How to run an alert script on field values generated in Splunk?

aniketb
Path Finder

Hi,

I have an alert that calls a script when invoked.

The results have the 1st column as IP address [host]. I want the script to run on all IP addresses in the result.

Because host is a field generated by default in Splunk. What's the best way to call a script?

Is something like:

myscript $Host

or whatever the argument for the IP address is, possible?

Lowell
Super Champion

So you can't directly call your script with an argument the way you described above, but you can get pretty close with a simple wrapper script.

Here is something you could get started with:

run_my_script_per_host.py:

import sys
import gzip
import csv
from subprocess import call

def openany(p):
    # Splunk may hand the script a gzip-compressed results file; open it in
    # text mode either way so csv.DictReader gets strings, not bytes
    if p.endswith(".gz"):
        return gzip.open(p, "rt")
    else:
        return open(p)

results_file = sys.argv[8]      # file with search results (8th argument passed by Splunk)

for row in csv.DictReader(openany(results_file)):
    # Build a command line to call based on fields from splunk output
    my_command = [ "myscript", row["host"], ]
    call(my_command)   # list form: no shell is involved, so field values are passed as-is

This script will execute myscript <HOST> for every result returned by your search.
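The wrapper above trusts whatever lands in the `host` column. Below is an added example (not from the answer above, and not Splunk's own code) that keeps the same structure but validates each field value as an IP address before building a command line, and supports a dry run so you can see what would be executed. The `myscript` name, the `host` column and the sample rows are assumptions constructed for the demo; only the `sys.argv[8]` convention comes from the answer.

```python
import csv
import gzip
import io
import ipaddress
import subprocess
import sys

# Constructed sample rows standing in for a Splunk results file (not real data)
SAMPLE_ROWS = [
    {"host": "10.0.0.5", "count": "3"},
    {"host": "192.0.2.10", "count": "1"},
    {"host": "db01.example.internal", "count": "1"},  # not an IP: should be skipped
]

def build_results_gz(rows):
    """Serialize rows as a gzipped CSV and return the bytes (constructed sample)."""
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=["host", "count"])
    writer.writeheader()
    writer.writerows(rows)
    return gzip.compress(text.getvalue().encode("utf-8"))

def results_from_bytes(data):
    """Wrap gzipped CSV bytes as a text stream, the same shape open_results returns."""
    return io.TextIOWrapper(io.BytesIO(gzip.decompress(data)), encoding="utf-8", newline="")

def open_results(path):
    """Open a results file in text mode whether or not it is gzip-compressed."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", newline="")
    return open(path, "r", newline="")

def valid_ip(value):
    """True only if the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def plan_commands(fileobj, script="myscript", field="host"):
    """Return (commands, rejected): argv lists for rows whose field is a valid IP,
    and the field values that were skipped because they were empty or not an IP."""
    commands, rejected = [], []
    for row in csv.DictReader(fileobj):
        value = (row.get(field) or "").strip()
        if valid_ip(value):
            commands.append([script, value])  # argv list: no shell, no quoting issues
        else:
            rejected.append(value)
    return commands, rejected

def run_alert(results_path, script="myscript", dry_run=False):
    """Read the results file and run the script once per valid host; returns the plan."""
    with open_results(results_path) as f:
        commands, rejected = plan_commands(f, script)
    if not dry_run:
        for argv in commands:
            subprocess.call(argv)
    return commands, rejected

if __name__ == "__main__":
    if len(sys.argv) > 8:
        # Invoked by Splunk: the results file path is the 8th argument
        run_alert(sys.argv[8])
    else:
        # Run by hand: dry-run over the constructed sample, in memory
        cmds, bad = plan_commands(results_from_bytes(build_results_gz(SAMPLE_ROWS)))
        print("would run:", cmds)
        print("skipped:", bad)
```

Run it by hand with no arguments to see the planned command lines and the skipped values; when Splunk invokes it, `sys.argv[8]` is present and the commands actually execute. Rejected values are returned rather than silently dropped so the wrapper can log them, which is also where you would notice a search whose `host` field is not what the script expects.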
