I was able to make Splunk send an alert to my
abc_pythonscript correctly after configuring commands.conf:
| makeresults | eval myfield="some_raw_message" | table myfield | script abc_pythonscript myfield
But when I look at the arguments coming into my script, it is
myfield rather than the value within it. I was expecting the value "some_raw_message" to be passed to my script.
Is it a mistake I'm making, or is there a better way to do this?
This worked for me:
step 1. in search box of web interface
| makeresults | jonsnow dest="bbb", source="bla-bla-bla"
step 2. for the "jonsnow" custom command to work,
write this in commands.conf (stanza name = command name)
[jonsnow]
filename = jonsnow.py
and this to local.meta of the same Splunk app
[commands/jonsnow]
access = read : [ * ], write : [ admin, power ]
export = system
owner = myusername
step 3. the script itself (jonsnow.py)
import subprocess
import splunk.Intersplunk
# keywords: positional args; argvals: the key=value options from the search
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
# the keys must match the option names used in the search (dest and source in step 1)
xxx = argvals['xxx']
yyy = argvals['yyy']
# argument list, not a shell string, so each value is passed as one argument
subprocess.call(["sh", "./jonsnow.sh", xxx, yyy])
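The script in step 3 hands search-supplied values straight to a shell script, so the part a defender wants to see is what sits between the option parsing and the subprocess call. The block below is an added example, not code from this thread or from Splunk: parse_args is a stand-in for splunk.Intersplunk.getKeywordsAndOptions() (an assumption about its behaviour, written so the example runs without Splunk), the allowed option names dest and source come from the search in step 1, the value pattern and ./jonsnow.sh are assumptions, and the argv at the bottom is constructed to stand in for what splunkd would pass.

```python
"""Added example: parse key=value options the way a custom search command
receives them, validate them, and build a subprocess argument list.
parse_args is a hypothetical stand-in for getKeywordsAndOptions()."""
import re
import subprocess
import sys

# Assumption for this example: option values are limited to host/path-like
# tokens. Anything with shell metacharacters, spaces or quotes is rejected.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:/@-]+$")
# The option names used in the step 1 search: dest and source.
ALLOWED_OPTIONS = {"dest", "source"}


def parse_args(argv):
    """Split argv into positional keywords and a dict of key=value options.
    Surrounding double quotes on a value (dest="bbb") are stripped."""
    keywords, options = [], {}
    for arg in argv:
        if "=" in arg:
            key, value = arg.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            options[key.strip()] = value
        else:
            keywords.append(arg)
    return keywords, options


def validate_options(options):
    """Reject unknown or missing option names and disallowed values.
    Returns the options unchanged on success, raises ValueError otherwise."""
    unknown = set(options) - ALLOWED_OPTIONS
    if unknown:
        raise ValueError("unknown option(s): %s" % ", ".join(sorted(unknown)))
    missing = ALLOWED_OPTIONS - set(options)
    if missing:
        raise ValueError("missing option(s): %s" % ", ".join(sorted(missing)))
    for key, value in options.items():
        if not SAFE_VALUE.match(value):
            raise ValueError("option %s has a disallowed value: %r" % (key, value))
    return options


def build_command(options, script="./jonsnow.sh"):
    """Build the argv list for subprocess. A list without shell=True means
    each value is exactly one argument; quoting inside a value cannot add
    extra arguments or commands."""
    return ["sh", script, options["dest"], options["source"]]


def run(argv, dry_run=True):
    """Full pipeline. With dry_run=True the command list is returned instead
    of executed, so the logic can be exercised without jonsnow.sh present."""
    _keywords, options = parse_args(argv)
    validate_options(options)
    cmd = build_command(options)
    if dry_run:
        return cmd
    return subprocess.call(cmd)


if __name__ == "__main__":
    # Constructed argv, standing in for what splunkd passes for
    #   | makeresults | jonsnow dest="bbb" source="bla-bla-bla"
    sample = sys.argv[1:] or ['dest="bbb"', 'source="bla-bla-bla"']
    print(run(sample))
```

Running the file with no arguments prints the dry-run command list; passing a value such as dest="$(id)" raises ValueError before anything is executed, which is the check the original script lacks.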
I have a similar requirement. It would be helpful if you could share the script showing how you are passing the Splunk alert values into a Python script.
1. Create a Python script (say my_python_script).
2. Ensure it has permissions to read from the app context.
3. Run your base query and output the results as you wish for your Python script.
4. As in the answer given above, pass those into a "map" command.