Alerting

which tokens are allowed in alert_actions.conf

Contributor

Hi Forum,

I'm currently trying out to save search results in a csv file. Could you help me to find out which tokens are allowed in alert_actions.conf?

I found https://docs.splunk.com/Documentation/Splunk/7.0.2/AdvancedDev/ModAlertsLog but the descripted tokens are not working correctly.

[saveresult]
is_custom = 1
label = save results
description = save the results to a CSV file
command = outputcsv $name$_$results.count$_$result.count$_$trigger_date$_$job.searchEarliestTime$_$job.createTime$_$alert.severity$.csv

returns a csv with the filename testsaveresults5____1.csv meaning $name$, $results.count$ (btw. documented is $result.) and $alert.severty$ are returning values while the others does not.

I'd like to create filename $name$.$job.searchEarliestTime$.$job.searchLatestTime$.csv .

Thanks for your help in advance,

Andreas

Motivator
0 Karma

Champion

Hi,

Can you try something like this:

outputcsv [ | stats count | addinfo | eval info_min_time1=strftime(info_min_time, "%d-%m-%y-%H:%M:%S") | eval info_max_time1=strftime(info_max_time, "%d-%m-%y-%H:%M:%S") | eval filename = $name$ . info_min_time1 . "_" . info_max_time1  | return $filename]
0 Karma

Influencer

I have alert action to log it as event. All the tokens mentioned there are available when we log event.
Some of them are not available when we are using it as command in custom alert action.

My guess is, the job has to be complete i suppose to have all the tokens available.

This is my sample log event and it works perfectly fine

app=$app$ alert_name=$name$ severity=$alert.severity$ owner=$owner$ triggered_time=$trigger_time$ value=$result.fieldname$ job_earliest_time=$job.earliestTime$ job_latest_time=$job.latestTime$ job_run_duration=$job.runDuration$

0 Karma