Splunk Search

$result.fieldname$ not available in script

sunilm411
Engager

I am trying to understand how scripted alerts work in splunk.

I have the basic echo.sh which prints out the arguments to a file, but when I add $result.$ it shows as empty.
I am able to see the result.fieldname when I pass it to the send email alert action.


jpolcari
Communicator

I've been looking to do the same thing but have not found an easy way of doing this. The best answer I have found is to take SPLUNK_ARG_8 and use the gzip'd results to parse out the hostname.

0 Karma

somesoni2
Revered Legend

I think these are the only parameters available in the script alert action:

Arg  Environment variable  Value
0    SPLUNK_ARG_0          Script name
1    SPLUNK_ARG_1          Number of events returned
2    SPLUNK_ARG_2          Search terms
3    SPLUNK_ARG_3          Fully qualified query string
4    SPLUNK_ARG_4          Name of report
5    SPLUNK_ARG_5          Trigger reason (for example, "The number of events was greater than 1.")
6    SPLUNK_ARG_6          Browser URL to view the report
7    SPLUNK_ARG_7          Not used for historical reasons
8    SPLUNK_ARG_8          File in which the results for the search are stored (raw results in gzip file format)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Configuringscriptedalerts

0 Karma
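Added example (not from either poster) of the workaround both answers point to: since $result.fieldname$ is not expanded for a scripted alert, the script reads the gzipped results file passed as $8 / $SPLUNK_ARG_8 and pulls the wanted field from the first result row. It assumes the file is a gzip-compressed CSV whose first line is the header (Splunk's results.csv.gz layout) and that the field value holds no embedded commas; the sample file and field names are constructed here for a stand-alone run.

```shell
#!/bin/sh
# first_result_field <results.csv.gz> <fieldname>
# Prints the named field from the first result row; prints nothing if the
# field is not in the header. The value comes from indexed event data, so
# treat it as untrusted: keep it quoted and never eval it or splice it into
# a command line unquoted.
first_result_field() {
    results="$1"
    field="$2"
    gzip -dc "$results" | awk -v want="$field" -F',' '
        NR == 1 {
            # header row: locate the column index of the wanted field
            for (i = 1; i <= NF; i++) {
                h = $i; gsub(/^"|"$/, "", h)
                if (h == want) col = i
            }
            next
        }
        NR == 2 && col {
            v = $col; gsub(/^"|"$/, "", v)
            print v
            exit
        }'
}

# Constructed sample standing in for $SPLUNK_ARG_8 (example data, not real results).
make_sample_results() {
    sample="${TMPDIR:-/tmp}/sample_results.$$.csv.gz"
    printf '%s\n' '"_time","host","count"' \
                  '"2024-01-01T00:00:00","web01","17"' | gzip -c > "$sample"
    echo "$sample"
}

# Stand-alone run: what echo.sh could do inside the alert action.
if [ -n "$SPLUNK_ARG_8" ]; then
    host=$(first_result_field "$SPLUNK_ARG_8" host)
else
    sample=$(make_sample_results)
    host=$(first_result_field "$sample" host)
    rm -f "$sample"
fi
echo "host from first result: $host"
```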