Alerting

Scripted Alert to third party event management

bizza
Path Finder

Hi,
we are setting up some alerts based on a vendor script to automatically populate an Event Management Console.
The problem is that we need to extract some information (=fields) from the Splunk raw data included in the alert and pass it as a parameter to the script itself, so we will be able to populate the Event Management Console correctly.

Example syntax:

custom_bin.sh -n @event.management.console:port -b host_extracted_from_splunk_data -u user_extracted_from_splunk_data

where:

custom_bin.sh is our third party script

-n @event.management.console:port is the event management console fqdn:port

-b host_extracted_from_splunk_data is the host field indexed by Splunk, present in the specific record, that we need to extract

-u user_extracted_from_splunk_data is the user field extracted ... like the host field

Any hint on how we can achieve it?

Regards

0 Karma
1 Solution

martin_mueller
SplunkTrust

The eighth parameter passed to the alert script is a path to the search results. You can examine those to extract whatever info you need. http://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketing...


rcorbisier_splu
Splunk Employee

The Splunk Developer’s Guide and the accompanying Splunk Reference App might be helpful in answering your question. The book is available in both paperback and Mobi from Amazon.

It was designed by a Splunk dev team to help you learn how to build, test, and deploy apps. The reference app (named PAS) showcases proven practices using the Splunk Developer Platform and includes code that you can download, reuse and even contribute to, code walkthroughs, as well as the associated unit and acceptance tests.

The featured example demonstrates how to monitor various document repositories (current and future). Managers and auditors can use the app to see who has viewed, modified, deleted, or downloaded documents or other artifacts from various sources, detect suspicious behaviors, and analyze trends.

Currently an updated version is under development that will expand the functionality, so even if it’s not relevant now you might want to keep checking to see what’s been added.

0 Karma


bizza
Path Finder

Thanks Martin, I solved it by just parsing the CSV with a Perl script.

0 Karma

martin_mueller
SplunkTrust

The path points at a gzipped CSV file, you can pick whatever field you need from that.

0 Karma
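An added example (not code from the original thread, and not the poster's Perl script) of what martin_mueller describes in the accepted solution and in the comment above: a legacy Splunk scripted alert reads the results path from its eighth argument, opens the gzipped CSV, pulls the host and user fields from each row, and invokes the vendor script. The argument positions are those documented for Splunk legacy scripted alerts; `custom_bin.sh` and the `-n/-b/-u` options come from the question, while the script path `/opt/custom/custom_bin.sh`, the console value, the field name `user` and the sample rows are assumptions. The practitioner caveat it demonstrates: the host and user values originate in indexed raw data, so they are handed to the vendor script as separate argv elements (`shell=False`), never spliced into a shell command string.

```python
"""Splunk legacy scripted alert: extract fields from the results file and
pass them to a third-party script as argv, without shell interpolation."""
import csv
import gzip
import os
import subprocess
import sys
import tempfile

# Assumed values (not from the original thread): vendor script path and
# the "-n fqdn:port" value of the event management console.
CUSTOM_BIN = "/opt/custom/custom_bin.sh"
CONSOLE = "emc.example.internal:8443"

# Splunk legacy scripted alert arguments (documented positions):
#   argv[1] number of events   argv[2] search terms    argv[3] full query
#   argv[4] saved search name  argv[5] trigger reason  argv[6] saved search URL
#   argv[7] deprecated/empty   argv[8] path to results file (gzipped CSV)
RESULTS_ARG_INDEX = 8


def load_results(path):
    """Return the rows of a Splunk results file (gzipped CSV) as dicts.

    Only fields present in the search results appear as columns, so the
    saved search must keep them (e.g. `... | table _time host user`).
    """
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_command(row, host_field="host", user_field="user"):
    """Build the argv list for the vendor script from one result row.

    Values come straight from indexed data and may contain shell
    metacharacters; as separate argv elements they stay single arguments.
    """
    missing = [f for f in (host_field, user_field) if not row.get(f)]
    if missing:
        raise ValueError("result row lacks required field(s): %s" % missing)
    return [CUSTOM_BIN, "-n", CONSOLE, "-b", row[host_field], "-u", row[user_field]]


def run_alert(argv):
    """Entry point when Splunk invokes this file as an alert script."""
    if len(argv) <= RESULTS_ARG_INDEX:
        raise SystemExit("expected the results file path as argument 8")
    for row in load_results(argv[RESULTS_ARG_INDEX]):
        # shell=False: argv is passed to execve, no shell parses the values.
        subprocess.run(build_command(row), shell=False, check=False)


def write_sample_results(path=None):
    """Write a constructed results file shaped like Splunk's (gzipped CSV).

    The second row carries a deliberately hostile user value to show that
    argv passing keeps it as one opaque argument.
    """
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".csv.gz")
        os.close(fd)
    rows = [
        {"_time": "1700000000", "host": "web01", "user": "alice",
         "_raw": "Nov 14 22:13:20 web01 sshd[101]: Accepted publickey for alice"},
        {"_time": "1700000060", "host": "db02", "user": "bob; rm -rf /",
         "_raw": "Nov 14 22:14:20 db02 sshd[102]: Failed password for bob; rm -rf /"},
    ]
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "host", "user", "_raw"])
        writer.writeheader()
        writer.writerows(rows)
    return path


if __name__ == "__main__":
    run_alert(sys.argv)
```

Place the script under `$SPLUNK_HOME/bin/scripts/` and select it as the alert's script; a quick local run is `python alert.py 2 "" "" "" "" "" "" results.csv.gz` after producing `results.csv.gz` with `write_sample_results`.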

rsiekermann_spl
Splunk Employee

Hi Martin,

do you have an example of the script you have been using here?

Regards

0 Karma

bizza
Path Finder

Hi Martin, thanks for your answer.
I need to extract some fields from the results and use them as parameters for the third party script.
Something like the host or the username, for example.
Do you know if it's possible?

regards

0 Karma