Alerting
Highlighted

Scripted Alert to third party event managemet

Path Finder

Hi,
we are setting up some alerts based on a vendor script to automatically populate an Event Management Console.
The problem is that we need to extract some informations (=fileds) from Splunk raw data included in the alert to pass it as a parameter to the script itself, so we will be able to pupulate correctly the Event management console.

Example syntax:

custombin.sh -n @event.management.console:port -b hostextractedfromsplunkdata -u userextractedfromsplunk_data

where:

custom_bin.sh is our third party script

-n @event.management.console:port is the event management console fqdn:port

-b hostextractedfromsplunkdata is the host field indexed by splunk present in the specific record we need to extract to

-u userextractedfromsplunkdata is the user filed extracted ... like the host field

Any hint on how we can achieve it?

Regards

0 Karma
Highlighted

Re: Scripted Alert to third party event managemet

SplunkTrust
SplunkTrust

The eighth parameter passed to the alert script is a path to the search results. You can examine those to extract whatever info you need. http://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketing...

View solution in original post

Highlighted

Re: Scripted Alert to third party event managemet

Path Finder

Hi Martin, thank for your answer.
I need to extract from results some fields and use they as a parameter for the third party script.
Something like the host, the username for example.
Do you know if it's possible?

regards

0 Karma
Highlighted

Re: Scripted Alert to third party event managemet

SplunkTrust
SplunkTrust

The path points at a gzipped CSV file, you can pick whatever field you need from that.

0 Karma
Highlighted

Re: Scripted Alert to third party event managemet

Splunk Employee
Splunk Employee

Hi Martin,

do you have an example of the script you have been using here?

Regards

0 Karma
Highlighted

Re: Scripted Alert to third party event managemet

Path Finder

thanks martin, i solved just parsing the csv with a perl script.

0 Karma
Highlighted

Re: Scripted Alert to third party event managemet

Splunk Employee
Splunk Employee

The Splunk Developer’s Guide and the accompanying Splunk Reference App might be helpful in answering your question. The book is available in both paperback and Mobi from Amazon.

alt text
It was designed by a Splunk dev team to help you learn how to build, test, and deploy apps - The reference app (named PAS) showcases proven practices using the Splunk Developer Platform and includes code that you can download, reuse and even contribute to, code walkthroughs as well as the associated unit and acceptance tests.

The featured example demonstrates how to monitor various document repositories (current and future). Managers and auditors can use the app to see who has viewed, modified, deleted, or downloaded documents or other artifacts from various sources, detect suspicious behaviors, and analyze trends.

Currently an updated version is under development that will expand the functionality, so even if it’s not relevant now you might want to keep checking to see what’s been added.

0 Karma