Alerting

how to pass custom strings from a Splunk Alert into a python script as arguments

maximusdm
Communicator

hi all, we are using the python script below to pass a JSON structure from an Splunk alert.
I need to pass 2 more custom strings but I am not sure how.
Inside a Splunk alert I have the "Description" field which I could use to type my custom string but how do I pass that down to the script as an argument?
Also, I would need to pass the 2nd custom string as another argument. How do I do that?
Here is my python script:

import json
import requests
import sys
import pprint

url = 'http://10.10.10.10:8080/api/2.0/ICTAPIHandlers/JSON.php'

if len (sys.argv) != 9 :
    print("Usage: python ict.py count terms query name reason url tags path")
    sys.exit (1)

searchCount = sys.argv[1] # $1 - Number of events returned
searchTerms = sys.argv[2] # $2 - Search terms
searchQuery = sys.argv[3] # $3 - Fully qualified query string
searchName = sys.argv[4] # $4 - Name of saved search
searchReason = sys.argv[5] # $5 - Reason saved search triggered
searchURL = sys.argv[6] # $6 - URL/Permalink of saved search
searchTags = sys.argv[7] # $7 - Always empty as of 4.1
searchPath = sys.argv[8] # $8 - Path to raw saved results in Splunk instance (advanced)

data = {"searchCount":searchCount, "searchTerms":searchTerms, "searchQuery":searchQuery, "searchName":searchName, "searchReason":searchReason, "searchURL":searchURL,"searchTags":searchTags,"searchPath":searchPath }

data_json = json.dumps(data)
headers = {'Content-type': 'application/json'}
response = requests.post(url, data=data_json, headers=headers)
pprint.pprint(response.json())
pprint.pprint(response.json()['json'])

Thank you

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend
0 Karma

maximusdm
Communicator

sorry but I didnt understand that post. Bear in mind that the 2 extra custom strings I need, I am trying to type them somewhere inside the alert and pass as a argument.
If that is not possible I could pull that info from a static file but that would only appear in the results of the query. I am new to Splunk; it is still a black box for me. Thanks.

0 Karma

woodcock
Esteemed Legend

My answer does exactly that. It is a complete walk-through. Just give the code a try.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...