Solved: Passing the output of a search to an alert script

bruceclarke · ‎01-21-2014

All,

I have an alert that runs nightly that reads the distinct databases that have encountered a given event. When the alert is run, I want to pass that list of databases to a python script that will be able to execute logic on each of the values in that list.

Is there a way to do this? Is this what the eighth argument detailed here is used for? I'm unsure as to what format that data will be in though, since I really just want the formatted list of values the search returns.

Thanks!

martin_mueller · ‎01-21-2014

Yup, the eighth argument is a path to a file containing the raw results, I believe in a .csv.gz archive.

As for the format of the data vs your expectations, just take a look at them at (roughly) $SPLUNK_HOME/var/run/splunk/dispatch/searchid/results.csv.gz on your search head.

View solution in original post

martin_mueller · ‎01-21-2014

Yup, the eighth argument is a path to a file containing the raw results, I believe in a .csv.gz archive.

As for the format of the data vs your expectations, just take a look at them at (roughly) $SPLUNK_HOME/var/run/splunk/dispatch/searchid/results.csv.gz on your search head.

bruceclarke · ‎01-22-2014

I'll give this a shot. Thanks!

jzapantis · ‎11-16-2017

I just checked and it is a .gzip online.

That is awesome, good response.

For anyone curious, the documentation is here:
http://docs.splunk.com/Documentation/Splunk/5.0/Alert/Configuringscriptedalerts

Passing the output of a search to an alert script

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability