Hello
I have an alert scheduled to run every 5 mins with custom conditions. What I need to do is to use these search results in a perl script. Can anyone please tell me how do I output these in a perl script? Are the emails when custom condition is met which are generated being store somewhere on splunk server? I need to use that data and extract some fields from it to call our internal mailing server to generate customized emails.
Regards
theou
I've found something interesting there...
https://github.com/georgestarcher/Splunk-Alert/blob/master/targetlist.py
http://www.georgestarcher.com/splunk-alert-scripts-automating-control/
The splunk doc is really missing some examples...
I'm also missing a good example...
Until now, answers are only telling about the way to run the script, not to get the results in the script !
Do it is necessary to take the savedsearch parameter, and to go aver API getting the results ?? This would be a pity
A couple of folks already linked to the wiki page but Splunk sets system variables for several search variables starting with '1'. My colleague and I built something similar a while back with a bash script. One of the variables, I can't recall which one, was not being populated consistently, (we're running Splunk 4.3.1), so in the end I decided just to use the SPLUNK_SEARCH_NAME variable and parse it to gather the slots I need to populate in Service Desk. Then I just name each saved search in the format 'APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE' and then I can parse that out into the fields needed by SD. You could of course use map the other available variables too. Obviously you'd need to understand your ticketing system's API or commandline.
SPLUNK_EVENT_COUNT=$1
SPLUNK_SEARCH_TERMS=$2
SPLUNK_QUERY_STRING=$3
SPLUNK_SEARCH_NAME=$4
SPLUNK_ALERT_TRIGGER=$5
SPLUNK_SEARCH_URL=$6
SPLUNK_SEARCH_RESULTS=$8
Sorry for the large bold text, I'm not sure what happened there.
Why don't you use a script for the alert? Just supply a shell script (or batch script) that runs your perl program.
Splunk supplies a number of arguments to the script, including a URL to view the search results and a link to the file containing the raw search results.
More info here:Configure Scripted Alerts
But how will I create a perl script to extract specific fields unless I see how the result is being generated on a *nix machine? Do you mean to say that I can specify the fieldnames from the table which is being created when the savedsearch is run in my perl script?
A scheduled search can be configured to execute a script as well as send an email. Currently, I think it will only support a bash script, which you can then use to call the perl script. The link below gives you an idea how this happens: