Developing for Splunk Enterprise

How to create a custom alert action Python script with parameters from search results?

agentsofshield
Path Finder

Hi, I tried to create a custom alert action that operates a script, but I didn't understand how to send parameters from the search results to the script.

For example: a script that checks Windows version for every IP address in the search results. How do I send the results to my script? What do I have to put in alert_actions.conf and in my script?

Please try to explain instead of just sending links to Splunk Docs, I read these and still didn't find my answer.

Thanks

Labels (1)
0 Karma
1 Solution

schose
Contributor

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

View solution in original post

schose
Contributor

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

View solution in original post

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!