tzhang_gr
New Member

@manjunathmeti Sorry to bother you again -

I've given it a try, but then noticed that my "search_name" attribute is always NULL, and I don't have a "user" attribute at all in the JSON object passed in from stdin. Are there some additional settings I need to change?

Also tried passing in a param.name="$name$" when triggering sendalert, but there's still no value... (however, param.test="$app$" and "$owner$" worked, although they're giving the name of the app and "system" rather than the username and alert name...)

Now I'm thinking of using the action.. override in savedsearches.conf to hard-code the alert name, but is there any way to figure out the username?

Thanks in advance!


manjunathmeti
SplunkTrust

The key "search_name" (or u'search_name', or param.name="$name$") is available in the JSON payload only for scheduled alerts.

I am sorry, 'user' doesn't exist in it, but you can check whether 'sid' or 'results_file' contains the user name.

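Putting the two replies above together, the following is an added example (not code from this thread or from Splunk) of a custom alert action script that reads the stdin payload, tells a scheduled trigger apart from an ad hoc sendalert run, takes the alert name from search_name when it is present, and otherwise tries to recover the owner from the sid or the results_file path, as suggested above. The scheduler sid layout (scheduler__owner__app__search_at_epoch_seq), the dispatch directory layout and the two sample payloads are assumptions constructed for the example, not values taken from the thread.

```python
# Added example for this thread (not code from the posts above or from Splunk).
# Runs as a Splunk custom alert action: Splunk calls it with --execute and
# writes a JSON payload to stdin. Assumptions are labelled in comments.
import json
import re
import sys

# Value the thread reports for the $owner$ token on an ad hoc sendalert run.
PLACEHOLDER_OWNERS = ("system",)


def sid_from_results_file(path):
    """Recover the search id from a results_file path of the form
    .../dispatch/<sid>/results.csv.gz (dispatch layout is an assumption)."""
    parts = path.replace("\\", "/").split("/")
    if len(parts) >= 2 and "dispatch" in parts:
        return parts[-2]
    return ""


def parse_scheduler_sid(sid):
    """Parse a scheduled-search sid. Assumed format (not stated in the thread):
    scheduler__<owner>__<app>__<search name or RMD5 hash>_at_<epoch>_<seq>.
    Returns a dict, or None for ad hoc sids such as "1700000001.123"."""
    parts = sid.split("__", 3)
    if len(parts) != 4 or parts[0] != "scheduler":
        return None
    owner, app, tail = parts[1], parts[2], parts[3]
    m = re.match(r"^(?P<search>.+)_at_(?P<epoch>\d+)_\d+$", tail)
    if not m:
        return None
    return {"owner": owner, "app": app, "search": m.group("search"),
            "epoch": int(m.group("epoch"))}


def describe_invocation(payload):
    """Work out what triggered the action and who is behind it."""
    sid = payload.get("sid") or sid_from_results_file(payload.get("results_file", ""))
    sched = parse_scheduler_sid(sid)
    info = {
        "mode": "scheduled" if sched else "adhoc",
        # search_name is populated only for scheduled alerts (as the thread notes);
        # for sendalert runs it is empty, so it is normalised to None
        "alert_name": payload.get("search_name") or None,
        "app": payload.get("app") or (sched["app"] if sched else None),
        "user": None,
        "sid": sid,
    }
    if sched:
        info["user"] = sched["owner"]
        # fall back to the sid's search segment (which may be an RMD5 hash)
        info["alert_name"] = info["alert_name"] or sched["search"]
    else:
        owner = payload.get("owner")
        if owner and owner not in PLACEHOLDER_OWNERS:
            info["user"] = owner
    return info


def loggable(payload):
    """Copy of the payload that is safe to write to splunkd.log:
    session_key is a bearer credential and must never be logged."""
    safe = dict(payload)
    if "session_key" in safe:
        safe["session_key"] = "<redacted>"
    return safe


# Constructed sample payloads (not real Splunk output) for offline runs.
SAMPLE_SCHEDULED = {
    "sid": "scheduler__alice__search__Alert_ABC_at_1700000000_42",
    "search_name": "Alert_ABC",
    "owner": "alice",
    "app": "search",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/"
                    "scheduler__alice__search__Alert_ABC_at_1700000000_42/results.csv.gz",
    "session_key": "constructed-session-key",
}
SAMPLE_ADHOC = {
    "sid": "1700000001.123",
    "search_name": "",
    "owner": "system",
    "app": "search",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/1700000001.123/results.csv.gz",
    "session_key": "constructed-session-key",
}

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        sys.exit(1)
    try:
        payload = json.loads(sys.stdin.read())
        info = describe_invocation(payload)
        # Splunk records stderr in splunkd.log; keep the level prefix and
        # write only the redacted payload
        sys.stderr.write("INFO invocation=%s payload=%s\n"
                         % (json.dumps(info), json.dumps(loggable(payload))))
    except Exception as e:
        sys.stderr.write("ERROR Unexpected error: %s\n" % e)
        sys.exit(2)  # non-zero so Splunk marks the action as failed
```

For an ad hoc sendalert run the example deliberately leaves "user" as None rather than reporting "system": the payload carries no account name in that case, and a script that silently attributes the run to a placeholder owner would produce misleading audit trails.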

tzhang_gr
New Member

I see... I'll look around for the current user. Thank you so much!
