Developing for Splunk Enterprise

How to create a custom alert action Python script with parameters from search results?

Path Finder

Hi, I tried to create a custom alert action that operates a script, but I didn't understand how to send parameters from the search results to the script.

For example: a script that checks Windows version for every IP address in the search results. How do I send the results to my script? What do I have to put in alert_actions.conf and in my script?

Please try to explain instead of just sending links to Splunk Docs, I read these and still didn't find my answer.

Thanks

Labels (1)
0 Karma
1 Solution

Contributor

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

View solution in original post

Contributor

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

View solution in original post