Alerting

how to pass custom strings from a Splunk Alert into a python script as arguments

maximusdm
Communicator

hi all, we are using the python script below to pass a JSON structure from an Splunk alert.
I need to pass 2 more custom strings but I am not sure how.
Inside a Splunk alert I have the "Description" field which I could use to type my custom string but how do I pass that down to the script as an argument?
Also, I would need to pass the 2nd custom string as another argument. How do I do that?
Here is my python script:

import json
import requests
import sys
import pprint

url = 'http://10.10.10.10:8080/api/2.0/ICTAPIHandlers/JSON.php'

if len (sys.argv) != 9 :
    print("Usage: python ict.py count terms query name reason url tags path")
    sys.exit (1)

searchCount = sys.argv[1] # $1 - Number of events returned
searchTerms = sys.argv[2] # $2 - Search terms
searchQuery = sys.argv[3] # $3 - Fully qualified query string
searchName = sys.argv[4] # $4 - Name of saved search
searchReason = sys.argv[5] # $5 - Reason saved search triggered
searchURL = sys.argv[6] # $6 - URL/Permalink of saved search
searchTags = sys.argv[7] # $7 - Always empty as of 4.1
searchPath = sys.argv[8] # $8 - Path to raw saved results in Splunk instance (advanced)

data = {"searchCount":searchCount, "searchTerms":searchTerms, "searchQuery":searchQuery, "searchName":searchName, "searchReason":searchReason, "searchURL":searchURL,"searchTags":searchTags,"searchPath":searchPath }

data_json = json.dumps(data)
headers = {'Content-type': 'application/json'}
response = requests.post(url, data=data_json, headers=headers)
pprint.pprint(response.json())
pprint.pprint(response.json()['json'])

Thank you

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend
0 Karma

maximusdm
Communicator

sorry but I didnt understand that post. Bear in mind that the 2 extra custom strings I need, I am trying to type them somewhere inside the alert and pass as a argument.
If that is not possible I could pull that info from a static file but that would only appear in the results of the query. I am new to Splunk; it is still a black box for me. Thanks.

0 Karma

woodcock
Esteemed Legend

My answer does exactly that. It is a complete walk-through. Just give the code a try.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...