Alerting

Passing the argument to the shell script on custom alert action.

alwaysumer1
New Member

Hey there,

I've created a custom alert action on splunk. This is my directory structure:
/apps
/bin
[shell script]
/default
app.conf
alert_actions.conf
data/
ui/
alerts/
[html file]
/appserver
/static
[png file]
/README
/alert_actions.conf.spec

I'm making use of all the 8 arguments that the splunk provides, However I want to pass an argument to the shell script which the user gives on the UI. Please help

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

The username is not passed to the script.

What you may need to do is include the username as part of your search results. Its messy, but it will work. You can do so with something like the following, using the append command to add an additional row containing the username. Your script will need to look for this row/field and get the username in that fashion.

index=_internal | stats count by component | append [ rest /services/authentication/current-context/context | fields + username ]

Alternatively, your script could look at the splunk internal logs, and tie a few events together to determine who is calling the script.

0 Karma

burwell
SplunkTrust
SplunkTrust

I believe that you cannot easily do this without hacking the Splunk python code. That makes upgrades a pain. I did that for awhile. I gave up and have a variety of scripts with what I might want to pass in.

0 Karma

alwaysumer1
New Member

I've gone thru it already but didn't find the solution.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...