We are currently using scripted alerts from saved/scheduled searches to alert into our NetCool instance. Everything, but one part, is working great as we are using the following output variables to get the needed information for the Netcool alert.
SPLUNK_ARG_0 Script name
SPLUNK_ARG_1 Number of events returned
SPLUNK_ARG_2 Search terms
SPLUNK_ARG_3 Fully qualified query string
SPLUNK_ARG_4 Name of saved search
SPLUNK_ARG_5 Trigger reason (for example, "The number of events was greater than 1")
SPLUNK_ARG_6 Browser URL to view the saved search
SPLUNK_ARG_8 File in which the results for this search are stored (contains raw results)
The one issue is with our Search Heads that are running SSO and Splunk is listening on an internal port of 8081 instead of the normal 443. When a Splunk alert fires and sends the information into Netcool, it uses port 443 in the URL provided as SPLUNK_ARG_6
.
Is it possible to change the URL provided under SPLUNK_ARG_6
to use the internal port number instead of 443? And, yes, we know that we could break apart the variable in the script and replace the port number, but we would prefer to do it through a config change if it is possible.
Please let me know if you have any questions and thanks in advance for the help.
In your alert script, you could use sed to search for the undesired port and replace it with the correct one:
SPLUNK_URL="echo $SPLUNK_ARG_6|sed 's/8081/443/g'"
In your alert script, you could use sed to search for the undesired port and replace it with the correct one:
SPLUNK_URL="echo $SPLUNK_ARG_6|sed 's/8081/443/g'"