Alerting

Passing the argument to the shell script on custom alert action.

alwaysumer1
New Member

Hey there,

I've created a custom alert action on splunk. This is my directory structure:
/apps
/bin
[shell script]
/default
app.conf
alert_actions.conf
data/
ui/
alerts/
[html file]
/appserver
/static
[png file]
/README
/alert_actions.conf.spec

I'm making use of all the 8 arguments that the splunk provides, However I want to pass an argument to the shell script which the user gives on the UI. Please help

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

The username is not passed to the script.

What you may need to do is include the username as part of your search results. Its messy, but it will work. You can do so with something like the following, using the append command to add an additional row containing the username. Your script will need to look for this row/field and get the username in that fashion.

index=_internal | stats count by component | append [ rest /services/authentication/current-context/context | fields + username ]

Alternatively, your script could look at the splunk internal logs, and tie a few events together to determine who is calling the script.

0 Karma

burwell
SplunkTrust
SplunkTrust

I believe that you cannot easily do this without hacking the Splunk python code. That makes upgrades a pain. I did that for awhile. I gave up and have a variety of scripts with what I might want to pass in.

0 Karma

alwaysumer1
New Member

I've gone thru it already but didn't find the solution.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...