we are setting up some alerts based on a vendor script to automatically populate an Event Management Console.
The problem is that we need to extract some informations (=fileds) from Splunk raw data included in the alert to pass it as a parameter to the script itself, so we will be able to pupulate correctly the Event management console.
custombin.sh -n @event.management.console:port -b hostextractedfromsplunkdata -u userextractedfromsplunk_data
custom_bin.sh is our third party script
-n @event.management.console:port is the event management console fqdn:port
-b hostextractedfromsplunkdata is the host field indexed by splunk present in the specific record we need to extract to
-u userextractedfromsplunkdata is the user filed extracted ... like the host field
Any hint on how we can achieve it?
The eighth parameter passed to the alert script is a path to the search results. You can examine those to extract whatever info you need. http://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketing...
Hi Martin, thank for your answer.
I need to extract from results some fields and use they as a parameter for the third party script.
Something like the host, the username for example.
Do you know if it's possible?
It was designed by a Splunk dev team to help you learn how to build, test, and deploy apps - The reference app (named PAS) showcases proven practices using the Splunk Developer Platform and includes code that you can download, reuse and even contribute to, code walkthroughs as well as the associated unit and acceptance tests.
The featured example demonstrates how to monitor various document repositories (current and future). Managers and auditors can use the app to see who has viewed, modified, deleted, or downloaded documents or other artifacts from various sources, detect suspicious behaviors, and analyze trends.
Currently an updated version is under development that will expand the functionality, so even if it’s not relevant now you might want to keep checking to see what’s been added.