how to include search results in python custom ale...

pranay_adla · ‎07-29-2019

have a custom alert action scripts which have UI. If I give a fieldname in UI that needs to get value from search result and append to sid. How can I use $results.fieldnme$ or any other solution for this.

jaime_ramirez · ‎07-29-2019

For Custom Alert Actions tokens you could use this guide:

https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ModAlertsLog#Pass_search_result_value...
https://docs.splunk.com/Documentation/Splunk/7.3.0/Alert/EmailNotificationTokens#Search_metadata_tok...

So in your case if you want to pass some field results (lets name it Results_To_Pass) and also the sid of the search, you could put it like this in the UI:

Results: $results.Results_To_Pass$
Search Job: $job.sid$

Then the python script would parse this and perform its particular function.

If you could provide more info it would be great.

Hope it helps.

how to include search results in python custom alert script

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation