Hi,
Let's say I have an alert where I trigger a script based on some condition.
Now my question is, is it possible to call another saved search from that script?
I have already created a script through which I call a saved search, but the problem lies within the authorization, I guess, as while executing it's asking for my credentials.
All in summary, is it possible to call a saved search from another one based on some condition?
Create the 1st search and add the name of your script.
In the script, use the curl command to trigger the 2nd search. In the script, save the password directly and restrict access to the script.
Or create another file with perms where you can save the 64bit encrypted password and read the password from there in the first script.
Thanks Kamal,
Do you have a sample script for triggering that 2nd search?
Thanks again
jitsinha,
Did you ever figure out a solution for this? I'm looking to do something similar. If an alert gets triggered from one report, we need another search to run as part of that alert.
Thanks
Chris
You could configure a command in commands.conf and set passAuth=true, so Splunk will pass an authentication token to the stdin of the script/command. You can process this in your script with:
import sys
import re

sessionKey = sys.stdin.readline().strip()
tokenize = re.match( r'(.)(.)
Sorry, limited knowledge on the commands.conf front. If possible, would you please elaborate?
Hi Jitsinha!
Half of my answer was gone, I realise 🙂. You could create a script that performs your wanted actions (a search) against the REST API. You can access the REST API with the auth token that is passed when configured in commands.conf. In that case, you don't create a Splunk alert, but append your script directly to the search you wanted to create the alert on: | script python . Maybe a bit of a long shot though .....
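As an added illustration of the passAuth approach described above (example code, not from the thread or from Splunk): a scripted-command body that takes the session key Splunk hands it on stdin and uses it to dispatch a second saved search over the REST API, so no password has to be stored in the script. The host, port, app name, the saved-search name "B" and the assumption that the key arrives as the first stdin line are all assumptions.

```python
# Added example (not from the original thread): dispatch saved search "B" with the
# session key passed on stdin when commands.conf sets passAuth = true, instead of a
# password stored in the script. Host, port, app and search name are assumed values.
import json
import sys
import urllib.parse
import urllib.request

SPLUNKD = "https://localhost:8089"  # assumed splunkd management port
APP = "search"                      # assumed app that owns the saved search


def read_session_key(stream=sys.stdin):
    """Assumed layout: the first stdin line carries the session key.
    A labelled form such as 'sessionKey=<key>' or 'sessionKey:<key>' is tolerated."""
    line = stream.readline().strip()
    for sep in ("=", ":"):
        label, found, rest = line.partition(sep)
        if found and label == "sessionKey":
            line = rest.strip()
            break
    if not line:
        raise RuntimeError("no session key on stdin; is passAuth = true set?")
    return line


def build_dispatch_request(session_key, saved_search, app=APP, base=SPLUNKD):
    """POST .../saved/searches/<name>/dispatch, authorised with the session key
    in the 'Authorization: Splunk <key>' header rather than user credentials."""
    name = urllib.parse.quote(saved_search, safe="")
    url = f"{base}/servicesNS/nobody/{app}/saved/searches/{name}/dispatch"
    body = urllib.parse.urlencode({"trigger_actions": 1, "output_mode": "json"})
    return urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {session_key}"})


def dispatch(session_key, saved_search, opener=urllib.request.urlopen):
    """Run the saved search; returns the search id (sid) splunkd assigns to the job.
    'opener' is injectable so the logic can be exercised without a live server."""
    req = build_dispatch_request(session_key, saved_search)
    with opener(req) as resp:
        return json.loads(resp.read())["sid"]


if __name__ == "__main__":
    # Called by Splunk as a scripted command: key on stdin, sid to stdout.
    print(dispatch(read_session_key(), "B"))
```

Restrict the script's file permissions anyway, since anyone who can edit it can make it do other things with the caller's session.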
Thanks baerts for your quick response.
Sorry, I might not have been clear in my question.
Actually I want to trigger a second saved search based on the completion status of the first search.
So let's say I have one saved search "A". I have scheduled it to run at 1 AM every day. Now this search is basically a summary search which populates a summary index "IDX-A".
Now I have another saved search "B" which extracts the information from summary index IDX-A and does some validation.
Now all I want to do is call this saved search "B" from a script which I will be calling from saved search "A".
Thanks musskopf.
But the problem lies with credential sharing, as it will be visible to all persons having access to that script.
Any alternative/tweak?
So... are you calling the following search using the Splunk console or the API? With both you should be able to pass the credentials, for example:
./splunk search 'index=_internal | fields _time | head 1 ' -auth 'admin:secret123'